The threat group's shift to speedy attacks on AWS, Azure, and SaaS instances shows organizations need to respond quickly to compromised credentials.
TeamPCP is weaponizing the fruits of its extensive supply chain attacks, using stolen credentials to access cloud and software-as-a-service (SaaS) environments.
The threat group this month compromised several open source software projects, starting with Trivy, an Aqua Security-maintained security scanner, and KICS, a Checkmarx-developed tool for static code analysis. More recently, TeamPCP actors hit LiteLLM, an open source Python library, and the PyPi package of Telnyx, which developers use for voice AI agents.
The goal was the same across all four attack campaigns — use poisoned, open source software to deploy infostealer malware in organizations and harvest user credentials, API keys, SSH keys, and other secrets.
Now, TeamPCP has set its sights on bigger fish by using the stolen credentials to breach AWS and Azure environments as well as SaaS instances. The escalation has put a premium on fast responses to the supply chain attacks, as those organizations that failed to quickly rotate and revoke credentials could be sitting ducks for attackers.
The Wiz CIRT first detected malicious use of stolen credentials on March 19, in which threat actors used the Trufflehog open source tool to validate those credentials. The team observed Trufflehog validation activity for AWS access keys, Azure application secrets, and various SaaS tokens.
In the AWS compromises, the Wiz CIRT noticed the threat actors wasted little time in weaponizing the stolen credentials and secrets. "After the secrets were validated, and as quickly as 24 hours after the initial theft, the threat actor began performing AWS discovery operations," the researchers wrote.
TeamPCP conducted extensive enumeration in victims' AWS environments, collecting data on everything from identity and access management roles to S3 buckets, with a special focus on mapping Amazon Elastic Container Service (ECS) instances.
From there, the attackers exfiltrated data from S3 buckets and AWS Secrets Manager, among other resources, and abused the ECS Exec feature to run Bash commands and Python scripts on running containers. Wiz researchers said this gave the threat actors the ability to further explore the environment and exfiltrate additional sensitive data.
It's unclear how many cloud environments have been compromised by TeamPCP attacks. Wiz Research tells Dark Reading that it does not provide figures on impacted environments.
"What we can share is that our research shows this activity isn't limited to a single cloud," Wiz Research says. "We've observed compromises across Azure, GitHub, and other SaaS providers, reflecting how attackers reuse validated credentials across environments."
The escalating attacks show that TeamPCP prioritizes speed rather than subtly and stealth, according to Wiz. The campaigns also demonstrate the importance of a fast response to incidents involving compromised credentials.
"Our analysis shows TeamPCP moved quickly to validate and weaponize stolen credentials," Wiz Research says. "At the same time, organizations that acted fast to revoke or rotate access were able to limit the blast radius."
Organizations that may have been impacted by the supply chain attacks on Trivy, KICS, LiteLLM, and Telnyx should rotate all secrets and credentials. Since it's possible that TeamPCP threat actors may have gained access to cloud instances before the credentials, Wiz researchers recommend that organizations hunt for suspicious and anomalous activity in their environments.
Such activity includes unusual use of VPNs, a significant number "git.clone" events in a short period, and suspicious enumeration activity. Wiz published indicators of compromise (IOCs) for the recent TeamPCP attacks and urged security teams to monitor for those signs while making sure audit logging is enabled across the network.
TeamPCP is weaponizing the fruits of its extensive supply chain attacks, using stolen credentials to access cloud and software-as-a-service (SaaS) environments.
The threat group this month compromised several open source software projects, starting with Trivy, an Aqua Security-maintained security scanner, and KICS, a Checkmarx-developed tool for static code analysis. More recently, TeamPCP actors hit LiteLLM, an open source Python library, and the PyPi package of Telnyx, which developers use for voice AI agents.
The goal was the same across all four attack campaigns — use poisoned, open source software to deploy infostealer malware in organizations and harvest user credentials, API keys, SSH keys, and other secrets.
Now, TeamPCP has set its sights on bigger fish by using the stolen credentials to breach AWS and Azure environments as well as SaaS instances. The escalation has put a premium on fast responses to the supply chain attacks, as those organizations that failed to quickly rotate and revoke credentials could be sitting ducks for attackers.
TeamPCP Rolls On With Cloud Attacks
In a blog post yesterday, Wiz Research detailed how the company's customer incident response team (CIRT) investigated and responded to "multiple attacks" from TeamPCP following the supply chain compromises.The Wiz CIRT first detected malicious use of stolen credentials on March 19, in which threat actors used the Trufflehog open source tool to validate those credentials. The team observed Trufflehog validation activity for AWS access keys, Azure application secrets, and various SaaS tokens.
In the AWS compromises, the Wiz CIRT noticed the threat actors wasted little time in weaponizing the stolen credentials and secrets. "After the secrets were validated, and as quickly as 24 hours after the initial theft, the threat actor began performing AWS discovery operations," the researchers wrote.
TeamPCP conducted extensive enumeration in victims' AWS environments, collecting data on everything from identity and access management roles to S3 buckets, with a special focus on mapping Amazon Elastic Container Service (ECS) instances.
From there, the attackers exfiltrated data from S3 buckets and AWS Secrets Manager, among other resources, and abused the ECS Exec feature to run Bash commands and Python scripts on running containers. Wiz researchers said this gave the threat actors the ability to further explore the environment and exfiltrate additional sensitive data.
It's unclear how many cloud environments have been compromised by TeamPCP attacks. Wiz Research tells Dark Reading that it does not provide figures on impacted environments.
"What we can share is that our research shows this activity isn't limited to a single cloud," Wiz Research says. "We've observed compromises across Azure, GitHub, and other SaaS providers, reflecting how attackers reuse validated credentials across environments."
The Need For Speed
In addition to the compromised AWS environments, the Wiz CIRT also tracked malicious activity in GitHub, where TeamPCP actors abused the platform's workflows to execute code in targeted repositories. The threat actors also abused GitHub Personal Access Tokens to create cloned repositories at scale, the researchers said.The escalating attacks show that TeamPCP prioritizes speed rather than subtly and stealth, according to Wiz. The campaigns also demonstrate the importance of a fast response to incidents involving compromised credentials.
"Our analysis shows TeamPCP moved quickly to validate and weaponize stolen credentials," Wiz Research says. "At the same time, organizations that acted fast to revoke or rotate access were able to limit the blast radius."
Organizations that may have been impacted by the supply chain attacks on Trivy, KICS, LiteLLM, and Telnyx should rotate all secrets and credentials. Since it's possible that TeamPCP threat actors may have gained access to cloud instances before the credentials, Wiz researchers recommend that organizations hunt for suspicious and anomalous activity in their environments.
Such activity includes unusual use of VPNs, a significant number "git.clone" events in a short period, and suspicious enumeration activity. Wiz published indicators of compromise (IOCs) for the recent TeamPCP attacks and urged security teams to monitor for those signs while making sure audit logging is enabled across the network.