The "CanisterSprawl" Worm: Self-Propagating Credential Theft Across

The "CanisterSprawl" worm represents a sophisticated, self-propagating threat designed for widespread credential theft across hybrid infrastructure, specifically targeting misconfigured containerized environments, cloud resources, and traditional on-premises systems. Its primary objective is the reconnaissance and exfiltration of authentication material, including API keys, SSH keys, cloud provider credentials, and user account passwords, enabling persistent access and extensive lateral movement within compromised networks. CanisterSprawl leverages a multi-stage infection chain, beginning with initial access through exposed services or targeted phishing, followed by automated scanning and exploitation routines that prioritize container orchestration platforms and adjacent infrastructure for rapid expansion.

Initial Vector and Infiltration Mechanisms

CanisterSprawl's initial compromise often exploits a combination of exposed attack surface and social engineering. Common entry points include internet-facing services with weak or default credentials, such as RDP (CVE-2019-0708 for older unpatched systems, though newer attacks leverage Postigo-undetected phishing lures for credential harvesting), SSH, and administrative interfaces for container registries or orchestration dashboards. An alternative, and increasingly prevalent, vector is the exploitation of vulnerabilities in widely deployed web applications or CI/CD pipelines. For instance, a hypothetical vulnerability, CVE-2026-34197, affecting an authentication bypass in specific versions of Jenkins or GitLab CI runners, could serve as a direct conduit for initial payload delivery. A more detailed analysis of similar supply chain attack vectors can be found in our discussion on the Vercel breach.

Upon gaining initial access, CanisterSprawl deploys a lightweight dropper, typically disguised as a legitimate system utility. This dropper's primary function is to establish persistence and download the main worm payload. On Linux systems, this might involve modifying .bashrc, creating new cron jobs, or installing systemd services. On Windows, scheduled tasks or registry run keys are often targeted. The dropper frequently uses polymorphic techniques to evade static signature detection, dynamically generating its payload components or employing shellcode loaders.

# Example of a persistence mechanism on Linux via cron
(crontab -l 2>/dev/null; echo "@reboot /usr/bin/python3 /opt/sys_agent/main.py &") | crontab -

# Example of a persistence mechanism on Windows via scheduled task (PowerShell)
schtasks /create /tn "SystemUpdateService" /tr "powershell.exe -NoP -W Hidden -File C:\ProgramData\Updater\service.ps1" /sc ONLOGON /ru SYSTEM /f

Propagation Mechanics: From Host to Canister and Beyond

The core innovation of CanisterSprawl lies in its ability to pivot seamlessly between traditional host-based environments and containerized infrastructure, leveraging stolen credentials at each stage for lateral movement and further propagation. The worm employs a modular architecture, with specialized components for different propagation vectors.

Lateral Movement via Traditional Network Protocols

Once established on an initial host, the `SprawlNet` module initiates a reconnaissance phase. It scans local networks and connected subnets for accessible services such as SSH (port 22), RDP (port 3389), SMB (ports 139, 445), and database services (e.g., PostgreSQL on 5432, MySQL on 3306). Credential harvesting on the initial host provides the `SprawlNet` module with a critical resource: a collection of usernames, NTLM hashes, and SSH private keys. Tools like Mimikatz (on Windows) or custom Python scripts parsing SSH agent sockets and ~/.ssh/ directories (on Linux) are instrumental in this phase. The worm then attempts to authenticate to identified services using a combination of brute-force attacks (if weak passwords are found), password spraying with harvested credentials, and "pass-the-hash" or "pass-the-ticket" techniques on Windows domains.

For example, to exploit SMB, `SprawlNet` might use a harvested NTLM hash with tools like `pth-smbclient` from the Impacket suite:

# Using pth-smbclient for lateral movement with stolen NTLM hash
pth-smbclient.py -hashes :<NTLM_HASH> //<TARGET_IP>/C$ -U <USERNAME>

Successful authentication leads to the deployment of the dropper on the new host, restarting the infection cycle. The worm also actively searches for configuration files containing sensitive data, such as `~/.kube/config`, `~/.aws/credentials`, `docker-compose.yml`, and various CI/CD configuration files.

Container and Orchestration Exploitation

The "Canister" aspect of CanisterSprawl becomes prominent here. The worm actively targets container runtimes (Docker, containerd, CRI-O) and orchestration platforms (Kubernetes, OpenShift, Nomad). If a compromised host is a Docker host, the worm attempts to:

1. Escape Containers: If initially compromised within a container, it will attempt container escapes (e.g., exploiting CVE-2022-0492 or misconfigurations like a privileged container with CAP_SYS_ADMIN).
2. Access Docker Daemon: From a host, it checks for accessible Docker sockets (/var/run/docker.sock). If found, it can list running containers, inspect their configurations, and even launch new privileged containers to establish persistence or extract secrets.

# Listing containers via Docker socket
docker -H unix:///var/run/docker.sock ps -a

For Kubernetes environments, CanisterSprawl prioritizes:

1. Kubeconfig Theft: Harvesting ~/.kube/config files, which contain cluster credentials.
2. Service Account Token Exploitation: If running within a pod, it attempts to read the service account token mounted at /var/run/secrets/kubernetes.io/serviceaccount/token. This token is then used to interact with the Kubernetes API server.
3. API Server Access: Using stolen kubeconfigs or service account tokens, the worm enumerates namespaces, pods, deployments, and secrets. It specifically looks for secrets containing database credentials, API keys, or cloud provider credentials.
4. Pod Creation/Modification: With sufficient permissions, CanisterSprawl can deploy new malicious pods, often disguised as system utilities, to maintain persistence or launch further attacks. It may also modify existing deployments to inject sidecar containers for data exfiltration or proxying C2 traffic.

# Example of using a service account token to query Kubernetes API
KUBERNETES_PORT_443_TCP_ADDR="kubernetes.default.svc"
TOKEN=$(cat /var/run/secrets/kubernetes.io/serviceaccount/token)
curl -sSk -H "Authorization: Bearer $TOKEN" https://$KUBERNETES_PORT_443_TCP_ADDR/api/v1/namespaces/default/secrets

The worm also specifically targets CI/CD pipelines, which often have elevated permissions to deploy applications and manage infrastructure. Compromising a Jenkins controller or a GitLab runner (potentially via CVE-2026-34197 or similar vulnerabilities) can provide access to a treasure trove of credentials, build artifacts, and deployment scripts, leading to a zero-day exploit of the entire development and production environment.

Cloud Environment Targeting

Given the increasing adoption of hybrid cloud architectures, CanisterSprawl includes modules specifically designed for public cloud environments (AWS, Azure, GCP). After harvesting credentials like AWS access keys (~/.aws/credentials), Azure service principal credentials, or GCP service account keys, the worm uses them to interact with cloud APIs. It enumerates cloud resources, particularly focusing on:

• IAM roles and users with administrative privileges.
• Storage buckets (S3, Azure Blob Storage, GCP Cloud Storage) for data exfiltration.
• Virtual machines and container registries for further propagation.
• Serverless functions (Lambda, Azure Functions, Cloud Functions) which can be repurposed for C2 or resource enumeration.

The worm might leverage tools similar to Zondex for internet-wide scanning to identify exposed cloud resources associated with the victim organization, correlating this data with harvested internal credentials to broaden its attack surface.

Credential Harvesting and Exfiltration

The `CanisterGrab` module is the dedicated component for credential harvesting. It employs a wide array of techniques depending on the operating system and environment:

• Windows:
  • LSASS dumping (Mimikatz, ProcDump).
  • Registry hive extraction (SAM, SECURITY).
  • Browser credential stores (Chrome, Edge, Firefox).
  • RDP session hijacking.
• Linux:
  • SSH private keys (~/.ssh/*id_rsa*, ~/.ssh/config).
  • .bash_history and other shell histories for sensitive commands.
  • Cloud provider configuration files (~/.aws/credentials, gcloud config).
  • API keys found in application configuration files (e.g., .env files, config.py).
  • Container secrets (Kubernetes secrets, Docker Swarm secrets).
  • Environment variables within running processes or containers.

# Example of searching for sensitive files on Linux
find / -name "*id_rsa*" -o -name "*.kubeconfig" -o -name "*aws/credentials*" 2>/dev/null

Exfiltrated credentials and sensitive data are typically compressed, encrypted, and then transmitted to attacker-controlled command and control (C2) infrastructure. This C2 communication often mimics legitimate traffic, using protocols like DNS over HTTPS (DoH), ICMP tunneling, or by establishing connections through compromised legitimate services acting as proxies. For anonymity and to evade detection, the worm may route its C2 traffic through a network of proxies, potentially utilizing services similar to GProxy to obfuscate its origin and destination. Data exfiltration to cloud storage services (e.g., a newly created S3 bucket or an attacker-controlled FTP server) is also common.

Persistence and Evasion Techniques

CanisterSprawl employs robust persistence mechanisms to ensure continued access:

• Scheduled Tasks/Cron Jobs: As demonstrated, these are primary methods.
• Service Creation: Installing new services (systemd, Windows Services) disguised as legitimate system components.
• Rootkits: On Linux, rudimentary userland rootkits might be deployed to hide processes, files, or network connections.
• Binary Patching: Modifying legitimate binaries to inject malicious code.
• Container Image Backdooring: Injecting malicious layers into commonly used container images within private registries.

Evasion techniques include:

• Polymorphism: Constantly changing payload signatures.
• Obfuscation: Using packers, crypters, and string obfuscation to hide malicious code.
• Living Off The Land (LOTL): Utilizing legitimate system tools (PowerShell, WMI, curl, `net.exe`, `tasklist.exe`) for reconnaissance, execution, and lateral movement, making detection challenging.
• Anti-Analysis: Detecting virtual machines, debuggers, and sandboxes, and altering behavior accordingly.

Mitigation Strategies and Detection

Defending against a sophisticated worm like CanisterSprawl requires a multi-layered approach focusing on proactive security, robust access controls, and continuous monitoring. A strong defense against such threats often begins with a thorough understanding of one's own attack surface. Secably's external attack surface management (Secably EASM) capabilities, accessible via the Secably EASM API, can help organizations identify and remediate exposed services that could serve as initial compromise vectors. Organizations are encouraged to start a free EASM scan to identify their current exposure.

Key mitigation strategies include:

• Principle of Least Privilege: Implement strict access controls for all users, services, and applications, especially within containerized and cloud environments. Service accounts in Kubernetes should have minimal necessary permissions.
• Strong Authentication: Enforce multi-factor authentication (MFA) everywhere possible, particularly for administrative interfaces, SSH, RDP, and cloud console access. Eliminate default and weak passwords.
• Patch Management: Regularly patch and update operating systems, applications, container runtimes, and orchestration platforms. This includes addressing vulnerabilities like those discussed in CISA's KEV Catalog.
• Network Segmentation: Isolate critical systems, container orchestration planes, and development environments from general user networks. Implement micro-segmentation within container clusters.
• Container Security Best Practices:
  • Scan container images for vulnerabilities before deployment.
  • Run containers with non-root users.
  • Limit resource access (CPU, memory) for containers.
  • Avoid mounting Docker sockets or host paths into containers unless absolutely necessary.
  • Regularly audit Kubernetes RBAC policies.
• Credential Management: Securely store credentials using secrets management solutions (e.g., HashiCorp Vault, AWS Secrets Manager, Azure Key Vault, Kubernetes Secrets with encryption). Rotate credentials frequently.
• Endpoint Detection and Response (EDR): Deploy EDR solutions on all hosts and within containers to detect anomalous process behavior, file modifications, and network connections indicative of compromise.
• Log Monitoring and Alerting: Centralize and monitor logs from all systems, including hosts, containers, orchestration platforms, and cloud environments. Look for:
  • Failed login attempts (especially password spraying).
  • Unusual command execution (e.g., Mimikatz, `docker` commands from unexpected sources).
  • Creation of new users, scheduled tasks, or services.
  • Unauthorized API calls to cloud providers or Kubernetes.
  • Large data transfers from unusual internal hosts.
• Incident Response Plan: Develop and regularly test an incident response plan specifically tailored to respond to advanced persistent threats and worm outbreaks.