Ordinary internet users and businesses are not the only victims of malicious hackers. Sometimes, hackers themselves become victims of hacking.
In a recent unusual hacking incident, an unidentified group of hackers attacked systems already under the control of the notorious cybercrime organization TeamPCP. According to a new report by cybersecurity firm SentinelOne, after infiltrating the systems, these hackers immediately removed TeamPCP hackers and eliminated the tools they were using.
Subsequently, using the access privileges they had secured, the hackers deployed malicious code that replicated across multiple cloud infrastructures like a self-propagating worm, stole various types of account information, and ultimately transferred the stolen data back to their own systems.
TeamPCP is a cybercrime organization that has been in the media spotlight in recent weeks due to several large-scale hacking incidents. These attacks include a breach of the European Commission's cloud infrastructure and a massive cyberattack on Trivy, a widely used vulnerability scanner tool. The attack on Trivy affected all companies using the tool, including LiteLLM and the AI hiring startup Mercor.
Alex Delamotte, a senior researcher at SentinelOne who discovered the new hacking campaign and named it "PCPJack," stated in an interview with TechCrunch that it is unclear who is behind the attacks. Delamotte said he currently sees three possibilities: the hackers are disgruntled former TeamPCP members, members of a rival group, or third parties "directly mimicking TeamPCP's previous campaigns, particularly those targeting cloud infrastructure."
Delamotte added, "The services targeted by PCPJack are very similar to the campaigns TeamPCP conducted in December and January, prior to the group member changes presumed to have occurred in February and March."
Delamotte pointed out that the hackers are not only attacking systems compromised by TeamPCP but are also scanning the internet for exposed services, such as the container platform Docker and MongoDB databases. However, SentinelOne stated that the group appears to be primarily targeting TeamPCP.
According to the report, the hackers use their own tooling to tally the number of targets from which TeamPCP has been successfully evicted and transmit this count to their own infrastructure.
The goal of PCPJack hackers appears to be purely financial, and they focus on generating revenue by stealing account information. This involves reselling stolen account data, acting as so-called Initial Access Brokers (IABs) to sell access rights to hacked systems, or directly blackmailing victims. IABs play the role of providing access rights to paying customers after infiltrating a system.
However, the hackers do not install cryptocurrency mining software on the hacked systems; according to Delamotte's analysis, this is likely because mining takes longer to generate revenue.
Delamotte also revealed that in some attacks, the hackers use phishing sites targeting password manager account information or fake customer support websites.