Hackers Exploit Containerized Environments to Steal Proprietary Data and Software

March 2, 2023 | Rabbi Lakshmanan | Container Security / Cyber Threat

A sophisticated attack campaign called scarlet targets containerized environments to steal proprietary data and software.

In a new report, Sysdig states, “Attackers exploited containerized workloads, leveraging them to perform privilege escalation to AWS accounts and steal their own software and credentials.”

The advanced cloud attack also involved the deployment of cryptocurrency miner software. According to the cybersecurity firm, this is either an attempt to generate illicit profit or a ploy to distract defenders and throw them off the trail.

The initial infection vector was the exploitation of a vulnerable service exposed on a self-managed Kubernetes cluster hosted on Amazon Web Services (AWS).

After gaining a foothold, the attackers launched the XMRig crypto miner and used a bash script to obtain credentials. These credentials can be used to move further into the AWS cloud infrastructure and exfiltrate sensitive data.

“Either cryptocurrency mining was the attacker’s original goal and that goal changed after gaining access to the victim’s environment, or cryptocurrency mining was used as a decoy to evade data exfiltration detection,” said the company.

During the intrusion, CloudTrail logs were disabled to minimize the digital footprint and prevent Sysdig from accessing additional evidence. Overall, the attackers had access to over 1 TB of data, including customer scripts, troubleshooting tools, and log files.
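
A defender-side sketch of how the CloudTrail tampering described above can be spotted, added here as an example and not taken from Sysdig's report. It scans CloudTrail records for calls that stop or narrow logging and rates them higher when the caller is an EC2 instance-role session, on the assumption that credentials harvested from a workload are of that kind; the sample records, account ID, role name and severity labels are constructed.

```python
import json

# CloudTrail API calls that stop logging or narrow what a trail records.
TAMPERING_EVENTS = {"StopLogging", "DeleteTrail", "UpdateTrail", "PutEventSelectors"}

# Constructed sample records; account, role, instance ID and IPs are placeholders.
ROLE = "arn:aws:sts::111122223333:assumed-role/k8s-node-role/i-0123456789abcdef0"
TRAIL = "arn:aws:cloudtrail:us-east-1:111122223333:trail/management-events"
SAMPLE_LOG = json.dumps({"Records": [
    {"eventTime": "2023-01-10T08:14:02Z", "eventSource": "cloudtrail.amazonaws.com",
     "eventName": "DescribeTrails", "sourceIPAddress": "203.0.113.7",
     "userIdentity": {"type": "AssumedRole", "arn": ROLE}},
    {"eventTime": "2023-01-10T08:15:40Z", "eventSource": "cloudtrail.amazonaws.com",
     "eventName": "StopLogging", "sourceIPAddress": "203.0.113.7",
     "userIdentity": {"type": "AssumedRole", "arn": ROLE},
     "requestParameters": {"name": TRAIL}},
    {"eventTime": "2023-01-11T13:02:19Z", "eventSource": "cloudtrail.amazonaws.com",
     "eventName": "PutEventSelectors", "sourceIPAddress": "198.51.100.20",
     "userIdentity": {"type": "IAMUser", "arn": "arn:aws:iam::111122223333:user/ops-admin"},
     "requestParameters": {"trailName": "management-events"}},
]})

def is_instance_role_session(identity):
    """EC2 instance-profile credentials use the instance ID as the session name."""
    session = identity.get("arn", "").rsplit("/", 1)[-1]
    return identity.get("type") == "AssumedRole" and session.startswith("i-")

def find_trail_tampering(raw_log):
    """Return one finding per CloudTrail-tampering call, including denied attempts."""
    findings = []
    for rec in json.loads(raw_log).get("Records", []):
        src, name = rec.get("eventSource"), rec.get("eventName")
        if src != "cloudtrail.amazonaws.com" or name not in TAMPERING_EVENTS:
            continue
        identity = rec.get("userIdentity") or {}
        params = rec.get("requestParameters") or {}
        findings.append({
            "time": rec.get("eventTime"),
            "action": name,
            "trail": params.get("name") or params.get("trailName"),
            "caller": identity.get("arn"),
            "source_ip": rec.get("sourceIPAddress"),
            "denied": "errorCode" in rec,
            # Assumed triage rule: a workload's instance role should never touch trails.
            "severity": "high" if is_instance_role_session(identity) else "medium",
        })
    return findings

if __name__ == "__main__":
    print(json.dumps(find_trail_tampering(SAMPLE_LOG), indent=2))
```

Because the trail being stopped may be the only record of later activity, findings like these are best forwarded to a destination outside the account that produced them.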

“They also used Terraform state files to pivot to other connected AWS accounts to try to reach across the organization,” the company said. However, this turned out to be unsuccessful due to lack of permissions.

The findings come a few weeks after Sysdig detailed another cryptojacking campaign, staged by the 8220 gang between November 2022 and January 2023, targeting exploitable Apache web servers and Oracle Weblogic applications.
