Exposing unauthenticated Docker daemon sockets directly to the internet remains a guaranteed method for losing a cluster.
🧯 CanisterWorm Wiper Escalation
While previous TeamPCP campaigns focused on routine persistence, their toolset now features a strictly destructive TTP. The CanisterWorm payload explicitly targets Iranian Kubernetes environments, shifting the post-exploitation objective to deploying wiper malware and establishing permanent node backdoors.
The access path relies on scanning for open TCP port 2375. Upon finding an exposed Docker API, attackers schedule a rogue container named `kamikaze` alongside malicious, privileged DaemonSets. This grants the administrative node control required to execute the wiping routines.
Cluster Defense
Block public access to port 2375 at the firewall immediately. Operators need to actively hunt for running `kamikaze` containers and audit cluster configurations for newly deployed, unauthorized privileged DaemonSets. An unauthenticated container engine left on the public perimeter should be treated as fully compromised: the only safe outcome is a complete environment rebuild.
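The three defensive checks above (hunt for `kamikaze` containers, audit privileged DaemonSets, confirm the daemon is not listening on TCP) can be run as one offline audit. The following is an added example and not code from the original post or from any tool it names; it works on constructed samples of `kubectl get daemonsets -A -o json`, `docker ps --format '{{json .}}'` and `/etc/docker/daemon.json`, and the `ALLOWLIST` of DaemonSets expected to run privileged is an assumption you would replace with your own. It goes slightly beyond the text by also flagging `hostPID`/`hostNetwork`/`hostIPC` and Docker-socket `hostPath` mounts, since those grant the same node-level control as `privileged: true`.

```python
import json

# Constructed sample of `kubectl get daemonsets -A -o json`, trimmed to the fields
# the audit inspects. Names and namespaces are made up for illustration.
SAMPLE_DAEMONSETS = {
    "items": [
        {   # legitimate node component, expected to be privileged and allowlisted
            "metadata": {"name": "kube-proxy", "namespace": "kube-system"},
            "spec": {"template": {"spec": {
                "hostNetwork": True,
                "containers": [{"name": "kube-proxy",
                                "securityContext": {"privileged": True}}],
                "volumes": []}}},
        },
        {   # unexpected privileged DaemonSet that also mounts the Docker socket
            "metadata": {"name": "node-agent", "namespace": "default"},
            "spec": {"template": {"spec": {
                "hostPID": True,
                "containers": [{"name": "agent",
                                "securityContext": {"privileged": True}}],
                "volumes": [{"name": "dock",
                             "hostPath": {"path": "/var/run/docker.sock"}}]}}},
        },
        {   # ordinary unprivileged DaemonSet, should produce no finding
            "metadata": {"name": "log-shipper", "namespace": "logging"},
            "spec": {"template": {"spec": {
                "containers": [{"name": "shipper", "securityContext": {}}],
                "volumes": []}}},
        },
    ]
}

# Constructed sample of `docker ps --format '{{json .}}'` output (one object per line).
SAMPLE_DOCKER_PS = "\n".join([
    json.dumps({"ID": "a1b2c3d4e5f6", "Names": "nginx-frontend", "Image": "nginx:1.25"}),
    json.dumps({"ID": "0f0f0f0f0f0f", "Names": "kamikaze", "Image": "alpine:latest"}),
])

# Constructed sample /etc/docker/daemon.json with the API bound to every interface.
SAMPLE_DAEMON_JSON = {"hosts": ["unix:///var/run/docker.sock", "tcp://0.0.0.0:2375"]}

# Assumed allowlist: DaemonSets you deployed that legitimately need node-level access.
ALLOWLIST = {("kube-system", "kube-proxy")}


def privileged_daemonsets(ds_doc, allowlist=ALLOWLIST):
    """Return (namespace, name, reasons) for DaemonSets that grant node-level
    access and are not on the allowlist."""
    findings = []
    for item in ds_doc.get("items", []):
        meta = item["metadata"]
        key = (meta["namespace"], meta["name"])
        pod = item["spec"]["template"]["spec"]
        reasons = []
        for c in pod.get("containers", []) + pod.get("initContainers", []):
            if (c.get("securityContext") or {}).get("privileged"):
                reasons.append(f"privileged container {c['name']}")
        for flag in ("hostPID", "hostNetwork", "hostIPC"):
            if pod.get(flag):
                reasons.append(flag)
        for v in pod.get("volumes", []):
            path = (v.get("hostPath") or {}).get("path", "")
            if path.endswith("docker.sock") or path == "/":
                reasons.append(f"hostPath {path}")
        if reasons and key not in allowlist:
            findings.append((key[0], key[1], reasons))
    return findings


def rogue_containers(docker_ps_output, names=frozenset({"kamikaze"})):
    """Return (id, name, image) for running containers whose name matches a known
    rogue name. docker ps joins multiple names with commas, so split on them."""
    hits = []
    for line in docker_ps_output.splitlines():
        if not line.strip():
            continue
        entry = json.loads(line)
        for name in entry.get("Names", "").split(","):
            if name.strip() in names:
                hits.append((entry["ID"], name.strip(), entry.get("Image", "")))
    return hits


def exposed_tcp_hosts(daemon_cfg):
    """Return daemon 'hosts' entries listening on TCP on a non-loopback address.
    Any such entry on an internet-facing host is the port-2375 exposure the post
    describes (2376 is only safe with TLS client-certificate authentication)."""
    exposed = []
    for h in daemon_cfg.get("hosts", []):
        if h.startswith("tcp://"):
            addr = h[len("tcp://"):].rsplit(":", 1)[0]
            if addr not in ("127.0.0.1", "localhost", "[::1]"):
                exposed.append(h)
    return exposed


if __name__ == "__main__":
    for ns, name, why in privileged_daemonsets(SAMPLE_DAEMONSETS):
        print(f"[DS] {ns}/{name}: {', '.join(why)}")
    for cid, name, image in rogue_containers(SAMPLE_DOCKER_PS):
        print(f"[CTR] {cid} {name} ({image})")
    for h in exposed_tcp_hosts(SAMPLE_DAEMON_JSON):
        print(f"[DAEMON] exposed listener: {h}")
```

In practice you would feed the functions live output (`kubectl get daemonsets -A -o json`, `docker ps --format '{{json .}}'`, the contents of `daemon.json`) instead of the constructed samples, and pair the daemon check with a host firewall rule such as `iptables -I INPUT -p tcp --dport 2375 -j DROP` so the listener is unreachable even if the configuration regresses.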