Iran Hits AWS/Azure as LiteLLM Backdoor Steals Cloud Keys
Iran has physically struck AWS and Azure cloud data centers in the Middle East and named 18 US tech companies for imminent targeting — while LiteLLM (97M monthly PyPI installs), the most popular open-source LLM proxy, was simultaneously backdoored with a credential harvester exfiltrating AWS/GCP/Azure keys, K8s configs, and every LLM API key in your stack. Your cloud dependencies are under kinetic and software supply chain attack at the same time. Validate Middle East region failover today. Audit every environment for LiteLLM now — if it was installed during the 3-hour compromise window, rotate every secret it ever touched.
◆ INTELLIGENCE MAP
01 Iran Crosses Kinetic Threshold Against US Cloud Infrastructure
Act now: Iran struck AWS and Azure facilities in the Middle East and publicly named 18 US tech companies as future targets. IRGC declared retaliatory doctrine: 'for every assassination, an American company will be destroyed.' Gray Sandstorm is password-spraying M365 tenants to support Bombing Damage Assessment for kinetic strikes.
- AWS (Bahrain): Struck
- Azure (UAE/Qatar): Struck
- Google Cloud: Named
- Oracle Cloud: Named
- Apple: Named
- Nvidia: Named
02 LiteLLM Backdoor: AI Proxy Compromise Harvests Every Cloud Credential
Act now: TeamPCP backdoored LiteLLM (97M monthly PyPI installs) with a 3-stage attack: credential harvest → K8s lateral movement → systemd persistence. Targets include SSH keys, AWS/GCP/Azure creds, K8s configs, and LLM API keys. Lapsus$ claims secondary access to exfiltrated data. Mercor confirmed breached. Live for 3 hours before quarantine.
- Axios (npm): 100M weekly downloads
- LiteLLM (PyPI): 97M monthly installs
03 Active Exploitation Trifecta: Fortinet EMS, Magento PolyShell, TrueConf 0-day
Monitor: Three concurrent critical exploits: Fortinet EMS CVE-2026-21643 (SQLi, unauthenticated takeover, patched Feb but now actively exploited), Magento PolyShell (unauthenticated web shell upload, mass exploitation at hundreds/hour), and TrueConf CVE-2026-3502 (Chinese-nexus APT zero-day pushing malicious updates to all connected clients). Patch-to-exploitation window continues collapsing.
- Feb 2026: Fortinet EMS patched
- Mid-Mar: PolyShell disclosed
- Late Mar: Fortinet exploitation begins
- Late Mar: PolyShell mass exploitation
- Apr 1: TrueConf 0-day in the wild
04 Quantum ECC Break Requirements Drop 40x — PQC Migration Accelerates
Monitor: Oratomic achieved a 40x reduction in physical qubits needed to break ECDSA secp256k1 — down to 26,000 using neutral atom methods. Google Quantum AI independently cut requirements to ~500K physical qubits via surface code. Ethereum Foundation's Justin Drake now assigns ≥10% q-day probability by 2032. Google targeting 2029 for full PQC migration.
05 Compliance Infrastructure Erosion: Delve SOC 2 Fraud + US Army Cyber Training Cuts
Background: YC-backed compliance startup Delve allegedly generated 494 fraudulent SOC 2 reports with fabricated evidence and pre-written conclusions — any vendor using Delve attestations may have worthless compliance posture. Separately, the US Army cut mandatory cyber training from annual to once every 5 years. Both signal systemic erosion of trust frameworks security teams rely on.
- Army training interval (old): 12 months
- Army training interval (new): 60 months
◆ DEEP DIVES
01 Iran's Kinetic-Cyber Convergence: Your Cloud Data Centers Are Now Military Targets
<h3>A New Category of Cloud Risk</h3><p>For the first time in the cloud era, a <strong>nation-state military has physically struck commercial cloud infrastructure</strong> and publicly promised more. Iran's IRGC has already hit AWS and Microsoft Azure facilities in the Middle East and announced imminent expansion to 18 named US tech companies — including Google, Oracle, Apple, Meta, and Nvidia — with strikes potentially <strong>beginning April 2</strong>.</p><p>The IRGC's statement is unambiguous: <em>"For every assassination, an American company will be destroyed."</em> This isn't a cyber threat advisory. This is a <strong>declared military doctrine targeting civilian technology infrastructure</strong>.</p><blockquote>Physical destruction of cloud regions has longer recovery timelines than ransomware — and with a 30% transformer supply deficit and 80% import dependency, damaged infrastructure may take months to rebuild.</blockquote><hr><h3>Cyber Operations Supporting Kinetic Targeting</h3><p>This isn't just bombs. Check Point researchers identified <strong>Gray Sandstorm</strong> conducting multi-wave M365 password spray campaigns across March 2026, targeting Israeli and UAE municipalities — <em>the same municipalities later hit by Iranian drone and missile strikes</em>. The assessment: these operations support <strong>Bombing Damage Assessment (BDA)</strong>. Targeted sectors include satellite, aviation, energy, and maritime.</p><p>The integration of cyber reconnaissance with kinetic strike planning represents a <strong>doctrinal evolution</strong> that most enterprise threat models don't account for. 
Your M365 logs may contain pre-strike indicators.</p><h3>Immediate BCP Implications</h3><table><thead><tr><th>Provider</th><th>MENA Regions</th><th>Status</th><th>Risk Level</th></tr></thead><tbody><tr><td><strong>AWS</strong></td><td>Bahrain (me-south-1)</td><td>Struck</td><td>Critical</td></tr><tr><td><strong>Azure</strong></td><td>UAE North/Central, Qatar</td><td>Struck</td><td>Critical</td></tr><tr><td><strong>Google Cloud</strong></td><td>Doha, Dammam, Tel Aviv</td><td>Named</td><td>High</td></tr><tr><td><strong>Oracle Cloud</strong></td><td>Jeddah, Abu Dhabi</td><td>Named</td><td>High</td></tr></tbody></table><p>Most enterprise BCP plans model regional outages as natural disaster scenarios. The distinction matters: <strong>targeted strikes can be repeated, escalated, and directed at specific providers</strong>. A 30-day regional outage from physical attack is a fundamentally different scenario than a multi-hour cloud service degradation. Validate your RTO/RPO assumptions against this reality.</p><h3>The Predictive Advantage</h3><p>The IRGC's retaliatory doctrine gives defenders something rare: a <strong>predictive trigger</strong>. US-Iran escalation events (assassinations, sanctions, military strikes) can be monitored as leading indicators for infrastructure targeting. Build an OSINT-driven tripwire that auto-elevates your SOC posture when geopolitical triggers fire.</p>
Action items
- Enumerate all workloads, data stores, and services in AWS me-south-1, Azure UAE/Qatar, and any MENA cloud region. Test failover to unaffected regions today.
- Run targeted threat hunt for Gray Sandstorm TTPs: password spray patterns against M365, anomalous sign-ins from Middle Eastern IP ranges, and T1110.003 indicators across Entra ID logs for the past 30 days.
- Brief executive leadership and board risk committee on kinetic cloud threats as a new BCP category requiring investment in multi-region and multi-cloud redundancy.
- Build an OSINT-driven geopolitical tripwire: monitor US-Iran escalation events and pre-define automated SOC posture changes (elevated monitoring, DR readiness checks, vendor status calls).
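An added example (not part of the original briefing) of the T1110.003 hunt from the second action item: it flags source IPs that fail against many accounts with only a few guesses each, then lists any sign-in that succeeded from the same IP. Field names follow the Microsoft Graph sign-in log schema; the thresholds, sample events and addresses are constructed assumptions.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Entra ID error codes that mean a wrong guess: bad password, locked out, unknown user
FAILED_GUESS = {50126, 50053, 50034}

def parse_ts(value):
    return datetime.fromisoformat(value.replace("Z", "+00:00"))

def find_password_spray(events, window=timedelta(hours=1), min_users=5, max_per_user=3):
    """Flag IPs that fail against many accounts with few attempts per account."""
    by_ip = defaultdict(list)
    for ev in events:
        by_ip[ev["ipAddress"]].append(ev)

    findings = []
    for ip, evs in by_ip.items():
        evs.sort(key=lambda e: parse_ts(e["createdDateTime"]))
        fails = [e for e in evs if e["status"]["errorCode"] in FAILED_GUESS]
        best = None
        for i, first in enumerate(fails):          # slide the window over failures
            start = parse_ts(first["createdDateTime"])
            per_user = defaultdict(int)
            for e in fails[i:]:
                if parse_ts(e["createdDateTime"]) - start > window:
                    break
                per_user[e["userPrincipalName"]] += 1
            # Many users, few tries each: spray. Many tries on one user: brute force.
            if len(per_user) >= min_users and max(per_user.values()) <= max_per_user:
                if best is None or len(per_user) > len(best[1]):
                    best = (start, dict(per_user))
        if best is None:
            continue
        start, per_user = best
        # A success from the spraying IP after the wave began is the urgent finding
        hits = sorted({e["userPrincipalName"] for e in evs
                       if e["status"]["errorCode"] == 0
                       and parse_ts(e["createdDateTime"]) >= start})
        findings.append({"ip": ip, "window_start": start.isoformat(),
                         "targeted_users": len(per_user), "successful_logins": hits})
    return findings

def make_event(ts, user, ip, code):
    return {"createdDateTime": ts, "userPrincipalName": user,
            "ipAddress": ip, "status": {"errorCode": code}}

# Constructed sample data (documentation IP ranges, example.org accounts)
SAMPLE_EVENTS = (
    # One IP, six accounts, one guess each within six minutes
    [make_event(f"2026-03-10T02:0{i}:00Z", f"user{i}@example.org", "203.0.113.7", 50126)
     for i in range(6)]
    + [make_event("2026-03-10T02:09:00Z", "user3@example.org", "203.0.113.7", 0)]
    # One user mistyping a password four times: not a spray
    + [make_event(f"2026-03-10T09:0{i}:00Z", "alice@example.org", "198.51.100.20", 50126)
       for i in range(4)]
    + [make_event("2026-03-10T09:05:00Z", "alice@example.org", "198.51.100.20", 0)]
)

if __name__ == "__main__":
    for finding in find_password_spray(SAMPLE_EVENTS):
        print(finding)
```

Run it per day or per wave over the 30-day export; an account listed under `successful_logins` should be treated as compromised until its sessions are revoked and its password reset.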
Sources: Axios npm compromise by DPRK, Fortinet EMS 0-day in the wild, and Iran fusing cyber ops with missile strikes · Iran struck AWS data centers and named your vendors next — 18 US tech firms now on IRGC's target list · Iran is striking your cloud regions and Anthropic just leaked 500K lines of code · Encryption ruled a 'design defect' in court — plus Iran names 18 US tech targets · Iran kinetic ops mean your SOC should be hunting for APT33/APT35 right now
02 LiteLLM Backdoor: A 3-Hour Window That May Have Exfiltrated Every Secret in Your AI Stack
<h3>The AI Toolchain's First Tier-1 Supply Chain Attack</h3><p>TeamPCP compromised <strong>LiteLLM</strong>, the most popular open-source LLM proxy with <strong>97 million monthly PyPI installs</strong>. LiteLLM sits in the data path between applications and model APIs — meaning the compromised version had access to everything flowing through it. The backdoor was live for <strong>three hours before quarantine</strong>, but the three-stage attack architecture shows this was not opportunistic.</p><h4>The Attack Chain</h4><ol><li><strong>Stage 1 — Credential Harvesting:</strong> Targeted SSH keys, AWS/GCP/Azure credentials, Kubernetes configs, crypto wallets, and LLM API keys — essentially <strong>every secret that matters in a modern cloud-native AI stack</strong></li><li><strong>Stage 2 — Kubernetes Lateral Movement:</strong> Used harvested K8s configs to move laterally across cluster infrastructure</li><li><strong>Stage 3 — Systemd Persistence:</strong> Installed a persistent backdoor that survives reboots on Linux systems</li></ol><p>Mercor has confirmed a resulting breach: <strong>939GB of source code and 4TB total data exfiltrated</strong>, reportedly via TailScale VPN compromise. Lapsus$ is now claiming secondary access to the stolen data, adding a <strong>data brokering dimension</strong> — expect public dumps or extortion attempts in coming weeks.</p><blockquote>LiteLLM processed your prompts, API keys, and model responses. If it was in your stack during the compromise window, treat every credential it touched as burned.</blockquote><hr><h3>The Delve Connection</h3><p>LiteLLM subsequently dropped <strong>Delve</strong> for <strong>Vanta</strong> as its compliance certification provider. This is significant because Delve — a YC-backed compliance startup — is separately alleged to have generated <strong>494 fraudulent SOC 2 audit reports</strong> with fabricated evidence and pre-written conclusions. 
If any vendor in your supply chain holds a Delve-issued SOC 2 report, that attestation may be worthless. The LiteLLM-Delve connection suggests their prior compliance posture was inadequate to detect or prevent the compromise.</p><h3>Why This Is Different From Axios</h3><p>While the Axios npm compromise (covered yesterday) affected the broadest possible JavaScript surface, LiteLLM's compromise is <strong>more dangerous per affected system</strong>. LiteLLM is a credential proxy — it doesn't just run on your machine, it <strong>routes your most sensitive API keys and business data</strong> to external providers. A compromised Axios deployment gives attackers a foothold. A compromised LiteLLM deployment gives attackers your <strong>entire AI infrastructure credential set</strong>.</p><table><thead><tr><th>Dimension</th><th>Axios</th><th>LiteLLM</th></tr></thead><tbody><tr><td><strong>Reach</strong></td><td>100M weekly npm downloads</td><td>97M monthly PyPI installs</td></tr><tr><td><strong>Data access</strong></td><td>Host-level (files, env vars)</td><td>All LLM API keys, prompts, responses</td></tr><tr><td><strong>Persistence</strong></td><td>RAT (self-destructing)</td><td>Systemd service (survives reboot)</td></tr><tr><td><strong>Attribution</strong></td><td>DPRK / UNC1069</td><td>TeamPCP / Lapsus$ secondary</td></tr><tr><td><strong>Compliance link</strong></td><td>None</td><td>Delve SOC 2 fraud connection</td></tr></tbody></table>
Action items
- Search for LiteLLM across all package manifests (requirements.txt, Docker images, Helm charts, CI/CD pipelines) immediately. If found, determine installed version and cross-reference against the compromise window.
- Rotate ALL API keys that ever transited a LiteLLM instance: OpenAI, Anthropic, Google, AWS, GCP, Azure. Revoke old keys — don't just add new ones. Audit K8s cluster access logs for unauthorized lateral movement.
- Audit systemd unit files on all Linux systems that had LiteLLM installed. Hunt for unauthorized services designed to survive reboots.
- Identify all vendors in your supply chain holding Delve-issued SOC 2 reports. Flag as potentially fraudulent. Request re-audit from a recognized firm.
- Send targeted vendor risk questionnaire to all AI-adjacent vendors asking specifically about LiteLLM usage, LLM proxy architecture, and supply chain security controls for open-source AI dependencies.
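An added example (not from the original briefing or the LiteLLM project) of the first action item: it walks a source tree for LiteLLM references in requirements files, lockfiles, Dockerfiles and YAML, then checks whether an installed copy's `dist-info` directory was written inside a given window. The briefing gives no version numbers or window timestamps, so the versions, registry name and window below are constructed placeholders, and directory mtime is only a proxy for install time.

```python
import os
import re
from datetime import datetime, timezone
from pathlib import Path

MANIFESTS = ("requirements*.txt", "pyproject.toml", "Pipfile", "*.lock",
             "Dockerfile*", "*.yaml", "*.yml")
# A requirement pin (litellm[proxy]==1.2.3) or an image tag (.../litellm:1.2.3)
REF = re.compile(r"(?<![\w-])litellm(?:\[[^\]]*\])?\s*"
                 r"(?:(?:[=~!<>]=|[<>]|:)\s*v?(\d[\w.+\-]*))?", re.I)
LOCK_NAME = re.compile(r'name\s*=\s*"litellm"$', re.I)
LOCK_VERSION = re.compile(r'version\s*=\s*"([^"]+)"')

def find_litellm_refs(root):
    """Return (relative path, line number, version or None) for each reference."""
    root, hits = Path(root), []
    for path in sorted(p for p in root.rglob("*") if p.is_file()):
        if not any(path.match(pat) for pat in MANIFESTS):
            continue
        rel, in_entry = str(path.relative_to(root)), False
        for n, raw in enumerate(path.read_text(errors="replace").splitlines(), 1):
            line = raw.strip()
            if LOCK_NAME.match(line):            # lockfile entry: version follows
                in_entry = True
            elif in_entry and LOCK_VERSION.match(line):
                hits.append((rel, n, LOCK_VERSION.match(line).group(1)))
                in_entry = False
            elif not line:
                in_entry = False
            elif not in_entry and (m := REF.search(line)):
                hits.append((rel, n, m.group(1)))  # None means unpinned: resolve by hand
    return hits

def installs_in_window(site_packages, start, end):
    """Return (version, mtime) for litellm dist-info dirs written in [start, end]."""
    found = []
    for info in sorted(Path(site_packages).glob("litellm-*.dist-info")):
        ts = datetime.fromtimestamp(info.stat().st_mtime, tz=timezone.utc)
        if start <= ts <= end:
            found.append((info.name[len("litellm-"):-len(".dist-info")], ts))
    return found

def build_demo_tree(root):
    """Constructed sample repo and site-packages; all versions are placeholders."""
    root = Path(root)
    (root / "svc").mkdir()
    (root / "svc" / "requirements.txt").write_text("requests==2.32.0\nlitellm[proxy]==0.0.1\n")
    (root / "svc" / "Dockerfile").write_text("FROM python:3.12\nRUN pip install litellm\n")
    (root / "poetry.lock").write_text('[[package]]\nname = "litellm"\nversion = "0.0.2"\n')
    (root / "deploy.yaml").write_text("image: registry.example/litellm:0.0.3\n")
    info = root / "site-packages" / "litellm-0.0.1.dist-info"
    info.mkdir(parents=True)
    stamp = datetime(2026, 1, 1, 12, 30, tzinfo=timezone.utc).timestamp()
    os.utime(info, (stamp, stamp))
    return root

if __name__ == "__main__":
    import tempfile
    with tempfile.TemporaryDirectory() as tmp:
        for hit in find_litellm_refs(build_demo_tree(tmp)):
            print(hit)
```

An unpinned reference (version `None`) is the case to chase first, because whatever was current at build time is what got installed; resolve it from the build log or the image layer.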
Sources: Your npm and PyPI supply chains were weaponized this month · LiteLLM supply chain compromise by TeamPCP is hitting thousands of orgs · LiteLLM supply chain compromise, quantum threat timeline shortened · Your npm build pipeline is leaking: Anthropic's 512K-line source dump + LiteLLM supply chain compromise · Axios npm is backdoored by North Korea, EvilTokens is harvesting your M365 tokens at scale
03 Three Concurrent Active Exploits: Fortinet EMS, Magento PolyShell, and TrueConf Zero-Day
<h3>The Patch-to-Exploitation Window Is Collapsing</h3><p>Three separate critical vulnerabilities are under active exploitation simultaneously, each hitting a different part of enterprise infrastructure. Together they illustrate a trend that should reshape your patching SLAs: the gap between patch availability and weaponized exploitation is now measured in <strong>days to weeks, not months</strong>.</p><hr><h3>Fortinet EMS: CVE-2026-21643 — Patched February, Exploited Now</h3><p>A <strong>SQL injection vulnerability</strong> in Fortinet's Endpoint Management Server allows unauthenticated server takeover via malcrafted HTTP requests. The patch has been available since <strong>February 2026</strong>, but active exploitation didn't begin until late March — a longer fuse, but the impact is severe. Fortinet EMS manages your endpoint fleet; compromising it gives attackers control over your device management infrastructure.</p><p>If any EMS server is still unpatched, restrict web interface access to management VLANs <strong>immediately</strong> while scheduling emergency maintenance.</p><h3>Magento PolyShell: Mass Exploitation at Scale</h3><p>The PolyShell vulnerability enables <strong>unauthenticated web shell upload</strong> on Magento storefronts. Mass exploitation is underway at <strong>hundreds of stores per hour</strong>. The vulnerability went from disclosure to mass exploitation in under two weeks. Any Magento instance unpatched since mid-March should be treated as compromised — engage IR and check for card skimmer injection.</p><h3>TrueConf CVE-2026-3502: Zero-Day With No Patch</h3><p>A <strong>Chinese-nexus APT</strong> is exploiting a zero-day in TrueConf Server to push malicious updates to all connected clients from compromised on-prem servers. This is the highest-risk of the three because <strong>no patch exists</strong>. 
TrueConf's server-to-client trust model means a single compromised server can distribute malware across the entire deployment.</p><table><thead><tr><th>Vulnerability</th><th>Product</th><th>Exploitation</th><th>Patch Status</th><th>Impact</th></tr></thead><tbody><tr><td><strong>CVE-2026-21643</strong></td><td>Fortinet EMS</td><td>Active (late March)</td><td>Available (Feb 2026)</td><td>Unauthenticated server takeover</td></tr><tr><td><strong>PolyShell</strong></td><td>Magento</td><td>Mass (100s/hour)</td><td>Available (mid-March)</td><td>Unauthenticated web shell</td></tr><tr><td><strong>CVE-2026-3502</strong></td><td>TrueConf Server</td><td>Active (APT)</td><td>None (zero-day)</td><td>Malicious update push to all clients</td></tr></tbody></table><hr><h3>AI-Accelerated Exploitation Compresses Your Window Further</h3><p>Adding urgency: researchers gave Claude a FreeBSD security advisory for <strong>CVE-2026-4747</strong>, and it produced two working remote kernel exploits in approximately <strong>4 hours</strong> — both succeeding on first attempt. The exploit chain included multi-packet shellcode delivery, ROP construction, and clean kernel-to-userland process spawning yielding a root reverse shell. This capability demonstration means your patching SLA for remotely exploitable CVEs should be measured in <strong>hours, not weeks</strong>.</p><blockquote>When an AI can weaponize a CVE in 4 hours, a 15-day patching SLA for critical remote vulnerabilities is a 14-day, 20-hour window where you're defenseless.</blockquote>
Action items
- Confirm all Fortinet EMS servers are running post-February patch. If any are unpatched, restrict web interface to management VLANs and schedule emergency patching within 24 hours.
- Patch all Magento instances and scan for web shells. Any instance unpatched since mid-March: initiate IR and check for payment card skimmer injection.
- If running TrueConf Server, isolate from network and disable auto-update functionality until a patch is released. Monitor vendor advisories.
- Reassess patching SLA: propose 24-48 hour window for critical remotely exploitable CVEs, with automated deployment for network-exposed services.
Sources: Axios npm compromise by DPRK, Fortinet EMS 0-day in the wild, and Iran fusing cyber ops with missile strikes · Axios npm is backdoored by North Korea, EvilTokens is harvesting your M365 tokens at scale
◆ QUICK HITS
Update: Axios npm — Google formally attributes to UNC1069 (DPRK); poisoned versions were live ~3 hours; multi-vendor IOC consortium (Aikido, DataDog, Elastic, Huntress, Wiz) published detection packages. If you audited yesterday, verify IOC coverage.
Axios npm compromise by DPRK, Fortinet EMS 0-day in the wild
Update: Claude Code leak — KAIROS autonomous daemon mode (runs 24/7, survives sleep, GitHub PR subscriptions) and guardrail-free build are now permanently on IPFS. A user stripped telemetry, safety controls, and unlocked all experimental features. Block known IPFS hashes.
Your npm and PyPI supply chains were weaponized this month
Update: PQC timeline — Oratomic achieved 40x reduction to just 26,000 physical qubits for ECDSA secp256k1 break using neutral atoms. Ethereum's Justin Drake (co-author on Google paper) now assigns ≥10% q-day probability by 2032.
Google & Oratomic just cut ECDSA break requirements 40x
Malicious npm packages color-diff-napi and modifiers-napi are typosquatting Claude Code dependencies — targeting developers building the leaked source. Block at registry proxy and issue internal advisory: do not clone or build any Claude Code fork.
Malicious npm packages targeting your devs who touched the Claude Code leak
Jira Work Management stored XSS in custom priority Icon URL enables Product Admin (low-privilege) to escalate to full Atlassian org takeover via hidden organization invitation. Audit all custom priority configurations for suspicious Icon URLs.
Axios npm is backdoored by North Korea, EvilTokens is harvesting your M365 tokens at scale
CrySome RAT survives factory resets by abusing recovery partitions and offline registry modification — traditional reimaging fails. Update IR playbooks: require validated clean boot media with full disk wipe including recovery partition.
Axios npm compromise by DPRK, Fortinet EMS 0-day in the wild
TA416/Mustang Panda has pivoted back to European targets since mid-2025 per new Proofpoint research. If you have European operations, hunt for PlugX/Korplug variants and DLL sideloading indicators now. Normalize TA416/Twill Typhoon/Mustang Panda in your TIP.
Mustang Panda is back in Europe — and the U.S. Army just cut cyber training by 80%
LAPSUS$ claims Mercor AI breach via TailScale VPN — 939GB source code, 4TB total data exfiltrated. Review TailScale/mesh VPN node authorization: enforce MFA, remove stale device enrollments, implement device posture checks.
Your npm and PyPI supply chains were weaponized this month
IBM acquired HashiCorp ($35/share vs $80 IPO) and Confluent ($31/share vs $36 IPO) at distressed valuations. If Vault, Terraform, or Kafka are in your stack, initiate vendor risk reassessment and document migration alternatives (OpenTofu, cloud-native KMS, Redpanda).
Anthropic leaked Claude Code source — and your HashiCorp/Confluent stack now belongs to IBM
Encryption classified as 'design defect' in New Mexico Meta verdict — Meta discontinued E2EE in Instagram DMs in response. Monitor appeals; if precedent holds, vendor-provided encryption guarantees may be less durable than your compliance posture assumes.
Encryption ruled a 'design defect' in court — plus Iran names 18 US tech targets
macOS Tahoe 26.4 added undocumented Terminal safeguard intercepting pasted commands — Apple's OS-level mitigation for ClickFix social engineering. Reduces but doesn't eliminate exposure on updated endpoints.
Axios npm is backdoored by North Korea, EvilTokens is harvesting your M365 tokens at scale
InsomniacUnwinding technique hides malicious code from EDR solutions that continuously scan memory. Evaluate your EDR vendor's detection capability against this evasion class.
Axios npm compromise by DPRK, Fortinet EMS 0-day in the wild
BOTTOM LINE
Your cloud infrastructure is under simultaneous kinetic and software supply chain attack: Iran has already struck AWS and Azure data centers and named 18 more US tech targets for imminent strikes, while the LiteLLM AI proxy was backdoored to harvest every AWS/GCP/Azure credential in your stack — and three more critical exploits (Fortinet EMS, Magento PolyShell, TrueConf zero-day) are being mass-exploited right now. Validate your MENA cloud failover, audit every environment for LiteLLM, and patch your Fortinet and Magento servers today — not after standup.
Frequently asked
- How do I quickly check if LiteLLM is in my environment?
- Search every package manifest — requirements.txt, pyproject.toml, Poetry/pip lockfiles, Dockerfiles, container images, Helm charts, and CI/CD pipeline definitions — for 'litellm'. Also scan running Python environments and Kubernetes pods. If found, capture the installed version and install timestamp, then cross-reference against the 3-hour compromise window to determine exposure.
- Which credentials need rotation if LiteLLM was present during the compromise window?
- Rotate and revoke every secret that ever transited the proxy: OpenAI, Anthropic, Google, and other LLM API keys; AWS, GCP, and Azure cloud credentials; SSH keys; Kubernetes kubeconfigs; and any crypto wallet keys on affected hosts. Don't just issue new keys — revoke the old ones, because Stage 1 of the backdoor specifically harvested these credential classes.
- How should business continuity plans change given kinetic strikes on cloud data centers?
- Treat physical destruction of cloud regions as a distinct BCP category separate from outage or ransomware scenarios. Test failover out of AWS me-south-1, Azure UAE/Qatar, and other MENA regions today, and model multi-week recovery timelines driven by transformer and hardware supply shortages. Brief the board on multi-region and multi-cloud redundancy as material risk investment.
- What makes the systemd persistence in the LiteLLM backdoor hard to remove?
- Stage 3 installs a persistent systemd unit that survives reboots and is not removed when the LiteLLM package is uninstalled. Eradication requires auditing systemd unit files on every Linux host that ran LiteLLM, hunting for unauthorized services, timers, and drop-in overrides, and verifying no attacker-controlled binaries remain on disk or in user-level systemd scopes.
- Why should SOC 2 reports issued by Delve be treated as suspect?
- Delve is alleged to have produced 494 fraudulent SOC 2 reports with fabricated evidence and pre-written conclusions, so any attestation it issued should be considered unreliable until independently verified. Inventory vendors in your supply chain holding Delve-issued reports, flag them in your third-party risk register, and require a re-audit by a recognized firm before relying on those controls.
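An added example (not from the original briefing) of the systemd audit described in the persistence answer above: it walks system and user unit directories and flags services, timers and drop-in overrides that appeared after a cutoff date, run from writable or hidden paths, or start an interpreter with inline code. The briefing publishes no unit names or timestamps, so the cutoff is a placeholder for the first LiteLLM install on the host and the demo units are constructed, not indicators of compromise.

```python
import os
import shlex
from datetime import datetime, timezone
from pathlib import Path

# Standard locations for locally installed and per-user units
UNIT_DIRS = ["/etc/systemd/system", "/run/systemd/system",
             "/usr/local/lib/systemd/system", "~/.config/systemd/user"]
WRITABLE_PREFIXES = ("/tmp/", "/var/tmp/", "/dev/shm/", "/home/", "/root/")
INTERPRETERS = {"sh", "bash", "python", "python3", "perl"}

def exec_commands(text):
    """Yield the argv of every Exec*= line in a unit or drop-in file."""
    for line in text.splitlines():
        key, sep, value = line.strip().partition("=")
        if sep and key.startswith("Exec") and value.strip():
            try:
                argv = shlex.split(value)
            except ValueError:            # unbalanced quotes: fall back to whitespace
                argv = value.split()
            argv[0] = argv[0].lstrip("-@+!:")   # strip systemd executable prefixes
            yield argv

def audit_units(dirs, since):
    """Flag services, timers and drop-ins that are new or run from odd places."""
    findings = []
    for d in dirs:
        base = Path(d).expanduser()
        if not base.is_dir():
            continue
        for path in sorted(base.rglob("*")):
            dropin = path.suffix == ".conf" and path.parent.name.endswith(".d")
            if not path.is_file() or not (path.suffix in {".service", ".timer"} or dropin):
                continue
            reasons = []
            # lstat: a symlink created after the cutoff means a newly enabled unit
            changed = datetime.fromtimestamp(path.lstat().st_mtime, tz=timezone.utc)
            if changed >= since:
                reasons.append("created or modified since cutoff")
            for argv in exec_commands(path.read_text(errors="replace")):
                exe = argv[0]
                if exe.startswith(WRITABLE_PREFIXES) or "/." in exe:
                    reasons.append(f"runs from writable or hidden path: {exe}")
                if Path(exe).name in INTERPRETERS and "-c" in argv[1:]:
                    reasons.append("interpreter with inline code (-c)")
            if dropin and reasons:
                reasons.append(f"drop-in overrides {path.parent.name[:-2]}")
            if reasons:
                findings.append({"unit": str(path.relative_to(base)), "reasons": reasons})
    return findings

def build_demo_units(root):
    """Constructed unit directory; names and paths are invented, not real IoCs."""
    old = datetime(2025, 6, 1, tzinfo=timezone.utc).timestamp()
    new = datetime(2026, 2, 1, tzinfo=timezone.utc).timestamp()
    units = {
        "sshd.service": ("[Service]\nExecStart=/usr/sbin/sshd -D\n", old),
        "sysmon-helper.service": ("[Service]\nExecStart=/home/app/.cache/helper\n", new),
        "cron.service.d/override.conf":
            ("[Service]\nExecStart=\nExecStart=/bin/bash -c 'exec /usr/sbin/cron -f'\n", old),
    }
    for name, (body, stamp) in units.items():
        path = Path(root) / name
        path.parent.mkdir(parents=True, exist_ok=True)
        path.write_text(body)
        os.utime(path, (stamp, stamp))
    return Path(root)

if __name__ == "__main__":
    cutoff = datetime(2026, 1, 1, tzinfo=timezone.utc)   # placeholder cutoff date
    for finding in audit_units(UNIT_DIRS, cutoff):
        print(finding["unit"], "->", "; ".join(finding["reasons"]))
```

Timestamps can be rewritten by anything running as root, so treat the mtime check as a lead; confirm each flagged unit against the package manager's file ownership records before clearing or removing it.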