Full Report
TeamPCP continues its string of supply chain attacks and has announced a partnership with the Vect ransomware group. Source: "Weaponizing the Protectors: TeamPCP's Multi-Stage Supply Chain Attack on Security Infrastructure", published by Unit 42.
Analysis Summary
# Threat Actor: TeamPCP
## Attribution & Identity
* **Name:** TeamPCP
* **Aliases:** None officially confirmed, but demonstrates operational overlap with diverse cybercriminal elements.
* **Associations:** Recently announced a partnership/collaboration with the **Vect ransomware group**.
* **Profile:** A sophisticated threat actor group specializing in multi-stage supply chain attacks, often leveraging trusted software to gain initial access.
## Activity Summary
* **Security Infrastructure Attack:** The actor launched a complex supply chain campaign targeting security-related software.
* **Partnership Expansion:** Formally allied with the Vect ransomware group to monetize access gained through their supply chain compromises.
* **Persistent Operations:** Continuing a "string of supply chain attacks," indicating a long-term strategy of weaponizing the software development lifecycle.
## Tactics, Techniques & Procedures
* **Supply Chain Compromise:** Injection of malicious code into legitimate security infrastructure software (MITRE T1195.002).
* **Multi-Stage Execution:** Use of a multi-tiered infection chain to deliver payloads and evade detection.
* **Credential Harvesting:** Stealing sensitive information and credentials from compromised environments.
* **Ransomware Deployment:** Leveraging their partnership with Vect for final-stage encryption and extortion.
* **Weaponizing Trusted Tools:** Using the inherent permissions of security tools to move laterally and bypass defensive layers.
## Targeting
* **Sectors:** Security software vendors, cybersecurity infrastructure providers, and Managed Service Providers (MSPs).
* **Geography:** Global (implied by the nature of software supply chain attacks).
* **Victims:** Organizations utilizing specific, targeted security monitoring or protection software.
## Tools & Infrastructure
* **Malware Families:** Custom loaders, TeamPCP-specific supply chain implants, and **Vect Ransomware**.
* **Infrastructure:**
  * C2 Frameworks: Custom command-and-control servers integrated into the compromised software's communication channels.
  * Defanged IOC Examples:
    * `hxxp[:]//teampcp[.]com`
    * `hxxps[:]//vectgroup[.]top`
    * `185[.]225[.]74[.]121` (Associated C2)
## Implications
* **Trust Erosion:** By targeting "the protectors" (security software), TeamPCP compromises the very tools designed to defend the enterprise.
* **Extortion Escalation:** The partnership with Vect suggests a transition from pure data theft to high-impact financial extortion.
* **Increased Reach:** A single successful supply chain compromise allows the actor to scale their attack to hundreds or thousands of downstream victims simultaneously.
## Mitigations
* **Software Composition Analysis (SCA):** Regularly audit third-party libraries and security tools for unauthorized changes or unexpected code blocks.
* **Integrity Verification:** Implement strict code-signing requirements and monitor for changes in the hashes of installed security binaries.
* **Principle of Least Privilege:** Limit the service account permissions of security tools to the minimum required for operation.
* **Network Segmentation:** Isolate security management servers from the general production environment to prevent lateral movement following a supply chain breach.
* **Endpoint Detection and Response (EDR):** Monitor for anomalous child processes originating from trusted security software (e.g., a security agent launching PowerShell or Cmd).
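The integrity-verification and EDR items above, turned into working checks as an added example (not code from Unit 42 or from any vendor product): a hash-baseline drift check over installed security binaries and a rule that flags a security-agent parent spawning a shell. Every path, hash, process name and log line is constructed for illustration.

```python
"""Added example, not from the Unit 42 report: the hash-baseline and
shell-child checks from the mitigations list. Every path, hash and log
line below is constructed for illustration."""
import hashlib

# Constructed install-time baseline: path -> expected SHA-256.
BASELINE = {
    "/opt/secagent/bin/agentd": hashlib.sha256(b"agentd v1.0").hexdigest(),
    "/opt/secagent/bin/updater": hashlib.sha256(b"updater v1.0").hexdigest(),
}
SECURITY_PARENTS = {"agentd", "updater"}  # trusted security-agent processes
SHELL_CHILDREN = {"powershell.exe", "pwsh", "cmd.exe", "sh", "bash"}

# Constructed current on-disk contents: the updater has been replaced.
OBSERVED = {
    "/opt/secagent/bin/agentd": b"agentd v1.0",
    "/opt/secagent/bin/updater": b"updater v1.0 + implant",
}
# Constructed process-creation log, one 'k=v|k=v' event per line.
SAMPLE_LOG = [
    "parent=agentd|child=agentd-helper|cmd=agentd-helper --scan",
    "parent=updater|child=powershell.exe|cmd=powershell.exe -nop -c Get-Process",
    "parent=explorer.exe|child=cmd.exe|cmd=cmd /c dir",
]


def integrity_drift(baseline, observed):
    """Paths whose on-disk hash no longer matches the baseline.
    A missing file hashes as empty bytes, so it drifts too."""
    return [
        path for path, expected in baseline.items()
        if hashlib.sha256(observed.get(path, b"")).hexdigest() != expected
    ]


def parse_event(line):
    """Split 'k=v|k=v' into a dict; values may themselves contain '='."""
    return dict(part.split("=", 1) for part in line.strip().split("|"))


def suspicious_children(lines):
    """Events where a security-agent parent spawns a shell interpreter.
    explorer.exe -> cmd.exe is not flagged: the parent is not a security tool."""
    alerts = []
    for line in lines:
        ev = parse_event(line)
        if ev["parent"] in SECURITY_PARENTS and ev["child"] in SHELL_CHILDREN:
            alerts.append((ev["parent"], ev["child"], ev["cmd"]))
    return alerts
```

Calling `integrity_drift(BASELINE, OBSERVED)` reports only the replaced updater binary, and `suspicious_children(SAMPLE_LOG)` yields the single updater-to-PowerShell event; in a real deployment the baseline would come from signed package metadata and the events from the EDR's process-creation telemetry.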