AWS Environments Vulnerable to TeamPCP Threats
AWS Environments Targeted by TeamPCP: A Complex Supply Chain Attack
In a sophisticated attack campaign, the threat group TeamPCP, also known as PCPcat, DeadCatx3, and ShellForce, has exploited credentials obtained from its extensive supply chain attacks against Trivy, LiteLLM, and Telnyx to breach AWS environments and extract sensitive data.
According to researchers at Wiz, TeamPCP validated pilfered AWS access keys, software-as-a-service tokens, and Azure application secrets using the TruffleHog tool within 24 hours of initial compromise, allowing them to conduct thorough reconnaissance and target key AWS services, including Secrets Manager.
Attack Methods
- Leveraging GitHub workflows to execute code in targeted environments
- Utilizing ECS Exec functionality for Bash command and Python script execution
- Exfiltrating source code and configuration files from GitHub repositories
- Extracting sensitive data stored in AWS S3 buckets, databases, and Secrets Manager
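The ECS Exec and Secrets Manager activity listed above leaves a trail in CloudTrail, which is where a defender can look for it. The following detector is an added example written for this article; it is not code from Wiz or from any tool named here. It parses a constructed batch of CloudTrail-style records (the access key ids, ARNs and timestamps are placeholders, not indicators from the incident), flags every `ecs:ExecuteCommand` call outright, and flags any access key that reads or enumerates secrets (or downloads S3 objects) in a burst within a short window. The thresholds are assumptions to tune per environment.

```python
import json
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed CloudTrail-style records for illustration only. The access key
# ids, account id and ARNs below are placeholders, not values from the incident.
def _rec(time, source, name, key, arn):
    return {
        "eventTime": time,
        "eventSource": source,
        "eventName": name,
        "userIdentity": {"accessKeyId": key, "arn": arn},
    }

_CI_USER = "arn:aws:iam::111111111111:user/ci-deploy"   # placeholder ARN
_APP_ROLE = "arn:aws:iam::111111111111:role/app"        # placeholder ARN

SAMPLE_CLOUDTRAIL = json.dumps({"Records": [
    # one interactive ECS Exec session started with a CI key
    _rec("2024-01-01T10:00:00Z", "ecs.amazonaws.com", "ExecuteCommand",
         "AKIAEXAMPLEKEY00001", _CI_USER),
    # six secret reads plus one ListSecrets from the same key inside six minutes
    *[_rec(f"2024-01-01T10:0{i}:00Z", "secretsmanager.amazonaws.com",
           "GetSecretValue", "AKIAEXAMPLEKEY00002", _CI_USER) for i in range(1, 7)],
    _rec("2024-01-01T10:02:30Z", "secretsmanager.amazonaws.com", "ListSecrets",
         "AKIAEXAMPLEKEY00002", _CI_USER),
    # an application role reading one secret now and then: normal behaviour
    _rec("2024-01-01T09:00:00Z", "secretsmanager.amazonaws.com", "GetSecretValue",
         "AKIAEXAMPLEKEY00003", _APP_ROLE),
    _rec("2024-01-01T11:30:00Z", "secretsmanager.amazonaws.com", "GetSecretValue",
         "AKIAEXAMPLEKEY00003", _APP_ROLE),
]})

# (eventSource, eventName) pairs that are flagged on a single occurrence.
ALWAYS_FLAG = {("ecs.amazonaws.com", "ExecuteCommand")}

# Pairs that are only suspicious in volume, grouped into a category per key.
BURST_WATCH = {
    ("secretsmanager.amazonaws.com", "GetSecretValue"): "secrets-read",
    ("secretsmanager.amazonaws.com", "ListSecrets"): "secrets-read",
    ("s3.amazonaws.com", "GetObject"): "s3-download",
}


def parse_cloudtrail(raw_json):
    """Return the list of records from a CloudTrail log file body."""
    return json.loads(raw_json)["Records"]


def _ts(rec):
    return datetime.strptime(rec["eventTime"], "%Y-%m-%dT%H:%M:%SZ")


def find_suspicious_activity(records, burst_threshold=5, window_minutes=10):
    """Flag ECS Exec sessions and per-key bursts of secret/object reads.

    burst_threshold and window_minutes are assumed starting values; tune them
    against a baseline of the environment's normal Secrets Manager traffic.
    """
    findings = []
    buckets = defaultdict(list)  # (accessKeyId, category) -> event timestamps
    for rec in records:
        api = (rec["eventSource"], rec["eventName"])
        key = rec["userIdentity"].get("accessKeyId", "unknown")
        if api in ALWAYS_FLAG:
            findings.append({"kind": "ecs-exec", "accessKeyId": key,
                             "arn": rec["userIdentity"].get("arn"),
                             "time": rec["eventTime"]})
        elif api in BURST_WATCH:
            buckets[(key, BURST_WATCH[api])].append(_ts(rec))

    window = timedelta(minutes=window_minutes)
    for (key, category), times in buckets.items():
        times.sort()
        start = 0
        for end in range(len(times)):          # sliding window over sorted times
            while times[end] - times[start] > window:
                start += 1
            if end - start + 1 >= burst_threshold:
                findings.append({"kind": f"{category}-burst", "accessKeyId": key,
                                 "count": len(times),
                                 "first": times[start].isoformat()})
                break                          # one finding per key and category
    return findings


if __name__ == "__main__":
    for f in find_suspicious_activity(parse_cloudtrail(SAMPLE_CLOUDTRAIL)):
        print(json.dumps(f))
```

On the constructed batch the detector reports the ECS Exec session and the seven-call secrets burst from the CI key, and stays quiet about the application role's two widely spaced reads. In production the same logic would run over records delivered to the trail's S3 bucket or a CloudTrail Lake query rather than an inline JSON string.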
Researchers suspect that TeamPCP may have formed partnerships with other threat groups, such as Lapsus$ and Vect ransomware, to further expand their capabilities.
Implications
This attack highlights the growing trend of sophisticated supply chain attacks aimed at compromising cloud environments.
As organizations increasingly rely on cloud-based services, they must prioritize robust security measures to prevent similar incidents in the future.