SCARLETEEL operation uses sophisticated tactics to steal data

March 14, 2023

A newly discovered attack campaign, dubbed SCARLETEEL, targets public-facing web applications running in containers in order to breach cloud services and steal data. According to the report, researchers came across the operation while responding to an incident in a compromised cloud environment.

The operators showed a detailed working knowledge of AWS while deploying cryptominers in the infected cloud environments, and used that knowledge to push deeper into the targeted infrastructure.

The researchers concluded that the cryptojacking served as a distraction from the threat actors' real objective: stealing proprietary software.


The SCARLETEEL operation debuted its campaigns against Amazon Web Services.


According to the investigation, the SCARLETEEL operation began its attack by exploiting a vulnerable public-facing service in a self-managed Kubernetes cluster hosted on AWS.

Once inside the container, the operators downloaded an XMRig coinminer. The researchers believe this first step was a decoy, because the next script extracted the account credentials available to the Kubernetes pod.

The actors then used the stolen credentials to make AWS API calls, enumerating and stealing additional data and creating backdoor IAM users and groups in the victim's cloud environment to maintain persistence.

They also used these accounts to move laterally through the cloud environment.

Depending on the IAM role attached to the cluster, the adversaries could also reach Lambda resources, including function configurations, access keys and the functions themselves.

Using the Lambda API, the attackers enumerated and downloaded all proprietary code and software, along with the associated keys and environment variables, which they searched for IAM user credentials. Credentials found this way gave them a route to privilege escalation.

Separate researchers also noted that S3 bucket enumeration can happen at the same stage of the attack. The actors could collect files from cloud buckets containing valuable information, such as account credentials.

The attackers attempted to disable CloudTrail logging in the compromised AWS account to reduce the traces they left behind, which hampered the researchers' analysis and investigation.
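The post-compromise chain described above (credential use for S3 and Lambda discovery, backdoor IAM user creation, then an attempt to stop CloudTrail) leaves a recognisable trail in the account's own logs. As an added example, not taken from the report or from this page, the following Python detector reads CloudTrail records and flags those stages, correlating them per access key. The event names are real CloudTrail event names; the tactic grouping, severity thresholds, sample records and the access key IDs in them are constructed assumptions for illustration.

```python
"""Added example: flag SCARLETEEL-style activity in CloudTrail records.

Stages covered: S3 and Lambda discovery, IAM backdoor creation and
CloudTrail tampering, correlated per principal. Event names are real
CloudTrail event names; the grouping, thresholds and sample records are
constructed for this example and are not from the original report."""
import json
from collections import defaultdict
from datetime import datetime, timedelta

# CloudTrail eventName -> tactic label (the grouping is this example's own).
# ListBuckets, the Lambda calls and the IAM/CloudTrail calls are management
# events, so a default trail records them; object-level S3 reads need
# data-event logging and are deliberately not relied on here.
TTPS = {
    "CreateUser": "iam_backdoor", "CreateAccessKey": "iam_backdoor",
    "CreateGroup": "iam_backdoor", "AddUserToGroup": "iam_backdoor",
    "AttachUserPolicy": "iam_backdoor", "PutUserPolicy": "iam_backdoor",
    "AttachGroupPolicy": "iam_backdoor",
    "ListFunctions": "lambda_discovery", "GetFunction": "lambda_discovery",
    "GetFunctionConfiguration": "lambda_discovery",
    "ListBuckets": "s3_discovery",
    "StopLogging": "logging_tamper", "DeleteTrail": "logging_tamper",
    "UpdateTrail": "logging_tamper", "PutEventSelectors": "logging_tamper",
}

def principal_of(record):
    """Key findings by the access key that made the call (IAM user keys and
    temporary role-session keys both carry accessKeyId); fall back to the ARN."""
    ident = record.get("userIdentity", {})
    return ident.get("accessKeyId") or ident.get("arn", "unknown")

def classify(records):
    """Return {principal: [(time, eventName, tactic), ...]} for matched events."""
    hits = defaultdict(list)
    for rec in records:
        tactic = TTPS.get(rec.get("eventName"))
        if tactic is None:
            continue
        when = datetime.strptime(rec["eventTime"], "%Y-%m-%dT%H:%M:%SZ")
        hits[principal_of(rec)].append((when, rec["eventName"], tactic))
    return hits

def correlate(records, window_hours=1):
    """One finding per principal: 'high' for any logging tampering (worth
    paging on by itself), 'medium' for two or more distinct tactics from the
    same principal inside the window. Thresholds are example choices."""
    window = timedelta(hours=window_hours)
    findings = []
    for principal, events in classify(records).items():
        events.sort()  # chronological: tuples sort on the datetime first
        tactics = {t for _, _, t in events}
        span = events[-1][0] - events[0][0]
        if "logging_tamper" in tactics:
            severity = "high"
        elif len(tactics) >= 2 and span <= window:
            severity = "medium"
        else:
            continue
        findings.append({"principal": principal, "severity": severity,
                         "tactics": sorted(tactics),
                         "events": [name for _, name, _ in events]})
    return findings

def _rec(time, source, name, key):
    """Build a minimal CloudTrail-shaped record (constructed test data)."""
    return {"eventTime": time, "eventSource": source, "eventName": name,
            "userIdentity": {"type": "IAMUser", "accessKeyId": key}}

# Constructed sample: one key runs the whole chain, a second only looks around
# four hours apart, a third does routine EC2 work. Key IDs are made up.
SAMPLE_RECORDS = [
    _rec("2023-02-01T10:00:00Z", "s3.amazonaws.com", "ListBuckets", "AKIAEXAMPLEKEY0001"),
    _rec("2023-02-01T10:02:00Z", "lambda.amazonaws.com", "ListFunctions", "AKIAEXAMPLEKEY0001"),
    _rec("2023-02-01T10:05:00Z", "lambda.amazonaws.com", "GetFunction", "AKIAEXAMPLEKEY0001"),
    _rec("2023-02-01T10:07:00Z", "iam.amazonaws.com", "CreateUser", "AKIAEXAMPLEKEY0001"),
    _rec("2023-02-01T10:08:00Z", "iam.amazonaws.com", "CreateAccessKey", "AKIAEXAMPLEKEY0001"),
    _rec("2023-02-01T10:15:00Z", "cloudtrail.amazonaws.com", "StopLogging", "AKIAEXAMPLEKEY0001"),
    _rec("2023-02-01T09:00:00Z", "lambda.amazonaws.com", "ListFunctions", "AKIAEXAMPLEKEY0002"),
    _rec("2023-02-01T13:00:00Z", "s3.amazonaws.com", "ListBuckets", "AKIAEXAMPLEKEY0002"),
    _rec("2023-02-01T11:00:00Z", "ec2.amazonaws.com", "DescribeInstances", "AKIAEXAMPLEKEY0003"),
]

if __name__ == "__main__":
    print(json.dumps(correlate(SAMPLE_RECORDS), indent=2))
```

Run against the constructed sample, only the first key produces a finding (severity high, because it stopped logging); the second key's two discovery calls are four hours apart and fall outside the one-hour default window, and the third key never touches a listed API. The point of keying on the access key rather than the user name is that a stolen key and a legitimately used one for the same user are still separable once a new CreateAccessKey event appears in the chain.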

SCARLETEEL is a relatively new operation, but it has already shown the potential to become a more significant threat.
