Hackers hack victims who are hacked by other hackers
Regular Internet users and corporations are not the only victims of malicious hackers. Sometimes hackers hack each other.
That’s what happened in an unusual hacking campaign, where an unknown group of hackers targeted systems already compromised by a prolific cybercrime group called TeamPCP. Once the hackers got into those systems, they immediately kicked out the TeamPCP hackers and removed their tools, according to a new report by cybersecurity firm SentinelOne.
From there, the hackers use their access to deploy code designed to replicate across different cloud infrastructures like a self-spreading worm, steal a variety of credentials, and ultimately send the stolen data back to their infrastructure.
TeamPCP is a cybercriminal group that has made headlines over the past few weeks due to a series of high-profile hacks linked to it. Those hacks included a breach of the European Commission’s cloud infrastructure and a wide-scale cyberattack on Trivy, a widely used vulnerability scanner tool, that affected any company that relied on it, including LightLLM and AI recruiting startup Mercor, among others.
Alex Delamotte, senior researcher at SentinelOne, who discovered the new hacking campaign and dubbed it “PCPJack”, told TechCrunch that it’s unclear who is behind it. At this point, Delamotte said he has three theories: that the hackers are either disgruntled ex-TeamPCP members, are part of a rival group, or are a third party “who chose to model their attack tools directly on TeamPCP’s earlier campaigns”, many of which targeted cloud infrastructure.
“Prior to the alleged change in group membership in February–March, PCPJack targeted services that were very similar to the December–January TeamPCP campaigns,” Delamotte said.
Delamotte also noted that the hackers not only target systems compromised by TeamPCP, but also scan the Internet for exposed services like the virtual machine cloud platform Docker, databases running MongoDB, and others. But SentinelOne said that TeamPCP is largely the group’s target.
According to the report, the hackers’ own tools keep track of the number of hacked targets where they successfully evicted TeamPCP, sending this information back to their infrastructure.
The goals of the PCPJack hackers appear to be purely financial, as they focus on monetisation by stealing credentials. The hackers do this by reselling the credentials, selling access to hacked systems to so-called initial access brokers – hackers who break into systems and then let paying customers onto the hacked machines – or by directly extorting victims.
However, the hackers do not attempt to install software to mine crypto on hacked systems, possibly because that strategy requires more time to reap rewards, according to Delamotte.
According to Delamotte, as part of some of their attacks, the hackers are using domains that suggest they are phishing for password manager credentials and using fake help desk websites.
