Cybersecurity researchers have uncovered a new credential theft framework named PCPJack that actively targets exposed cloud infrastructure. The attackers behind this campaign are systematically removing any evidence of prior intrusions linked to a group known as TeamPCP.
The discovery was made by the threat intelligence team at Qualys. According to their findings, the framework specifically harvests credentials from a wide range of services, including cloud platforms, container environments, developer tools, productivity applications, and financial services.
The primary objective of the PCPJack framework is to steal sensitive login data. Once captured, this information is exfiltrated to attacker-controlled infrastructure. The operation is characterized by its worm-like propagation method, which allows it to spread rapidly across compromised networks.
Researchers noted that the malware exploits five distinct Common Vulnerabilities and Exposures (CVEs). While the specific CVEs have not been fully detailed in the initial report, the exploitation of multiple vulnerabilities indicates a sophisticated and targeted approach designed to reach as many exposed systems as possible.
Worm-Like Behavior and Evasion Tactics
The framework demonstrates a capability to move laterally within compromised environments. This worm-like behavior enables it to automatically infect additional systems and cloud services that it discovers during its operation.
A key aspect of the attack is the removal of artifacts associated with previous TeamPCP intrusions. This action suggests that the current campaign is not merely opportunistic but is actively eliminating competition or covering tracks from earlier, related activities. By erasing these traces, the attackers aim to maintain a clean, stealthy foothold within the victim’s cloud infrastructure.
Targeted Services and Data Exfiltration
The scope of targeted services is broad, encompassing major cloud providers, container orchestration platforms like Kubernetes, developer platforms such as GitHub, and productivity suites. Financial service credentials are also a primary target, highlighting a focus on monetary gain.
Data exfiltration is conducted through pre-established command and control channels. The attackers use this infrastructure to relay the stolen credentials to external servers, where the information can be used for further attacks, fraud, or sold on dark web markets.
PCPJack analyzes the compromised environment to identify high-value targets, such as accounts with administrative privileges or access to sensitive financial data. This automated targeting increases the efficiency of the credential harvesting process.
Implications for Cloud Security
This discovery highlights a growing trend of sophisticated credential theft specifically targeting cloud infrastructure. The ability to spread like a worm makes PCPJack particularly dangerous for organizations with interconnected cloud services and insufficient network segmentation.
Security experts recommend that organizations immediately audit their exposed cloud services and review access logs for signs of unauthorized lateral movement. Patching the five CVEs exploited by this framework is considered a critical first step in defense.
The emergence of PCPJack underscores the importance of using multi-factor authentication and strict identity and access management policies for cloud environments. Without these controls, stolen credentials can give attackers virtually unrestricted access.
Researchers are continuing to monitor the infrastructure used by the attackers to identify additional victims and understand the full scope of the campaign.
Source: Qualys Threat Research Unit