
TeamPCP Investigates Methods to Capitalize on Stolen Supply Chain Secrets


Increased Threats: The Dangerous Convergence of Cyber Attackers and Extortion Gangs

Recent findings from researchers have highlighted an alarming trend in the world of cybersecurity: a "dangerous convergence" between supply chain attackers and extortion gangs, particularly manifesting in the activities of a group identified as TeamPCP. According to a report released on March 30 by researchers at Wiz, which is now part of Google Cloud, TeamPCP is strategically positioning itself to exploit stolen credentials gleaned from hacking operations.

The researchers noted that TeamPCP has been actively seeking to monetize critical secrets acquired during their attacks, including cloud credentials, SSH keys, Kubernetes configuration files, and other sensitive material used in software development. Evidence gathered indicates that the group has been validating, encrypting, and exfiltrating these stolen secrets to attacker-controlled domains, raising serious concerns about the increased scope and ambition of these cybercriminals.

The report emphasized the speed at which these actions are occurring, leading researchers to speculate that the same threat actors may be behind both supply chain operations and extortion efforts. However, they also mentioned the possibility that these stolen secrets could be circulating among different cybercriminal factions for further exploitation. The researchers conveyed their concerns in a statement, highlighting the potential for systemic attacks requiring immediate action from security teams.

The implications of these findings were echoed in a communication from Wiz to Infosecurity, which confirmed that TeamPCP has been collaborating with the notorious extortion group Lapsus$. This group specializes in high-profile breaches facilitated by social engineering techniques and credential theft. Although no formal ties between Lapsus$ and other suspected groups, such as Scattered Spider and ShinyHunters, have been conclusively established, the similarities in tactics raise further alarm.

Ben Read, a lead researcher at Wiz, articulated the severity of the situation, stating that there is a perilous blending of approaches between supply chain attackers and prominent extortion groups like Lapsus$. He described the scenario as creating a "snowball effect" on the cybersecurity landscape, exacerbated by attacks targeting widely used tools such as LiteLLM that are integrated into public cloud infrastructures. This trend is not an isolated event; it signifies a broader campaign that necessitates action from cybersecurity teams and is likely to expand in the future.

Adding another layer to this unfolding narrative, Socket, a firm that was among the first to report on the TeamPCP software supply chain attacks, has published details on Vect, a ransomware group believed to be forging an alliance with TeamPCP. The Vect group announced the partnership via posts on BreachForums, indicating its intent to carry out ransomware attacks against organizations affected by TeamPCP’s operations. Its communication boasted of plans to deploy ransomware across all companies compromised in these attacks, signalling a willingness to escalate significantly. The collective ambition of TeamPCP and Vect suggests a coordinated effort to inflict maximum damage on their targets.

Vect is characterized as an emerging ransomware-as-a-service (RaaS) group, with a Russian-speaking base. They operate a structured affiliate model, wherein core developers create the ransomware while affiliates execute the attacks, allowing affiliates to retain between 80% and 88% of the profits garnered through malicious activities.

TeamPCP’s notoriety isn’t limited to credential exploitation; they are also recognized for their attempts to compromise the Python Package Index (PyPI), where developers share and download software packages for the Python programming language. By employing tactics such as typosquatting, they have successfully tricked unsuspecting developers into downloading malicious software packages.

One of their most concerning campaigns targeted Trivy, an open-source vulnerability scanner maintained by Aqua Security, where TeamPCP managed to inject credential-stealing malware into official software releases and GitHub Actions. Subsequent attacks saw the group infiltrate Checkmarx’s KICS scanner, applying similar tactics through GitHub Actions and Open VSX extensions. More recently, TeamPCP has been linked to attacks on the LiteLLM AI Gateway, a popular Python library used for AI model integration, showing the broadening scope of its malicious activity.

Additionally, another campaign by TeamPCP led to the compromise of the Telnyx Python package on PyPI, resulting once again in the deployment of credential-stealing malware. Such instances underline an escalating trend where cybercriminals increasingly collaborate and share resources to maximize their impact on an array of platforms and technologies.

The convergence of supply chain attackers and extortion gangs marks a profound shift in the cybersecurity landscape, necessitating heightened awareness and proactive measures from organizations. As these groups continue to merge their strategies, the onus will be on security teams to adapt and strengthen their defenses to counter the growing threat posed by such collaborations, ensuring that the cybersecurity framework remains resilient in the face of evolving dangers.
