Sysdig researchers discovered a sophisticated hacking operation dubbed Scarleteel 2.0 using new tactics to target new cloud environments.
In its last attack campaign, the malware was used against Kubernetes containers hosted on AWS to steal sensitive proprietary data. The stolen credentials were later used to perform AWS API calls to gain further access to a company’s cloud infrastructure. However, in their most recent activities, the attackers have expanded their operations to target more cloud infrastructure.
Recent observations
The new attacks involve the threat actors exploiting a minor mistake in AWS policy to escalate privileges to administrator and gain control over the Fargate account.
Attackers take advantage of a single-character typo in the policy, which enabled the attackers to bypass the security controls.
Some Jupyter Notebook containers deployed in a Kubernetes cluster have also been abused, allowing attackers to proceed with different types of attacks to steal AWS credentials.
New tactics and scripts identified
Scarleteel 2.0 uses an info-stealing script designed to steal data from a Fargate-hosted container.
Some versions of the script attempted to exploit IMDSv2 to retrieve tokens that would be utilized to steal AWS credentials.
There are multiple changes in the C2 domain, including the public services used, to send and retrieve data.
Advanced tools such as peirates, pacu, and AWS CLI are used to exploit AWS and Kubernetes containers for further attacks.
The AWS CLI tool caused the download and execution of Pandora, a variant of the Mirai botnet, to launch DDoS attacks on cloud environments.
More details
Security experts were successful in identifying the activity and mitigating the attack by limiting access to the admin account. However, the attackers attempted to re-launch the attack using other new compromised accounts to achieve the same goal of stealing secrets from environment instances. Still they failed to make any progress due to the lack of privileged access.
Conclusion
As Scarleteel actors continue to enhance their toolkits to target cloud environments, including AWS and Kubernetes, organizations are advised to deploy multiple layers of defense to stay safe. Moreover, the attackers’ preferred method of entry is by exploiting cloud services and vulnerabilities. Hence, it is recommended to protect their cloud environment while timely applying security patches to vulnerable devices.