Following the identification of the Axios npm supply chain attack as being perpetrated by North Korean hackers, researchers have issued warnings regarding the potential circulation of hundreds of thousands of stolen secrets. This alarming trend is compounded by other attacks linked to vulnerabilities in Trivy, KICS, LiteLLM, and Telnyx, attributed to a group known as TeamPCP.
Experts caution that these breaches could pave the way for further software supply chain attacks, compromises in software as a service (SaaS) environments, ransomware incidents, extortion events, and cryptocurrency theft in the near future.
TeamPCP's Exploitation of Stolen Secrets
Wiz, a cloud security firm owned by Google, has reported a surge in attacks linked to TeamPCP. Their Customer Incident Response Team (CIRT) has detected that the credentials and secrets acquired through these supply chain compromises have been rapidly utilized to probe victim cloud environments, leading to further data exfiltration.
“The speed of usage suggests that the same threat actors behind the supply chain operations are responsible, although we cannot dismiss the possibility of the secrets being shared with other groups,” said Wiz representatives.
OwnCloud announced last week that it had fallen victim to the Trivy compromise, which has temporarily halted its ability to release new software builds and patches. Similarly, Mercor, a startup working at the intersection of AI and human expertise, confirmed that it was affected by the LiteLLM supply chain attack, noting that it is one of many affected organizations.
Despite claims from the Lapsus$ cyber extortion group about accessing Mercor's databases and source code, the company has not yet disclosed the full extent of the breach.
Evidence linking TeamPCP and Lapsus$ has been documented, including indications from Lapsus$’s Telegram channel that they were aware of TeamPCP’s planned supply chain attacks prior to their execution. Furthermore, TeamPCP appears to have allied with the Vect ransomware-as-a-service operation and is reportedly launching its own RaaS program, CipherForce.
Global Impact of the Axios Compromise
The compromise of the Axios npm library, which is widely used within the JavaScript community, is expected to have a broad and significant impact. Researchers from Tenable have pointed out that with over 100 million weekly downloads across the affected branches, the ramifications of even a three-hour compromise window are substantial.
Palo Alto Networks highlights that this supply chain breach has affected organizations across various global regions, including the US, Europe, the Middle East, South Asia, and Australia. Industries impacted range from financial services to high-tech, retail, insurance, and higher education.
The breach facilitated the installation of a remote access trojan across Windows, macOS, and Linux systems, enabling attackers to conduct system reconnaissance and execute additional malicious payloads and commands.
The North Korean group, designated as UNC1069, has a history of employing social engineering tactics, particularly targeting individuals within cryptocurrency, decentralized finance (DeFi), software, and venture capital firms to install malware. This method aligns with the account provided by the Axios maintainer regarding the compromise of their system.
Historically, UNC1069 has predominantly focused on financially motivated attacks. While its share of cryptocurrency thefts has been less pronounced than that of other groups, it remains an ongoing, financially motivated threat to centralized exchanges, individuals, and institutions.
Source: Help Net Security News