The European Union’s Cybersecurity Service (CERT-EU) has attributed the European Commission cloud hack to the TeamPCP threat group, saying the resulting breach exposed the data of at least 29 other Union entities.
The European Commission publicly disclosed the incident on March 27 after BleepingComputer reached out for confirmation that the Amazon cloud environment of the European Union’s main executive body had been breached.
Two days earlier, the Commission notified CERT-EU of the hack, saying that its Cybersecurity Operations Centre was not alerted to API misuse, potential account compromise, or any abnormal network traffic until March 24, five days after the initial intrusion.
On March 10, TeamPCP used a compromised Amazon Web Services API key with management rights over other European Commission AWS accounts (stolen in the Trivy supply-chain attack) to breach the Commission’s Amazon cloud environment.
In the next stage of the attack, they used TruffleHog (a tool for scanning and validating cloud credentials) to search for additional secrets, then attached a newly created access key to an existing user to evade detection before conducting further reconnaissance and stealing data.
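The persistence step described above, a new access key attached to an existing user, leaves a `CreateAccessKey` record in CloudTrail in which the caller differs from the key's owner. The following detection sketch is an added example, not code from CERT-EU or the original report; the sample records are constructed and the function names are hypothetical.

```python
# Added example. Sample CloudTrail records are constructed; users, IPs and key
# IDs are placeholders, and the function names are hypothetical.
def make_event(actor, requested_user, key_owner, key_id, error=None):
    return {
        "eventTime": "2026-01-01T09:00:00Z", "eventSource": "iam.amazonaws.com",
        "eventName": "CreateAccessKey", "sourceIPAddress": "198.51.100.7",
        "userIdentity": {"type": "IAMUser", "userName": actor},
        # requestParameters may be null when a user creates a key for themselves
        "requestParameters": {"userName": requested_user} if requested_user else None,
        "responseElements": None if error else
            {"accessKey": {"userName": key_owner, "accessKeyId": key_id}},
        **({"errorCode": error} if error else {}),
    }

SAMPLE_EVENTS = [
    make_event("alice", None, "alice", "AKIAEXAMPLEKEY000001"),  # self-rotation
    make_event("ci-deployer", "web-backup", "web-backup", "AKIAEXAMPLEKEY000002"),
    make_event("ci-deployer", "admin", None, None, error="AccessDenied"),  # denied
]

def actor_name(identity):
    """IAM user name, or the role name behind an assumed-role session."""
    if identity.get("type") == "AssumedRole":
        issuer = identity.get("sessionContext", {}).get("sessionIssuer", {})
        return issuer.get("userName")
    return identity.get("userName")

def find_cross_user_key_creation(events):
    """Return successful CreateAccessKey calls whose caller is not the key's owner."""
    findings = []
    for ev in events:
        if (ev.get("eventSource"), ev.get("eventName")) != ("iam.amazonaws.com", "CreateAccessKey"):
            continue
        if ev.get("errorCode"):
            continue  # the call failed, so no key was issued
        key = (ev.get("responseElements") or {}).get("accessKey", {})
        target = (ev.get("requestParameters") or {}).get("userName") or key.get("userName")
        actor = actor_name(ev.get("userIdentity", {}))
        if target and actor != target:
            findings.append({"time": ev["eventTime"], "actor": actor, "target": target,
                             "key_id": key.get("accessKeyId"),
                             "source_ip": ev.get("sourceIPAddress")})
    return findings

if __name__ == "__main__":
    for finding in find_cross_user_key_creation(SAMPLE_EVENTS):
        print(finding)
```

Legitimate provisioning automation also creates keys for other users, so the findings are best compared against a list of principals expected to do so.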
TeamPCP has been linked to supply-chain attacks targeting multiple other developer code platforms, such as GitHub, PyPI, NPM, and Docker.
The cybercrime gang has also compromised the LiteLLM PyPI package in an attack that impacted tens of thousands of devices using its “TeamPCP Cloud Stealer” information-stealing malware.
Data leaked on the dark web by ShinyHunters
On March 28, data extortion group ShinyHunters published the stolen dataset on their dark web leak site as a 90GB archive of documents (roughly 340GB uncompressed), containing names, email addresses, and email content.
CERT-EU’s analysis confirmed that the threat actors have stolen tens of thousands of files containing personal information, usernames, email addresses, and email content, and that the resulting data breach potentially impacts 42 internal European Commission clients and at least 29 other Union entities using the europa.eu web hosting service.

“The threat actor used the compromised AWS secret to exfiltrate data from the affected cloud environment. The exfiltrated data pertains to websites hosted for up to 71 clients of the Europa web hosting service: 42 internal clients of the European Commission, and at least 29 other Union entities,” CERT-EU said on Thursday.
“Analysis of the published dataset has so far confirmed the presence of personal data, including lists of names, last names, usernames, and email addresses, predominantly from the European Commission’s websites but potentially pertaining to users across multiple Union entities,” it added.
“The dataset also contains at least 51,992 files related to outbound email communications, totalling 2.22 GB. The majority of these are automated notifications with little to no content. However, ‘bounce-back’ notifications, which are responses to incoming messages from users, may contain the original user-submitted content, posing a risk of personal data exposure.”
CERT-EU added that no websites were taken offline as a result of this incident or tampered with, and no lateral movement to other Commission AWS accounts has been detected.
While the analysis of exfiltrated databases and files is ongoing and will likely require “a substantial period of time,” the Commission has notified relevant data protection authorities and is in direct communication with affected entities.
In February, the European Commission disclosed another data breach after discovering that a mobile device management platform used to manage staff’s devices had been hacked.




