Researchers have discovered that a financially motivated threat actor called ScarletEel has been infiltrating Amazon Web Services (AWS) for various malicious activities. These activities include stealing credentials and intellectual property, deploying crypto mining software, and carrying out distributed denial-of-service (DDoS) attacks.
The existence of ScarletEel was initially disclosed in a blog post by cloud security firm Sysdig in February. The group demonstrates a strong understanding of AWS tools and effectively maneuvers within cloud environments using native AWS functionality. By gaining the appropriate access, ScarletEel executes a dual strategy of planting crypto mining software while simultaneously pilfering intellectual property.
Recent analysis conducted by Sysdig reveals that ScarletEel continues to refine its tactics and evade cloud security detection mechanisms. The threat actor has expanded its capabilities to target AWS Fargate, a relatively unexplored compute engine. Furthermore, ScarletEel has incorporated DDoS-as-a-service into its range of exploitation techniques.
Alessandro Brucato, a threat research engineer for Sysdig, explains that ScarletEel has become more adept at understanding the victim's environment and has improved its ability to exploit vulnerabilities while evading defensive security measures implemented by customers.
To initiate its latest intrusion, ScarletEel exploited Jupyter notebook containers within a Kubernetes cluster. The attackers utilized scripts to search for AWS credentials that could be sent back to their command-and-control (C2) server. Notably, the scripts exfiltrated data with built-in shell commands rather than command-line tools such as curl and wget, so that monitoring rules keyed on those tools would not fire.
ScarletEel employed Pacu, an open-source penetration testing tool for AWS, to identify opportunities for privilege escalation within the victim's account. Simultaneously, the threat actor utilized Peirates, a similar tool tailored for exploring and exploiting Kubernetes environments.
To conceal their activities, the hackers used a clever evasion technique. Instead of interacting directly with AWS, they used a Russian server that supported the AWS protocol. Because they issued native AWS commands, the malicious nature of their actions was disguised. Moreover, these activities went unnoticed in the victim's AWS CloudTrail logs, since the requests were handled by the Russian server rather than by AWS.
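The two host-level behaviours described above, credential harvesting followed by exfiltration through shell built-ins, and AWS CLI traffic steered to an AWS-compatible endpoint that CloudTrail never sees, are the kind of thing a runtime-security rule set should catch. The following is an added example, not Sysdig's code or anything from the Sysdig report; the event schema (process exec, file open, outbound connect) is an assumption modelled on a generic runtime-security feed, and the sample events, IPs and hostnames are constructed.

```python
"""
Runtime-detection rules (added example, not Sysdig's tooling) for:
  * a process reading AWS credential material,
  * a shell process opening an outbound socket itself (exfiltration with
    built-ins rather than a curl/wget child process),
  * the aws CLI being pointed at a host outside amazonaws.com, which moves
    API calls (and the stolen credentials) out of CloudTrail's view.
The event schema is an assumption; the sample feed below is constructed.
"""
import re
import shlex
from urllib.parse import urlparse

SHELLS = {"sh", "bash", "dash", "ash", "zsh"}
CRED_PATHS = re.compile(r"(/\.aws/credentials|/\.aws/config|/proc/\d+/environ)$")
AWS_HOST = re.compile(r"(^|\.)amazonaws\.com$")


def endpoint_host(cmdline):
    """Host named by an explicit --endpoint-url on an aws CLI command line, else None."""
    argv = shlex.split(cmdline)
    for i, arg in enumerate(argv):
        if arg.startswith("--endpoint-url="):
            return urlparse(arg.split("=", 1)[1]).hostname
        if arg == "--endpoint-url" and i + 1 < len(argv):
            return urlparse(argv[i + 1]).hostname
    return None


def evaluate(event):
    """Return the findings raised by a single event (empty list if benign)."""
    findings = []
    comm = event.get("comm", "")
    kind = event["type"]

    if kind == "open" and CRED_PATHS.search(event["path"]):
        findings.append(f"credential material read by '{comm}': {event['path']}")

    if kind == "connect":
        # curl or wget would appear as their own process; a shell that opens
        # the socket itself is the built-in exfiltration pattern.
        if comm in SHELLS:
            findings.append(
                f"shell '{comm}' opened outbound connection to {event['dst']}:{event['dport']}"
            )
        # The aws CLI talking to a host outside amazonaws.com means the API
        # calls never reach AWS, so CloudTrail will not record them.
        host = event.get("dst_host")
        if comm == "aws" and host and not AWS_HOST.search(host):
            findings.append(f"aws CLI connected to non-AWS endpoint {host}")

    if kind == "exec" and comm == "aws":
        host = endpoint_host(event.get("cmdline", ""))
        if host and not AWS_HOST.search(host):
            findings.append(f"aws CLI invoked with non-AWS --endpoint-url {host}")

    return findings


def scan(events):
    """Run every event through the rules and collect the findings."""
    return [finding for event in events for finding in evaluate(event)]


# Constructed sample feed; addresses are documentation/example values.
SAMPLE_EVENTS = [
    {"type": "open", "comm": "bash", "path": "/root/.aws/credentials"},
    {"type": "open", "comm": "bash", "path": "/etc/hostname"},
    {"type": "connect", "comm": "curl", "dst": "203.0.113.10", "dport": 443,
     "dst_host": "pypi.org"},
    {"type": "connect", "comm": "bash", "dst": "203.0.113.10", "dport": 4444},
    {"type": "exec", "comm": "aws", "cmdline": "aws s3 ls"},
    {"type": "exec", "comm": "aws",
     "cmdline": "aws s3 cp /tmp/archive.tgz s3://bucket/ --endpoint-url=https://objstore.example.net"},
    {"type": "connect", "comm": "aws", "dst": "198.51.100.7", "dport": 443,
     "dst_host": "s3.us-east-1.amazonaws.com"},
]

if __name__ == "__main__":
    for finding in scan(SAMPLE_EVENTS):
        print("ALERT:", finding)
```

Against the constructed feed, the rules raise three alerts (the credentials read, the shell's direct connection, and the aws CLI invocation with a foreign endpoint) and stay silent on the curl download and the legitimate call to an amazonaws.com host. The connect rule for the aws process depends on the feed resolving destination hostnames; where it only carries IPs, an egress allow-list at the network layer is the equivalent control.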
As previously noted by Sysdig, ScarletEel's primary objectives include stealing proprietary software and engaging in cryptojacking. In their most recent campaign, the attackers dropped 42 instances of cryptominers through a compromised account. Although this activity raised suspicions and led to their detection and removal, ScarletEel persisted in its efforts. Even after being caught, the threat actors attempted to utilize new compromised accounts but failed due to insufficient privileges. If left undetected, the researchers estimate that the attack could have yielded around $4,000 worth of cryptomining rewards per day.
In addition to intellectual property theft and cryptojacking, ScarletEel also planted malware from the Mirai botnet family called "Pandora." It is speculated that the attackers intended to utilize Pandora-infected devices for a separate large-scale DDoS-as-a-service campaign.
ScarletEel's familiarity and expertise in cloud environments pose challenges for traditional cloud security measures. For example, the threat actor managed to breach AWS Fargate, which is not commonly considered a target due to its limited accessibility and primarily internal use. Michael Clark, the director of threat research for Sysdig, emphasizes the need for proactive defensive measures to counter entities like ScarletEel.
He adds, "But like we saw in this attack, they ended up on the Fargate system, and they grabbed its credentials. So they're definitely aware of the opportunities there, and it's only a matter of time before they get on it."
To harden against an entity like ScarletEel, Brucato explains, "you first have to implement some measures to prevent attackers from entering your environment. But if they manage to do it anyway — because now they're getting more and more sophisticated — you also have to implement effective runtime security." Clark emphasizes the value of effective cloud security posture management (CSPM) and cloud infrastructure entitlement management (CIEM).
"It's not enough to be protected in one way because the attackers today are really aware," Brucato concludes. "They can exploit any detail."
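The privilege-escalation hunting described earlier (Pacu looking for escalation paths inside the victim's account) and the CIEM advice above meet in one practical control: reviewing IAM policy documents for entitlements that are broader than any workload needs. The following added example, which is not Sysdig's tooling and not code from the article, flags Allow statements that combine a wildcard action with `Resource: "*"`, and sensitive identity actions that are granted on all resources without any Condition. The policy documents are constructed, the account id is a placeholder, and the sensitive-action list is an illustrative assumption rather than a complete catalogue.

```python
"""
CIEM-style review of IAM policy documents (added example, not Sysdig's code).
Flags:
  * wildcard actions ("*" or "service:*") allowed on Resource "*",
  * sensitive identity actions allowed on Resource "*" with no Condition.
The policies below are constructed; SENSITIVE_ACTIONS is an illustrative
assumption, not an exhaustive list. NotAction/NotResource are not handled.
"""
import json
from fnmatch import fnmatchcase

# Illustrative (assumption): actions that let a principal mint credentials or
# widen its own or another principal's access.
SENSITIVE_ACTIONS = (
    "iam:PassRole",
    "iam:CreateAccessKey",
    "iam:AttachUserPolicy",
    "iam:AttachRolePolicy",
    "iam:PutUserPolicy",
    "iam:PutRolePolicy",
    "iam:UpdateAssumeRolePolicy",
    "sts:AssumeRole",
)


def _as_list(value):
    """IAM allows a string or a list in Statement, Action and Resource."""
    return value if isinstance(value, list) else [value]


def review_policy(name, document):
    """Return a list of findings for one policy document."""
    findings = []
    for idx, stmt in enumerate(_as_list(document.get("Statement", []))):
        if stmt.get("Effect") != "Allow":
            continue
        actions = [a.lower() for a in _as_list(stmt.get("Action", []))]
        resources = _as_list(stmt.get("Resource", []))
        if "*" not in resources:
            continue  # scoped to specific ARNs; out of scope for these two checks
        if any(a == "*" or a.endswith(":*") for a in actions):
            findings.append({"policy": name, "statement": idx, "kind": "wildcard",
                             "detail": "wildcard action granted on Resource '*'"})
            continue
        if stmt.get("Condition"):
            continue  # a Condition narrows the grant; needs manual review instead
        for sensitive in SENSITIVE_ACTIONS:
            # Action entries may themselves be globs such as "iam:Pass*".
            if any(fnmatchcase(sensitive.lower(), pattern) for pattern in actions):
                findings.append({"policy": name, "statement": idx, "kind": "sensitive",
                                 "detail": sensitive})
    return findings


def review_all(policies):
    """Review a mapping of policy name -> parsed policy document."""
    return [f for name, doc in policies.items() for f in review_policy(name, doc)]


# Constructed sample policies; 111122223333 is a placeholder account id.
SAMPLE_POLICIES = {
    "notebook-task-role": json.loads("""{
        "Version": "2012-10-17",
        "Statement": [
            {"Effect": "Allow", "Action": ["s3:GetObject"],
             "Resource": "arn:aws:s3:::ml-datasets/*"},
            {"Effect": "Deny", "Action": "*", "Resource": "*",
             "Condition": {"Bool": {"aws:SecureTransport": "false"}}}
        ]}"""),
    "legacy-admin": json.loads("""{
        "Version": "2012-10-17",
        "Statement": {"Effect": "Allow", "Action": "*", "Resource": "*"}}"""),
    "ci-deploy": json.loads("""{
        "Version": "2012-10-17",
        "Statement": [{"Effect": "Allow",
                       "Action": ["iam:PassRole", "ecs:RunTask"],
                       "Resource": "*"}]}"""),
    "ci-deploy-scoped": json.loads("""{
        "Version": "2012-10-17",
        "Statement": [{"Effect": "Allow", "Action": "iam:PassRole",
                       "Resource": "arn:aws:iam::111122223333:role/deploy-task-role"}]}"""),
}

if __name__ == "__main__":
    for finding in review_all(SAMPLE_POLICIES):
        print(finding)
```

On the constructed set, `legacy-admin` is reported for its global wildcard and `ci-deploy` for an unscoped `iam:PassRole`, while the task role limited to one bucket and the deploy policy scoped to a single role ARN pass. The same checks run unchanged over documents fetched with the IAM API, which is the step a real entitlement review would add.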