Search This Blog
Powered by Blogger.

Blog Archive

Labels

Footer About

Footer About

Labels

Load More
Trendy Right Now

Popular Posts

Showing posts with label TeamPCP. Show all posts
TruffleHog
Amazon Web Services AWS Cyber Attacks TeamPCP TruffleHog

TruffleHog Targets European Commission, Breach Leaked Data of 30 EU Entities


The European Union Cybersecurity Service (CERT-EU) has linked the European Commission cloud breach to the TeamPCP gang. The breach leaked the information of 29 Union organizations.

The breach

The commission disclosed the attack on March 27, when Bleeping Computer confirmed the breach of the European Union’s primary executive body.

Recently, the European Commission informed CERT-EU about the breach, informing them that their Cybersecurity Operations was not warned about an API exploit, a possible account hack, or any malicious network traffic until March 24.

TeamPCP's attack tactic

In March, TeamPCP exploited a compromised AWS API key to manage rights over different Commission AWS accounts (hacked in the Trivy supply-chain breach).

After that, the gang deployed TruffleHog to look for more secrets, then added a new access key to an existing user to escape detection before doing more spying and data theft. 

In the past, TeamPCP has been known for supply-chain attacks targeting developer code forums like NPM, Docker, PyPi, and GitHub. The gang also attacked the LiteLLM PyPI package in a campaign that affected tens of thousands of devices via its “TeamPCP Cloud Stealer” data-stealing malware. 

ShinyHunters' role

Later, data extortion gang ShinyHunters posted the stolen data on their dark web leak site as a 90 GB archive of documents (around 340GB uncompressed), which includes email addresses, contacts, and email information. 

According to the CERT-EU analysis, hackers have stolen tens of thousands of documents; the leak affects around 42 internal European Commission clients and around 20 other Union firms. 

"The threat actor used the compromised AWS secret to exfiltrate data from the affected cloud environment. The exfiltrated data relates to websites hosted for up to 71 clients of the Europa web hosting service: 42 internal clients of the European Commission, and at least 29 other Union entities,” CERT-EU said. Regarding the dataset, CERT-EU said it also contained “at least 51,992 files related to outbound email communications, totalling 2.22 GB. The majority of these are automated notifications with little to no content. However, 'bounce-back' notifications, which are responses to incoming messages from users, may contain the original user-submitted content, posing a risk of personal data exposure."

The impact

No websites were taken offline or altered as a result of this attack, and no lateral movement to other Commission AWS accounts has been found, according to CERT-EU.

Although it would probably take "a considerable amount of time" to analyze the exfiltrated databases and information, the Commission has informed the appropriate data protection authorities and is in direct contact with the impacted organizations.

After learning that a mobile device management platform used to oversee employees' devices had been compromised, the European Commission revealed another data breach in February.

Read more »
Subscribe to: Comments (Atom)