SCARLETEEL Cryptojacking Campaign Exploiting AWS Fargate in Ongoing Campaign

July 11, 2023 | THN | Cryptocurrency / Cloud Security


Cloud environments continue to be the target of an ongoing advanced attack campaign called SCARLETEEL, with threat actors now targeting Amazon Web Services (AWS) Fargate.

In a new report shared with The Hacker News, Sysdig security researcher Alessandro Brucato said, “Cloud environments remain their primary target, but the tools and techniques used are more resilient. It’s adapted to bypass new security measures, along with a stealthy command and control architecture.”

SCARLETEEL was first exposed by a cybersecurity firm in February 2023 and proved sophisticated enough to result in the theft of proprietary data from AWS infrastructure and the deployment of cryptocurrency miners to illegally profit from the resources of compromised systems. The attack chain was detailed at the time.

A follow-up analysis by Cado Security revealed a potential connection to a prolific cryptojacking group known as TeamTNT, but Sysdig told The Hacker News that “someone has figured out their methodology and attack patterns. It may have been copied.”

The latest activity continues the trend of attackers targeting AWS accounts by exploiting vulnerable public web applications, with the ultimate goal of gaining persistence, stealing intellectual property, and deploying cryptocurrency miners that can generate as much as $4,000 in revenue per day.

“The attacker discovered and exploited a mistake in the AWS policy to elevate privileges to AdministratorAccess and gain control of an account, after which they could do whatever they wanted,” Brucato explained.
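As an added, defender-side illustration (not code from the article or from Sysdig), the following Python check scans CloudTrail-style records for IAM policy attachments that grant AdministratorAccess, the escalation the report describes, and marks whether the actor was a workload (task) role session; the records, account id, role and user names are constructed placeholders.

```python
# Constructed CloudTrail-style records for illustration; the account id, role
# and user names are placeholders, not indicators from the page or the report.
ADMIN_POLICY_ARN = "arn:aws:iam::aws:policy/AdministratorAccess"
POLICY_ATTACH_EVENTS = {"AttachUserPolicy", "AttachRolePolicy", "AttachGroupPolicy"}
# Assumed naming for roles that workloads (e.g. Fargate tasks) run under;
# such a role should never be the actor of an IAM policy attachment.
WORKLOAD_ROLE_NAMES = {"fargate-task-role"}
TASK_SESSION = "arn:aws:sts::111122223333:assumed-role/fargate-task-role/s1"
HUMAN_USER = "arn:aws:iam::111122223333:user/alice"

SAMPLE_TRAIL = [
    {"eventName": "GetCallerIdentity", "userIdentity": {"arn": TASK_SESSION}},
    {"eventName": "AttachUserPolicy", "userIdentity": {"arn": TASK_SESSION},
     "requestParameters": {"userName": "backup-svc", "policyArn": ADMIN_POLICY_ARN}},
    {"eventName": "AttachRolePolicy", "userIdentity": {"arn": HUMAN_USER},
     "requestParameters": {"roleName": "reporting",
                           "policyArn": "arn:aws:iam::aws:policy/ReadOnlyAccess"}},
    {"eventName": "AttachUserPolicy", "userIdentity": {"arn": HUMAN_USER},
     "requestParameters": {"userName": "alice", "policyArn": ADMIN_POLICY_ARN},
     "errorCode": "AccessDenied"},
]


def session_role_name(identity_arn):
    """Role name of an assumed-role session ARN, or None for other principals."""
    marker = ":assumed-role/"
    if marker not in identity_arn:
        return None
    return identity_arn.split(marker, 1)[1].split("/", 1)[0]


def find_admin_escalations(records):
    """Flag every policy attachment that grants AdministratorAccess.

    Denied attempts are kept (succeeded=False): a failed escalation is still a
    signal. Exfiltration to a non-AWS S3-compatible endpoint, as the article
    describes, produces no CloudTrail record at all and is out of scope here.
    """
    alerts = []
    for rec in records:
        params = rec.get("requestParameters") or {}
        if (rec.get("eventName") not in POLICY_ATTACH_EVENTS
                or params.get("policyArn") != ADMIN_POLICY_ARN):
            continue
        actor = rec.get("userIdentity", {}).get("arn", "")
        alerts.append({
            "event": rec["eventName"],
            "actor": actor,
            "target": params.get("userName") or params.get("roleName")
                      or params.get("groupName"),
            "succeeded": "errorCode" not in rec,
            "actor_is_workload_role": session_role_name(actor) in WORKLOAD_ROLE_NAMES,
        })
    return alerts
```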


It all started with the attackers abusing a JupyterLab notebook container deployed in a Kubernetes cluster, using their initial foothold to conduct reconnaissance of the target network, collect AWS credentials, and gain deeper access to the victim’s environment.

The attackers then installed the AWS command line tools and an exploitation framework called Pacu for subsequent exploitation. The attack is also notable for its use of various shell scripts to obtain AWS credentials, some of which target AWS Fargate compute engine instances.

“We observed an attacker using an AWS client to connect to a Russian system compatible with the S3 protocol,” Brucato said, adding that the SCARLETEEL attacker is believed to have used stealth techniques so that the data exfiltration would not be logged in CloudTrail.


Other steps taken by the attackers included the use of a Kubernetes penetration testing tool known as Peirates to exploit container orchestration systems and of a DDoS botnet malware called Pandora, which points to further attempts to monetize the host.

“SCARLETEEL actors continue to operate against targets on clouds such as AWS and Kubernetes,” said Brucato. “Their preferred method of intrusion is the exploitation of open computing services and vulnerable applications. While the focus continues to be on financial gain from cryptocurrency mining, […] intellectual property remains a priority.”
