The Scarleteel menace targets AWS Fargate environments for information theft and extra malicious kinds of assaults equivalent to cryptojacking and DDoS. Learn tips on how to mitigate this menace.
Sysdig, a cloud and container safety firm, has launched a new report on the Scarleteel menace that targets particular AWS environments for information theft and extra malicious actions. Learn how the Scarleteel menace operates and tips on how to safe your enterprise from this menace.
Jump to:
What is the Scarleteel menace?
Scarleteel is a complicated assault on AWS cloud environments that was found in February 2023 by Sysdig. That operation began by compromising Kubernetes containers to unfold to the sufferer’s AWS account with one purpose in thoughts: stealing proprietary software program. The assault additionally dropped a cryptominer on the compromised setting, but Sysdig’s Threat Research Team estimated the cryptojacking operation was in all probability used as a decoy to evade the detection of the information theft operation.
The assault confirmed that the menace actor had stable data of AWS cloud mechanics together with Elastic Compute Cloud roles, lambda serverless features and Terraform, an open-source infrastructure as code device that is ready to automate operations on infrastructures on any sort of cloud resolution.
Scarleteel’s new operation
Scarleteel’s Tactics, Techniques and Procedures has improved, in keeping with the Sysdig Threat Research Team. As within the earlier operation, the ultimate purpose of the menace actor right here appears to be information theft, though the actor nonetheless crops cryptominers throughout its assault (Figure A).
Figure A
How Scarleteel targets AWS Fargate credentials
This time, the assault begins with the menace actor exploiting JupyterLab pocket book containers deployed in a Kubernetes cluster. Then, the attacker focuses on credential stealing, utilizing a number of scripts to attempt to get AWS Fargate credentials within the occasion metadata service (IMDSv1 and IMDSv2) within the filesystem and within the Docker containers created within the focused machine. The stolen credentials are despatched to an IP tackle that was beforehand utilized by Scarleteel.
The attacker managed to steal AWS credentials in containers that had been utilizing IMDSv1. IMDSv2 password theft extremely relies on the particular setting. Depending on the configuration, it may not be doable for an attacker to steal credentials on IMDSv2.
To evade detections based mostly on using the curl and wget command-line instruments, which are sometimes monitored by safety options, the menace actor determined to make use of a customized script to exfiltrate the obtained credentials (Figure B). The information is base64-encoded, so it wouldn’t be despatched as clear textual content.
Figure B
Once the attacker is in possession of the credentials, they set up the AWS Command-Line Interface with Pacu, an open-source AWS exploitation framework designed for offensive safety testing.
The attacker then used the AWS CLI to connect with Amazon S3-compatible Russian programs utilizing the –endpoint-url choice, which permits the attackers to obtain their instruments and exfiltrate information with out being logged by the sufferer’s CloudPath.
After the menace actor carried out automated reconnaissance within the goal’s AWS setting, they obtained admin entry and created a consumer named “aws_support,” switching to it to proceed the operation.
How Scarleteel targets Kubernetes
The menace actor actively targets Kubernetes within the sufferer’s setting. The attacker has used Peirates, a Kubernetes penetration device that permits an attacker to escalate privileges and pivot by means of a Kubernetes cluster. It additionally automates identified strategies to steal and gather tokens and secrets and techniques.
The menace actor additionally executed Pandora, a Mirai-like malware that runs DDoS assaults utilizing Linux programs and IoT programs to particular targets. As said by the researchers, “This attack is likely part of a DDoS-as-a-Service campaign, where the attacker provides DDoS capabilities for money.”
Cryptojacking presumably used as a decoy
During the assault, the menace actor created 42 situations of the XMRig cryptominer, which is a reliable device typically used by attackers in cryptojacking operations. This big variety of situations all working the miner was caught shortly, however the menace actor then created different accounts to realize the identical objective by stealing secrets and techniques from the Secret Manager or updating SSH keys to run new situations. It failed on account of inadequate privileges.
It’s intriguing to see a menace actor working a stealth operation all of the sudden begin such a loud exercise. This as soon as once more leads us to imagine that the cryptomining a part of the operation would possibly simply be a decoy to cover all the information theft exercise.
How to guard from this cybersecurity menace
- Container photos ought to all the time come from trusted sources and continually up to date with the most recent safety patches.
- Unnecessary companies ought to all the time be disabled so the assault floor isn’t elevated. Privileges must also be minimized, and useful resource limitations must be enforced.
- Using AWS IMDSv2 as an alternative of IMDSv1 is a beneficial safety finest apply for containers as a result of it makes credential stealing more durable for attackers, relying on the configuration.
- AWS Identity and Access Management function permissions must be fastidiously checked.
- Security scanning instruments must be used to establish vulnerabilities and malware in container photos.
- Precise inbound and outbound insurance policies must be deployed to restrict entry to solely mandatory duties. AWS CloudPath logs must be analyzed for any suspicious exercise.
- Multifactor authentication must be deployed for connecting to AWS accounts.
Disclosure: I work for Trend Micro, however the views expressed on this article are mine.