PCPJack Credential Stealer Exploits 5 CVEs to Spread Worm-Like Across Cloud Systems


The PCPJack campaign, as this alert describes it, chains five CVEs to obtain an initial foothold, expand laterally, and persist inside multi-tenant cloud environments. The first stage exploits CVE‑2022‑22965 (Spring4Shell) against Java microservices running Spring MVC or WebFlux on JDK 9+ under Tomcat, where crafted request parameters abuse Spring's data binding to reach the class loader and achieve unauthenticated remote code execution. The payload then escalates to root on the node beneath the container runtime; the alert attributes this step to CVE‑2023‑21628, which it describes as a privilege‑escalation flaw in the Linux kernel's eBPF verifier. With root, the attacker reaches the host's Docker socket and pulls a malicious image containing the PCPJack credential‑stealer binary into the runtime. The alert cites CVE‑2022‑41717 for this step, but that identifier covers excessive memory growth in Go's net/http HTTP/2 server (a denial‑of‑service bug), not unauthenticated image pulls; the Docker socket itself grants image pulls and container creation to anyone who can open it, with no CVE required. Finally, cloud credentials are harvested from the compromised hosts. Here the alert cites CVE‑2023‑0286, which is in fact an OpenSSL X.400 address type‑confusion bug rather than an AWS IAM role‑assumption bypass, and CVE‑2023‑36121, which it describes as Azure Managed Identity token leakage. The worm module then spreads to whatever accounts and regions the stolen credentials can reach, creating new IAM roles and service principals to keep its access.

The worm's core is a modular Go binary that installs itself as a systemd service masquerading as a monitoring agent. Using the stolen tokens, it enumerates compute resources through each provider's API and deploys the malicious container image on every instance found running an outdated container runtime (e.g., Docker 18.x, containerd 1.4). A self‑update channel fetches exploit modules for newly disclosed CVEs in cloud‑native components and appends them to the chain, so the set of exploited flaws grows over time. Combined with the credential harvesting, this lets the malware escalate and spread quickly across heterogeneous workloads. It does not break the provider's tenant isolation; it crosses account and subscription boundaries through harvested credentials and over‑broad cross‑account trust relationships, which is why those trusts are the control point for containing it.

Mitigation requires defense in depth. Patch the affected components: upgrade Spring Framework to 5.3.18 or later (5.2.20 or later on the 5.2 line), or, as the documented interim workaround, register a ControllerAdvice that adds `class.*`, `Class.*`, `*.class.*` and `*.Class.*` to the data binder's disallowed fields; apply your distribution's current kernel updates (the alert recommends 6.1.0 or later for the eBPF verifier fix); and upgrade Go‑based container runtimes and tooling to releases built with Go 1.19.4 / 1.18.9 or later, which carry the CVE‑2022‑41717 fix. Enforce strict IAM policies: remove wildcard principals from role trust policies, require a condition such as sts:ExternalId on cross‑account trusts, enable MFA for all privileged accounts, and apply least privilege to Managed Identity assignments. Never bind‑mount the Docker socket into containers; run rootless Docker where possible, alert on anomalous image pulls, and require signed images (for example Cosign signatures verified by an admission policy) so that unsigned images cannot run. Deploy host‑based intrusion detection that flags new or modified systemd unit files, and segment the network so that intra‑tenant traffic is limited to the ports each workload needs, which shrinks the worm's room to move laterally.
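The trust-policy audit above (wildcard principals, cross-account trusts without a condition) is the kind of check that is easy to script. The following is an added example written for this alert, not code from the PCPJack write-up or from any vendor tool. It works on trust-policy documents already in memory; the four sample policies, the account IDs and the role names are constructed for illustration. In a real audit the documents would come from the IAM API (boto3's `iam.list_roles` returns `AssumeRolePolicyDocument` per role); that call is left out so the script runs offline.

```python
"""Audit IAM role trust policies for over-broad sts:AssumeRole grants.

Added example for this alert, not code from the PCPJack write-up or any
vendor tool. The sample policies and account IDs below are constructed.
"""

# Actions that let a principal obtain the role's credentials.
ASSUME_ACTIONS = {"sts:assumerole", "sts:assumerolewithsaml",
                  "sts:assumerolewithwebidentity", "sts:*", "*"}


def _as_list(value):
    """IAM accepts a scalar or a list in most fields; normalise to a list."""
    return value if isinstance(value, list) else [value]


def _principals(principal):
    """Flatten a Principal element into (type, value) pairs."""
    if principal == "*":
        return [("*", "*")]
    return [(ptype, v) for ptype, vals in principal.items()
            for v in _as_list(vals)]


def audit_trust_policy(role_name, policy, own_accounts=()):
    """Return finding strings for one trust policy; an empty list means clean.

    own_accounts: account IDs under your control. A trust on
    arn:aws:iam::<id>:root for any other account is reported unless the
    statement carries a Condition (e.g. sts:ExternalId).
    """
    findings = []
    for stmt in _as_list(policy.get("Statement", [])):
        if stmt.get("Effect") != "Allow":
            continue
        actions = {a.lower() for a in _as_list(stmt.get("Action", []))}
        if not actions & ASSUME_ACTIONS:
            continue
        cond = stmt.get("Condition", {})
        for ptype, value in _principals(stmt.get("Principal", {})):
            if value == "*":
                # "AWS": "*" means every AWS account; a bare "*" is anonymous.
                suffix = ("no Condition at all" if not cond
                          else f"limited only by Condition {sorted(cond)}")
                findings.append(
                    f"{role_name}: wildcard principal ({ptype}) with {suffix}")
            elif ptype == "AWS" and value.endswith(":root"):
                # arn:aws:iam::<account>:root delegates to every principal
                # in that account that its own policies allow.
                account = value.split(":")[4]
                if account not in own_accounts and not cond:
                    findings.append(
                        f"{role_name}: trusts foreign account {account} "
                        "with no Condition (e.g. sts:ExternalId)")
    return findings


# Constructed sample trust policies (not taken from any real account).
WEAK_PUBLIC = {
    "Version": "2012-10-17",
    "Statement": [{"Effect": "Allow", "Principal": {"AWS": "*"},
                   "Action": "sts:AssumeRole"}],
}
WEAK_CROSS_ACCOUNT = {
    "Version": "2012-10-17",
    "Statement": [{"Effect": "Allow",
                   "Principal": {"AWS": "arn:aws:iam::222222222222:root"},
                   "Action": "sts:AssumeRole"}],
}
HARDENED_CROSS_ACCOUNT = {
    "Version": "2012-10-17",
    "Statement": [{"Effect": "Allow",
                   "Principal": {"AWS": "arn:aws:iam::222222222222:role/Deployer"},
                   "Action": "sts:AssumeRole",
                   "Condition": {"StringEquals": {"sts:ExternalId": "deploy-7f3a"}}}],
}
SERVICE_ROLE = {
    "Version": "2012-10-17",
    "Statement": [{"Effect": "Allow",
                   "Principal": {"Service": "ec2.amazonaws.com"},
                   "Action": "sts:AssumeRole"}],
}


def audit_all(roles, own_accounts=("111111111111",)):
    """Run the audit over a {role_name: policy} mapping."""
    return {name: audit_trust_policy(name, policy, own_accounts)
            for name, policy in roles.items()}


if __name__ == "__main__":
    sample = {"PublicRole": WEAK_PUBLIC, "PartnerRole": WEAK_CROSS_ACCOUNT,
              "DeployRole": HARDENED_CROSS_ACCOUNT, "Ec2Role": SERVICE_ROLE}
    for role, issues in audit_all(sample).items():
        print(role, "clean" if not issues else "")
        for issue in issues:
            print("  -", issue)
```

The check deliberately treats a trust on your own account's root as acceptable, because that pattern delegates access control to the identity policies inside the account; the dangerous cases for the propagation described above are the wildcard and the unconditioned foreign-account trusts, which let credentials stolen anywhere assume the role.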
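The Docker-socket and image controls above can be checked against what is actually running on a host. The following is an added example written for this alert, not code from the PCPJack write-up or from Docker. It reads records in the shape `docker inspect` prints (a JSON list of container objects) and flags the conditions the alert warns about: the runtime socket mounted into a container, `--privileged`, host PID namespace, and images not pinned to a digest. The two sample records are constructed; digest pinning is used here as a cheap stand-in for the signature verification that Cosign and an admission policy would provide.

```python
"""Flag containers that expose the host runtime socket or run unpinned images.

Added example for this alert, not code from the PCPJack write-up or from
Docker. Input is the JSON list that `docker inspect <ids>` prints; the
sample records below are constructed.
"""
import json
import sys

# Sockets that hand out full control of the container runtime.
SOCKET_NAMES = ("docker.sock", "containerd.sock")


def inspect_record(rec):
    """Return finding strings for one container record (empty = clean)."""
    name = rec.get("Name", "?").lstrip("/")
    host = rec.get("HostConfig", {}) or {}
    findings = []

    # Mounts is the normalised view (covers both -v and --mount); Binds is
    # the raw -v list. Check both and deduplicate, since either may be absent.
    sources = {m.get("Source", "") for m in rec.get("Mounts", []) or []}
    sources |= {b.split(":", 1)[0] for b in host.get("Binds", []) or []}
    for src in sorted(sources):
        if src.endswith(SOCKET_NAMES):
            findings.append(f"{name}: runtime socket {src} mounted into container")

    if host.get("Privileged"):
        findings.append(f"{name}: runs --privileged")
    if host.get("PidMode") == "host":
        findings.append(f"{name}: shares the host PID namespace")

    image = (rec.get("Config", {}) or {}).get("Image", "")
    if "@sha256:" not in image:
        findings.append(f"{name}: image {image!r} not pinned to a digest")
    return findings


def scan(records):
    """Map container name -> findings for a list of inspect records."""
    return {rec.get("Name", "?").lstrip("/"): inspect_record(rec)
            for rec in records}


# Constructed sample records in `docker inspect` shape (trimmed to the
# fields used above). The agent record mirrors the masquerade described
# in the alert: a "monitoring agent" with the Docker socket and --privileged.
SAMPLE_RECORDS = [
    {"Name": "/node-exporter",
     "Config": {"Image": "prom/node-exporter@sha256:" + "0" * 64},
     "HostConfig": {"Binds": ["/proc:/host/proc:ro"], "Privileged": False},
     "Mounts": [{"Type": "bind", "Source": "/proc", "Destination": "/host/proc"}]},
    {"Name": "/monitoring-agent",
     "Config": {"Image": "registry.example/agent:latest"},
     "HostConfig": {"Binds": ["/var/run/docker.sock:/var/run/docker.sock"],
                    "Privileged": True},
     "Mounts": [{"Type": "bind", "Source": "/var/run/docker.sock",
                 "Destination": "/var/run/docker.sock"}]},
]


if __name__ == "__main__":
    # Live use: docker inspect $(docker ps -q) | python3 this_script.py
    records = SAMPLE_RECORDS if sys.stdin.isatty() else json.load(sys.stdin)
    for cname, issues in scan(records).items():
        print(cname, "clean" if not issues else "")
        for issue in issues:
            print("  -", issue)
```

A hit on the socket check is the condition to treat as urgent: a process inside that container can pull any image and start a new container with the host filesystem mounted, which is exactly the step the alert describes after root is obtained.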
