An continuing sophisticated attack effort known as SCARLETEEL continues to target cloud settings, with threat actors currently focusing on Amazon Web Services (AWS) Fargate.
According to a new report from Sysdig security researcher Alessandro Brucato, "Cloud environments are still their primary target, but the tools and techniques used have adapted to bypass new security measures, along with a more resilient and stealthy command and control architecture."
The cybersecurity firm originally revealed SCARLETEEL in February 2023, describing a complex attack chain that resulted in the theft of confidential information from AWS infrastructure and the installation of bitcoin miners to illicitly profit from the resources of the compromised systems.
However, Sysdig told The Hacker News that it "could be someone copying their methodology and attack patterns." Cado Security's follow-up investigation revealed possible connections to the well-known cryptojacking outfit TeamTNT.
The threat actor's recent action is a continuation of his propensity to target AWS accounts by taking advantage of weak public-facing web apps in order to achieve persistence, steal intellectual property, and maybe earn $4,000 per day utilizing bitcoin miners.
According to Brucato, "The actor discovered and exploited a flaw in an AWS policy which allowed them to escalate privileges to AdministratorAccess and gain control over the account, enabling them to then use it however they wanted."
The rival starts by taking advantage of JupyterLab notebook containers that are set up in a Kubernetes cluster. Using this initial foothold, the adversary conducts reconnaissance on the target network and gathers AWS credentials to gain further access to the victim's environment.
The installation of the AWS command-line tool and the Pacu exploitation framework for later exploitation come next. The assault is notable for using a variety of shell scripts, some of which target AWS Fargate compute engine instances, to retrieve AWS credentials.
"The attacker was observed using the AWS client to connect to Russian systems which are compatible with the S3 protocol," Brucato said, adding the SCARLETEEL actors used stealthy techniques to ensure that data exfiltration events are not captured in CloudTrail logs.
Other actions done by the attacker include the employment of a DDoS botnet virus known as Pandora and the Kubernetes Penetration Testing tool Peirates, all of which point to continued efforts on the side of the actor to monetize the host.
"The SCARLETEEL actors continue to operate against targets in the cloud, including AWS and Kubernetes," Brucato said.
"Their preferred method of entry is exploitation of open compute services and vulnerable applications. There is a continued focus on monetary gain via crypto mining, but [...] intellectual property is still a priority."
