In a surprising turn of events, a new group of hackers is exploiting vulnerabilities in systems already compromised by the notorious cybercrime group TeamPCP. This unusual campaign involves evicting TeamPCP members and erasing their hacking tools, as reported by cybersecurity firm SentinelOne.
Once inside the breached systems, these hackers deploy self-replicating code across cloud infrastructures, akin to a worm. Their primary objective is to steal credentials and transmit the stolen data back to their own servers.
Background on TeamPCP
TeamPCP has gained notoriety recently due to a series of high-profile breaches, including attacks on the European Commission’s cloud infrastructure and the widely used vulnerability scanner Trivy. These incidents have impacted numerous companies, including LiteLLM and the AI recruiting startup Mercor.
Insights from SentinelOne
Alex Delamotte, a senior researcher at SentinelOne, identified this new hacking initiative, which she has named “PCPJack.” Delamotte speculates on the potential identities of the attackers, suggesting they could be former TeamPCP members, rivals, or third parties mimicking TeamPCP’s tactics.
Targets and Techniques
The PCPJack hackers not only focus on systems compromised by TeamPCP but also scan for exposed services, such as:
- Docker virtual machine platforms
- MongoDB databases
- Other vulnerable cloud services
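The two exposed services named above are usually exposed by a single misconfiguration each: a Docker daemon configured to listen on a TCP socket, and a MongoDB server bound to all interfaces with authorization left disabled. The following is an added defensive example, not code from SentinelOne's report or from the article: a small audit that reads a `daemon.json` and a `mongod.conf` and flags those patterns. The configuration keys used (`hosts` and `tlsverify` for Docker, `net.bindIp`, `net.bindIpAll` and `security.authorization` for MongoDB) are the real ones; the sample files embedded below are constructed for the demonstration, and the YAML reader is a minimal two-level parser written here so the script has no dependencies.

```python
"""Added example (not from the article or SentinelOne): audit a Docker
daemon.json and a mongod.conf for the exposure patterns an internet scanner
would find. Sample configs are constructed for the demo."""
import json
from typing import Dict, List

# Constructed sample of /etc/docker/daemon.json. "hosts" and "tlsverify" are
# Docker's real keys; a tcp:// listener without TLS is the risky pattern.
SAMPLE_DOCKER_DAEMON_JSON = json.dumps({
    "hosts": ["unix:///var/run/docker.sock", "tcp://0.0.0.0:2375"],
    "log-driver": "json-file",
})

# Constructed sample mongod.conf (YAML). net.bindIp / security.authorization
# are MongoDB's real option names.
SAMPLE_MONGOD_CONF = """\
storage:
  dbPath: /var/lib/mongodb
net:
  port: 27017
  bindIp: 0.0.0.0
security:
  authorization: disabled
"""


def _parse_simple_yaml(text: str) -> Dict[str, object]:
    """Minimal 'section:\\n  key: value' reader; enough for mongod.conf basics."""
    result: Dict[str, object] = {}
    section = None
    for raw in text.splitlines():
        if not raw.strip() or raw.lstrip().startswith("#"):
            continue
        indent = len(raw) - len(raw.lstrip())
        key, _, value = raw.strip().partition(":")
        value = value.strip()
        if indent == 0:
            if value:                     # scalar top-level key
                result[key] = value
                section = None
            else:                         # start of a nested section
                section = key
                result[section] = {}
        elif section is not None:
            result[section][key] = value  # type: ignore[index]
    return result


def audit_docker_daemon(daemon_json: str) -> List[str]:
    """Flag Docker API listeners reachable over TCP, worst case on all interfaces."""
    findings: List[str] = []
    cfg = json.loads(daemon_json)
    tcp_hosts = [h for h in cfg.get("hosts", []) if h.startswith("tcp://")]
    for host in tcp_hosts:
        addr = host[len("tcp://"):]
        if addr.startswith(("0.0.0.0", "[::]", ":")):
            findings.append(f"docker: API exposed on all interfaces ({host})")
        else:
            findings.append(f"docker: API exposed over TCP ({host})")
    if tcp_hosts and not cfg.get("tlsverify", False):
        findings.append("docker: TCP listener without tlsverify")
    return findings


def audit_mongod_conf(conf_text: str) -> List[str]:
    """Flag MongoDB bound beyond localhost, and authorization left disabled."""
    findings: List[str] = []
    cfg = _parse_simple_yaml(conf_text)
    net = cfg.get("net") if isinstance(cfg.get("net"), dict) else {}
    sec = cfg.get("security") if isinstance(cfg.get("security"), dict) else {}
    bind_ip = str(net.get("bindIp", "127.0.0.1"))   # mongod default is localhost
    bind_all = str(net.get("bindIpAll", "false")).lower() == "true"
    exposed = bind_all or any(ip.strip() in ("0.0.0.0", "::") for ip in bind_ip.split(","))
    auth_on = str(sec.get("authorization", "disabled")).lower() == "enabled"
    if exposed:
        findings.append(f"mongod: bound to all interfaces (bindIp={bind_ip!r}, bindIpAll={bind_all})")
    if not auth_on:
        findings.append("mongod: security.authorization is not enabled")
    if exposed and not auth_on:
        findings.append("mongod: CRITICAL unauthenticated database reachable from the network")
    return findings


if __name__ == "__main__":
    for line in audit_docker_daemon(SAMPLE_DOCKER_DAEMON_JSON) + audit_mongod_conf(SAMPLE_MONGOD_CONF):
        print(line)
```

Run it against the real files (`/etc/docker/daemon.json`, `/etc/mongod.conf`) on a host and treat any "CRITICAL" or "all interfaces" finding as something to fix before the scanner finds it: bind MongoDB to localhost or a private interface and enable authorization, and keep the Docker API on its Unix socket or behind TLS client verification.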
Despite their broader scanning efforts, the group appears to prioritize targeting TeamPCP's previous victims.
Motives Behind the Attacks
The motivations of the PCPJack hackers seem to be strictly financial. They aim to monetize stolen credentials by:
- Reselling them
- Offering access to compromised systems as initial access brokers
- Directly extorting victims
Interestingly, they do not attempt to install cryptocurrency mining software on the hacked systems, likely due to the time-intensive nature of such operations.
Phishing Tactics
As part of their strategy, the hackers utilize domains that appear to be phishing attempts for password manager credentials, along with fake help desk websites to deceive victims.
Conclusion
This emerging threat highlights the evolving landscape of cybercrime, where even established hacker groups can become targets. Organizations should remain vigilant and enhance their cybersecurity measures to protect against such multifaceted attacks.