Hackers hack victims who have been hacked by other hackers

Ordinary Internet users and businesses are not the only victims of malicious hackers. sometimes, Hackers themselves are hacked.

That’s what happened in an unusual hacking campaign, in which an unknown group of hackers targeted systems that had already been compromised by a prolific cybercrime group known as TeamPCP. Once the hackers broke into those systems, they immediately kicked out the TeamPCP hackers and removed their tools, According to a new report By cybersecurity company SentinelOne.

From there, hackers use their access to deploy code designed to replicate across different cloud infrastructure like a self-propagating worm, steal different types of credentials, and finally send the stolen data back to their own infrastructure.

TeamPCP is a cybercriminal group that has been making headlines in the past few weeks, thanks to a series of high-profile hacks attributed to the group. Superhero ones included Violation of the European Commission’s cloud infrastructureand a large-scale cyber attack against The widely used vulnerability scanning tool TrivvyWhich affected any company that relied on it, including liteLLM and Artificial Intelligence for Recruiting Startups Mercoramong other things.

Alex Delamotte, senior researcher at SentinelOne, who discovered the new hacking campaign and dubbed it “PCPJack,” told TechCrunch that it is not clear who is behind it. At this point, Delamotte said her three theories are that the hackers are either disgruntled former members of TeamPCP, part of a rival group, or a third party who “chose to model their attack tools directly on previous TeamPCP campaigns,” many of which targeted cloud infrastructure.

“The services targeted by PCPJack closely resemble the TeamPCP campaigns from December to January, prior to the alleged change in group membership that occurred in February and March,” Delamotte said.

Delamotte also noted that hackers are not only targeting systems compromised by TeamPCP, but are also scanning the Internet for exposed services such as the Docker virtual machine cloud platform, databases running MongoDB, and others. But SentinelOne said the group appeared to be largely focused on targeting TeamPCP.

According to the report, private hacker tools keep a tally of the number of compromised targets where they successfully evict TeamPCP by sending this information back to its infrastructure.

The PCPJack hackers’ goals appear to be purely financial, as they steal credentials with an eye toward monetizing them. Hackers do this by reselling them, selling access to compromised systems to so-called raw access brokers – hackers who break into systems and then allow customers to pay to compromised devices, or by blackmailing victims directly.

However, hackers do not attempt to install cryptocurrency mining software on compromised systems, likely because this strategy requires more time to reap rewards, according to Delamotte.

As part of some of their attacks, hackers use domains that indicate they are phishing for password manager credentials and use fake help desk sites, according to Delamotte.