#teampcp

TeamPCP exploited a stolen Trivy API key to access a European Commission AWS environment, exfiltrating 91.7 GB of sensitive files affecting 42 Commission clients and 29 other EU entities.

Source: BleepingComputer | CERT-EU

The Trivy breach. CanisterWorm’s release into npm repositories. The LiteLLM compromise. These popped up several times on my news feed in the latter half of March. All are attributed to TeamPCP, utilizing similar attack vectors and exfiltration techniques to harvest cloud credentials, SSH keys, Kubernetes configuration files, and CI/CD secrets. The Trivy breach weaponized the company’s vulnerability scanner, creating backdoor access to numerous packages and repositories on GitHub. In CanisterWorm’s case, persistence and spread is achieved by using ICP canisters as a proxy, making remediation difficult and the related supply chains vulnerable. The compromise of LiteLLM created lateral movement via AI toolkits to extend the group’s reach. This is my fourth report on the group since March 24th.

Their latest victim is Cisco. Using stolen credentials from the Trivy attack the internal development environment and source code have been breached, according to Bleeping Computer. This sort of breach is likely the ultimate reason behind the attacks on supply chain infrastructure. Worming its way – no pun intended – through the ranks to reach a core, integral target. And they haven’t been subtle about it.

While there is little documentation about the group, other than their boldness – attacks are often named with obvious malicious commands, or exhibit trolling behavior – and their effectiveness at disrupting supply chains, they aren’t a complete unknown. Flare published an alert regarding the group in February, noting some of its other aliases, namely PCPcat, ShellForce, and DeadCatx3, as well as previous actions. The author, Assaf Morag, states that the group is not a single-purpose malware gang, but a cloud-native cybercrime platform, and we certainly have the evidence of that now.

Hacking the lower rungs of the supply chain ladder was always going to lead here. It comes back to trust. Or more precisely, the lack of it. Zero trust policies and MFA at every stage of access is the best way to prevent breaches. Period. Trivy even released an advisory that their attempts to contain the first incident were incomplete. They knew some session tokens might have been refreshed in TeamPCP’s hands, and everyone downstream was told to consider their environments that used Trivy to be fully compromised. The advisory I’ve linked is actually the second one, since the first was tampered with by the threat actor (comments pointed out that the timestamp didn’t match the incident report, which itself states remediation had taken place and all was well).

Now, I know I’m on the outside and it’s easy for me to look in and see the pattern as it emerges. But there is definitely a part of me wondering why Cisco hadn’t already implemented a widespread credential rotation. They were warned that containment wasn’t complete. And stealing credentials isn’t for the fun of it; the group was going to use them. At the same time, this breach once again highlights the inherent vulnerability of cloud environments. All it takes is one hole to slip through to lead to widespread data leakage, and in this case there are many. TeamPCP has learned that they can breach a large entity and get away with it. Which means they’re going to do it again. Enterprises need to take this seriously and be proactive about it instead of cleaning up the mess after the fact. I wouldn’t mind having something else to talk about.

Attackers stole source code from over 300 Cisco repositories using credentials from the Trivy compromise, impacting internal projects and customer code, including AI and government-related software.

Source: BleepingComputer

TeamPCP compromised the Telnyx Python SDK on PyPI, delivering credential-stealing malware via WAV steganography on Unix and persistent binaries on Windows.

Source: Endor Labs | Aikido | Socket

TeamPCP is back on my newsfeed. Just a few days ago, I reported on a wiper campaign attributed to the threat actor, where they exploited Internet Computer Protocol (ICP) canisters via GitHub to stage a multi-level attack against Iranian timezone targets using CanisterWorm, after compromising the vulnerability scanner Trivy to gain access to SSH keys, cloud credentials, Kubernetes tokens and cryptocurrency wallets. Today, I have not one but two reports of TeamPCP activity. The actor – or group, few specifics are known about them – uses supply chain disruption as a tactic, leveraging cloud-based services for entry before wiping local data or destroying Kubernetes clusters (which are a group of computing nodes, or worker machines, that run containerized applications).

TrendMicro has published an article on the latest wave of TeamPCP attacks, this time targeting various developer tools including Python Package Index (PyPI), npm, Docker Hub, GitHub Actions, and OpenVSX in a single coordinated operation, with widespread results. Among the tools caught in the attack, and subsequently the starting point for TrendMicro’s analysis, was LiteLLM, a Python based package that serves as a unified gateway to multiple LLM providers and has millions of downloads a day. Versions 1.82.7 and 1.82.8 were found to have malicious code in them, deploying a credential harvester, a Kubernetes lateral movement toolkit capable of compromising entire clusters, and a persistent backdoor providing ongoing remote code execution.

Simultaneously, Socket has published an article about how TeamPCP is coordinating with Vect, a ransom-as-a-service operation, to further expand their campaign surface. The pairing was announced on BreachForums, a darkweb marketplace for buying and selling stolen data, credentials and hacking tools. Evidence suggests that this partnership began shortly after the initial Trivy compromise, hinting that ransomware attacks were the ultimate goal all along. My earlier report noted that, at that point, we didn’t know what TeamPCP hoped to gain by their activity.

These attacks are occurring at a rapid fire rate. The Trivy compromise was less than ten days ago. Instead of trying anything new in terms of toolkits or agents, TeamPCP is utilizing established exploitation vectors such as vulnerabilities, misconfigurations and recycled tooling. The only novelty here is that they are being used in concert and in such a way as to make the campaigns self-sustaining through cloud environments.

I’ve talked before about how threat actors are starting to combine tactics to make their campaigns more effective. With so many interconnected and synced applications being used for daily business, all it takes is one weak link in a supply chain to gain access to everything else. Especially with the preponderance of shared credentials across open source platforms. If you’ve ever wondered why I emphasize keeping software up to date, point out weakness in password security, or the inherent danger in third party access without zero trust authentication in place, this is the reason. Experts call this type of attack a cascade. One vulnerability starts a landslide of further exploitation until entire networks are compromised or even rendered inoperable. And threat actors like TeamPCP are ready and waiting to take advantage of it. I doubt we’ve seen the end of them.

The TeamPCP group compromised the LiteLLM PyPI package, harvesting cloud credentials, SSH keys, and Kubernetes secrets via a persistent backdoor installed in developer pipelines.

Source: Trend Micro

TeamPCP has collaborated with the Vect ransomware group to turn compromised open source CI/CD pipelines and security tools into ransomware deployment vectors across enterprise environments.

Source: Socket.dev