PCPJack Hijacks 230 AWS, Google Cloud, and Azure Servers for Covert SMTP Relay Network
Summary
A threat actor named PCPJack has compromised approximately 230 AWS, Google Cloud, and Azure servers to establish a covert SMTP email relay network. These compromised business servers were used to relay emails, with the network syncing to a downstream consumer every five minutes.
IFF Assessment
This incident highlights a sophisticated method of exploiting cloud infrastructure for malicious purposes, posing a significant threat to organizations relying on these platforms.
Defender Context
This incident underscores the need for robust cloud security posture management and continuous monitoring to detect unauthorized server usage and unauthorized email relay activity. Defenders should pay close attention to unusual network traffic patterns and outbound email volumes from their cloud environments, particularly outbound SMTP connections from hosts that have no business reason to send mail.
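As an added illustration of the monitoring recommended above (example code written for this page, not from the original report or any vendor tool), the following Python script scans constructed AWS VPC flow log records and flags hosts that open accepted outbound SMTP connections to several distinct destinations inside a 300-second window, the cadence reported for the relay network. The log layout is the VPC flow log v2 default; the addresses, thresholds and interface ids are assumptions for the example.

```python
"""Flag cloud hosts that look like outbound SMTP relays, from VPC flow logs."""
from collections import defaultdict

SMTP_PORTS = {25, 465, 587}  # plain, implicit-TLS and submission ports

# Constructed sample records (not real traffic) in the AWS VPC flow log v2 layout:
# version account-id interface-id srcaddr dstaddr srcport dstport protocol
# packets bytes start end action log-status
SAMPLE_FLOW_LOGS = """\
2 123456789012 eni-0a1b 10.0.1.10 198.51.100.5 44211 25 6 20 2100 1700000000 1700000030 ACCEPT OK
2 123456789012 eni-0a1b 10.0.1.10 198.51.100.9 44212 25 6 18 1900 1700000010 1700000040 ACCEPT OK
2 123456789012 eni-0a1b 10.0.1.10 203.0.113.7 44213 587 6 22 2300 1700000020 1700000050 ACCEPT OK
2 123456789012 eni-0a1b 10.0.1.10 203.0.113.8 44214 25 6 25 2600 1700000030 1700000060 ACCEPT OK
2 123456789012 eni-0a1b 10.0.1.10 198.51.100.5 44215 25 6 21 2200 1700000310 1700000340 ACCEPT OK
2 123456789012 eni-0c2d 10.0.1.20 203.0.113.50 51000 443 6 40 8000 1700000005 1700000035 ACCEPT OK
2 123456789012 eni-0c2d 10.0.1.20 198.51.100.5 51001 25 6 10 1000 1700000015 1700000045 ACCEPT OK
2 123456789012 eni-0e3f 10.0.1.30 198.51.100.5 60000 25 6 0 0 1700000018 1700000048 REJECT OK
"""


def parse_flow_logs(text):
    """Yield (srcaddr, dstaddr, dstport, start, action) for each well-formed record."""
    for line in text.splitlines():
        f = line.split()
        if len(f) < 14 or f[0] != "2":  # skip headers, blanks, unknown versions
            continue
        yield f[3], f[4], int(f[6]), int(f[10]), f[12]


def find_smtp_relay_candidates(text, window=300, min_dests=3):
    """Bucket accepted outbound SMTP flows per source into fixed windows
    (default 300 s) and return {srcaddr: peak distinct SMTP destinations in
    any one window} for sources reaching at least min_dests destinations."""
    dests = defaultdict(set)  # (src, window_start) -> set of destinations
    for src, dst, port, start, action in parse_flow_logs(text):
        if action != "ACCEPT" or port not in SMTP_PORTS:
            continue  # blocked flows and non-mail traffic do not count
        dests[(src, start - start % window)].add(dst)
    peak = defaultdict(int)
    for (src, _), ds in dests.items():
        peak[src] = max(peak[src], len(ds))
    return {src: n for src, n in peak.items() if n >= min_dests}


if __name__ == "__main__":
    for src, n in find_smtp_relay_candidates(SAMPLE_FLOW_LOGS).items():
        print(f"{src}: {n} distinct SMTP destinations in one 300 s window")
```

In production the threshold should be tuned per environment, and hosts with a legitimate mail role (a known MTA or a relay to a configured provider) should be allow-listed before alerting.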