Sysdig, a cybersecurity intelligence firm, has discovered a sophisticated hacking operation dubbed SCARLETEEL, which targets public-facing web apps running in containers to infiltrate cloud services and steal sensitive data.
While the attackers deployed cryptominers in the compromised cloud environments, Sysdig believes that cryptojacking was used as a decoy for the threat actors’ real purpose, which was the theft of proprietary software. SCARLETEEL attacks begin with exploiting a vulnerable public-facing service in a self-managed Kubernetes cluster hosted on Amazon Web Services (AWS).
Once inside the container, the attackers download an XMRig coinminer, believed to be a decoy, and a script that harvests the AWS credentials available to the Kubernetes pod. With those credentials they make AWS API calls to establish persistence, either by stealing further credentials or by creating backdoor IAM users and groups in the company's cloud account.
These accounts were then used to move further through the cloud environment. How far that gets them depends on the AWS cluster role configuration: if the role the cluster runs under is permissive, the attackers can also reach Lambda information, such as function code, configurations, and access keys.
Next, the attacker enumerates the Lambda functions and retrieves their code, execution keys and configuration, including each function's environment variables. Environment variables are a common place for developers to leave IAM user credentials, so any found there feed the next round of enumeration and privilege escalation.
S3 bucket enumeration also occurs at this stage, since files stored in buckets often hold data of value to an attacker, such as account credentials. According to Sysdig's report, the attackers retrieved and read over 1 TB of information during this attack, including customer scripts, troubleshooting tools, and logging files.
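The chain described above (temporary credentials from a pod, backdoor IAM user creation, then Lambda and S3 enumeration) leaves a distinctive sequence in CloudTrail. The following is an added detection example written for this article, not code from Sysdig or from the SCARLETEEL report. It reads CloudTrail-shaped records, attributes anything done by a freshly created IAM user back to the principal that created it, and flags a principal whose activity spans persistence plus at least one enumeration stage within a short window. The event records, account ID, role and user names, and bucket and function names are all constructed for the example.

```python
"""
Added example (not from the original article or Sysdig's report):
correlate a persistence -> Lambda/S3 enumeration chain in CloudTrail events.
All sample events below are constructed; field names follow CloudTrail's schema.
"""
import json
from collections import defaultdict
from datetime import datetime, timedelta, timezone

# CloudTrail eventNames grouped by the attack stage they indicate
STAGES = {
    "persistence": {"CreateUser", "CreateAccessKey", "CreateLoginProfile",
                    "AttachUserPolicy", "CreateGroup", "AddUserToGroup"},
    "lambda_enum": {"ListFunctions", "GetFunction", "GetFunctionConfiguration"},
    "s3_enum": {"ListBuckets", "ListObjectsV2", "GetObject"},
}


def parse_time(s):
    """CloudTrail eventTime is ISO 8601 in UTC, e.g. 2023-02-01T10:02:00Z."""
    return datetime.strptime(s, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def correlate(events):
    """Group stage-relevant events by the credential they ultimately came from.

    Activity by an IAM user is attributed to whichever principal created that
    user, so the node-role session and the backdoor it created form one cluster.
    """
    events = sorted(events, key=lambda e: parse_time(e["eventTime"]))
    creator_of_user = {}           # backdoor userName -> creating principal arn
    clusters = defaultdict(list)   # root principal arn -> [(time, stage, eventName)]
    for ev in events:
        ident = ev["userIdentity"]
        root = ident["arn"]
        if ident.get("type") == "IAMUser" and ident.get("userName") in creator_of_user:
            root = creator_of_user[ident["userName"]]
        name = ev["eventName"]
        if name == "CreateUser":
            creator_of_user[ev["requestParameters"]["userName"]] = root
        for stage, names in STAGES.items():
            if name in names:
                clusters[root].append((parse_time(ev["eventTime"]), stage, name))
    return clusters


def detect(events, window=timedelta(hours=6)):
    """Return findings for principals that persisted and then enumerated
    Lambda or S3 within `window`. Enumeration alone is not flagged."""
    findings = []
    for root, hits in correlate(events).items():
        stages = {s for _, s, _ in hits}
        span = hits[-1][0] - hits[0][0]
        if "persistence" in stages and stages & {"lambda_enum", "s3_enum"} and span <= window:
            findings.append({
                "principal": root,
                "stages": sorted(stages),
                "events": [n for _, _, n in hits],
                "span_minutes": span.total_seconds() / 60,
            })
    return findings


# --- constructed sample data (hypothetical account, role, user and resource names) ---
def ev(t, name, ident, source, params=None):
    return {"eventTime": t, "eventName": name, "eventSource": source,
            "userIdentity": ident, "requestParameters": params or {}}

NODE_ROLE = {"type": "AssumedRole",
             "arn": "arn:aws:sts::111122223333:assumed-role/eks-node-role/i-0abc123"}
BACKDOOR = {"type": "IAMUser", "userName": "svc-backup",
            "arn": "arn:aws:iam::111122223333:user/svc-backup"}
ADMIN = {"type": "IAMUser", "userName": "alice",
         "arn": "arn:aws:iam::111122223333:user/alice"}

SAMPLE_EVENTS = [
    ev("2023-02-01T10:00:00Z", "GetCallerIdentity", NODE_ROLE, "sts.amazonaws.com"),
    ev("2023-02-01T10:02:00Z", "CreateUser", NODE_ROLE, "iam.amazonaws.com",
       {"userName": "svc-backup"}),
    ev("2023-02-01T10:02:30Z", "CreateAccessKey", NODE_ROLE, "iam.amazonaws.com",
       {"userName": "svc-backup"}),
    ev("2023-02-01T10:03:00Z", "AttachUserPolicy", NODE_ROLE, "iam.amazonaws.com",
       {"userName": "svc-backup", "policyArn": "arn:aws:iam::aws:policy/AdministratorAccess"}),
    ev("2023-02-01T10:20:00Z", "ListFunctions", BACKDOOR, "lambda.amazonaws.com"),
    ev("2023-02-01T10:21:00Z", "GetFunction", BACKDOOR, "lambda.amazonaws.com",
       {"functionName": "billing-export"}),
    ev("2023-02-01T10:40:00Z", "ListBuckets", BACKDOOR, "s3.amazonaws.com"),
    ev("2023-02-01T10:41:00Z", "GetObject", BACKDOOR, "s3.amazonaws.com",
       {"bucketName": "corp-tooling", "key": "scripts/deploy.sh"}),
    # benign: an admin listing buckets the same morning must not be flagged
    ev("2023-02-01T09:00:00Z", "ListBuckets", ADMIN, "s3.amazonaws.com"),
]

if __name__ == "__main__":
    print(json.dumps(detect(SAMPLE_EVENTS), indent=2))
```

Run against the constructed events, the node-role session is the only finding: its own CreateUser/CreateAccessKey/AttachUserPolicy calls and the backdoor user's later Lambda and S3 calls collapse into one chain spanning 39 minutes, while the admin's lone ListBuckets produces nothing. In production the same logic would sit over CloudTrail delivered to S3 or CloudWatch Logs; the window and the stage lists are tuning knobs, and GetFunction deserves particular weight because its response includes the function's environment variables.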
The SCARLETEEL operation demonstrates a high level of expertise in AWS cloud mechanics and highlights how a public-facing web app running in a container can become the entry point to the whole cloud account.
The incident shows the importance of robust cloud security measures, including container runtime monitoring and Kubernetes security monitoring, to detect such attacks before they cause significant damage to businesses.