Supply chain, Identity, Cloud Security

AWS environments targeted by TeamPCP

Cybersecurity hologram and lock circuit, cyberattack and protection

Threat operation TeamPCP, also known as PCPcat, DeadCatx3, and ShellForce, has tapped credentials siphoned from its sweeping supply chain attacks against Trivy, LiteLLM, and Telnyx to compromise AWS environments and facilitate additional data theft, SecurityWeek reports.

AWS discovery operations have been conducted by TeamPCP within 24 hours of validating pilfered AWS access keys, software-as-a-service tokens, and Azure app secrets using the TruffleHog tool, enabling service enumeration, cluster and task definition mapping, and AWS Secret Manager targeting, according to findings from Wiz researchers. TeamPCP then harnessed GitHub workflows to run code in targeted environments, as well as leveraged ECS Exec functionality for Bash command and Python script execution, to siphon not only GitHub repository source code and configuration files but also AWS S3 bucket, database, and Secrets Manager data.

"TeamPCP's post-compromise activities focused on compromising additional secrets and exfiltrating massive amounts of data from code repositories and cloud resources. The exfiltrated data and compromised secrets are potentially being shared with other groups to enable a range of operations," said Wiz, which suspects TeamPCP to have entered partnerships with the Lapsus$ hacking operation and the Vect ransomware group.

Get daily email updates

SC Media's daily must-read of the most current and pressing daily news

By clicking the Subscribe button below, you agree to SC Media Terms of Use and Privacy Policy.

You can skip this ad in 5 seconds