
SCARLETEEL Campaign Steals Proprietary Data from Cloud

A new advanced hacking operation, dubbed SCARLETEEL, has been found targeting Kubernetes clusters hosted on AWS to steal sensitive proprietary data, while disguising the activity as a cryptojacking operation.

Stealing data through advanced cloud skills

According to Sysdig, the attack begins with the hackers exploiting a vulnerable public-facing service in a self-managed Kubernetes cluster hosted on AWS.
  • Once the attackers escalate privileges inside the container, they download an XMRig coinminer and a script to extract account credentials from the Kubernetes pod.
  • The coinminer merely serves as a decoy; the real activity is advanced maneuvering through AWS cloud mechanics, which the attackers use to burrow further into the company's cloud infrastructure.
  • Attackers use the stolen credentials to make AWS API calls and gain persistence, either by stealing further credentials or by creating backdoors in the company's cloud environment.
  • These backdoor accounts are used to spread further through the cloud environment.

Operational details

  • Attackers, depending on AWS role configurations, may gain access to Lambda information that can be used to enumerate and retrieve all proprietary code and software credentials. They leverage the stolen data for subsequent enumeration rounds and privilege escalation.
  • During one particular attack on Amazon S3, the threat actors retrieved and read more than 1 TB of information, including customer scripts, troubleshooting tools, and logging files related to Terraform.
  • Attackers leverage these Terraform files in a later step to pivot to another AWS account. They also attempt to disable CloudTrail logging in the compromised AWS account to minimize the traces left behind.
  • Experts discovered the attackers using Terraform state files retrieved from the S3 buckets, which contained IAM user access keys and a secret key for a second AWS account.
  • They used this account for lateral movement within the organization's cloud network to steal more data.

Wrapping up

The attackers in the SCARLETEEL attack widened their reach with continuous attempts to gain additional resources from the compromised account and to enumerate different AWS resources in the connected cloud account. Organizations and individuals are advised to adopt extra measures, such as conducting frequent audits and securing vulnerable applications, to reduce the potential attack surface and prevent lateral movement in the cloud.
Cyware Publisher