Overview
- SentinelOne disclosed Thursday that a new framework called PCPJack breaks into already-compromised cloud hosts, removes TeamPCP’s tooling to take over the machine, and reports each successful eviction back to its command-and-control infrastructure.
- The malware spreads like a worm across exposed services such as Docker, Kubernetes, Redis, MongoDB, and RayML, and it exploits five known vulnerabilities, including the React/Next.js “React2Shell” deserialization bug, a Next.js authentication bypass, and flaws in WPVivid Backup, W3 Total Cache, and CentOS Web Panel.
- It finds fresh targets by pulling hostnames from public Common Crawl datasets and by refreshing the published IP ranges of AWS, Google Cloud, Azure, and major CDNs each day, then scanning those ranges for open services.
- Once in, PCPJack harvests secrets for cloud, developer, database, and financial tools, encrypts the collected data with an X25519 key exchange and ChaCha20-Poly1305, and sends it in small chunks to attacker-run Telegram channels.
- Researchers recommend enforcing multi-factor authentication, requiring IMDSv2 on AWS EC2 instances, requiring authentication on the Docker and Kubernetes APIs, applying least-privilege access, and never storing secrets in plain text.
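Two of the recommended hardening steps, IMDSv2 enforcement and authenticated Docker API access, can be audited from configuration data alone. The script below is an added example and is not SentinelOne's code or part of any reported tooling; it runs an IMDSv1 check over a constructed sample shaped like `aws ec2 describe-instances` output, builds the AWS CLI remediation commands, and flags a constructed Docker `daemon.json` that exposes the API over TCP without mutual TLS. The instance IDs and file contents are made up for illustration.

```python
"""Audit helpers for IMDSv2 and Docker API hardening (added example, not the
article's or any vendor's code). All input data below is constructed."""
import json

# Constructed sample shaped like `aws ec2 describe-instances` JSON output.
SAMPLE_DESCRIBE_INSTANCES = {
    "Reservations": [
        {"Instances": [
            {"InstanceId": "i-0aaa111example",
             "MetadataOptions": {"HttpEndpoint": "enabled",
                                 "HttpTokens": "optional",
                                 "HttpPutResponseHopLimit": 2}},
            {"InstanceId": "i-0bbb222example",
             "MetadataOptions": {"HttpEndpoint": "enabled",
                                 "HttpTokens": "required",
                                 "HttpPutResponseHopLimit": 1}},
            {"InstanceId": "i-0ccc333example",
             "MetadataOptions": {"HttpEndpoint": "disabled",
                                 "HttpTokens": "optional",
                                 "HttpPutResponseHopLimit": 1}},
        ]}
    ]
}

# Constructed daemon.json that publishes the Docker API on all interfaces
# with no TLS client verification.
SAMPLE_DAEMON_JSON = json.dumps({
    "hosts": ["unix:///var/run/docker.sock", "tcp://0.0.0.0:2375"]
})


def imdsv1_exposed_instances(describe_output):
    """Return instance IDs whose metadata endpoint is enabled but still accepts
    IMDSv1 requests (HttpTokens != "required"). A disabled endpoint is not
    reachable at all, so it is not reported."""
    exposed = []
    for reservation in describe_output.get("Reservations", []):
        for inst in reservation.get("Instances", []):
            opts = inst.get("MetadataOptions", {})
            if opts.get("HttpEndpoint") == "enabled" and opts.get("HttpTokens") != "required":
                exposed.append(inst["InstanceId"])
    return exposed


def imdsv2_enforce_commands(instance_ids, hop_limit=1):
    """Build the AWS CLI commands that make each instance IMDSv2-only.
    A hop limit of 1 keeps metadata responses from crossing an extra network
    hop, which blocks containers on a bridged network from reaching IMDS."""
    return [
        f"aws ec2 modify-instance-metadata-options --instance-id {iid} "
        f"--http-tokens required --http-endpoint enabled "
        f"--http-put-response-hop-limit {hop_limit}"
        for iid in instance_ids
    ]


def docker_daemon_findings(daemon_json_text):
    """Flag a Docker daemon.json that exposes the API over TCP without
    client-certificate verification. An unauthenticated Docker TCP listener
    is equivalent to root on the host."""
    cfg = json.loads(daemon_json_text)
    findings = []
    tcp_hosts = [h for h in cfg.get("hosts", []) if h.startswith("tcp://")]
    if tcp_hosts and not cfg.get("tlsverify"):
        findings.append(
            f"TCP API listener {tcp_hosts} without tlsverify: set tlsverify "
            "with tlscacert/tlscert/tlskey, or remove the tcp:// host entry"
        )
    return findings


if __name__ == "__main__":
    exposed = imdsv1_exposed_instances(SAMPLE_DESCRIBE_INSTANCES)
    print("Instances still accepting IMDSv1:", exposed)
    for cmd in imdsv2_enforce_commands(exposed):
        print("  ", cmd)
    for finding in docker_daemon_findings(SAMPLE_DAEMON_JSON):
        print("Docker:", finding)
```

In practice the `describe-instances` JSON would come from `aws ec2 describe-instances --output json` and the daemon configuration from `/etc/docker/daemon.json`; the functions are pure so they can be pointed at real output without changing the checks.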