Scarleteel, an advanced hacking operation discovered by cybersecurity intelligence firm Sysdig in February, has entered phase two with evolved infection and exfiltration tactics.

In its most recent activities, as noted by Sysdig research, the operation was found targeting cloud environments with tools and techniques adapted to bypass new security measures, along with a more resilient and stealthy command-and-control architecture.

“The combination of automation and manual review of the collected data makes this attacker a more dangerous threat,” the Sysdig report said. “It isn’t just nuisance malware, like a crypto miner is often thought of, as they are looking at as much of the target environment as they can.”

Recent Scarleteel activities have targeted environments like AWS Fargate and Kubernetes, indicating a clear evolution from crypto mining alone to further exploits such as stealing intellectual property.

Minor policy mistake opens up Fargate, Kubernetes

In its recent attack, Scarleteel was seen exploiting a minor mistake in an AWS policy to escalate privileges to administrator access and gain control over the Fargate account. It was seen further targeting Kubernetes through this hack.

“The customer made an error that allowed the attackers to bypass one of their policies because of a single character typo,” said Alessandro Brucato, threat research engineer at Sysdig. “Specifically, this policy prevented attackers from taking over every user containing ‘admin’ in their username.
But the field used in the policy is case-sensitive.”

Brucato added that one of the admin usernames in the customer account started with “admin,” allowing the attackers to take control of it.

This allowed the attacker to exploit some Jupyter Notebook containers deployed in a Kubernetes cluster, which further enabled them to proceed with multiple types of attacks, primarily stealing AWS credentials to further exploit the victim’s AWS environment.

“The goal of Scarleteel is to gain persistence in a vulnerable Kubernetes workload in order to elevate cloud privileges and ultimately cause financial damage through crypto-jacking as well as intellectual property theft,” said Jimmy Mesta, chief technology officer at Kubernetes Security Operations Center. “One vulnerable web application or, in the case of Scarleteel, a Jupyter Notebook, can lead to complete AWS account compromise.”

Improved tactics include self-aware scripts and evasive exfiltration

The scripts used in the info-stealing attacks seemed aware of running in a Fargate-hosted container and executed the relevant commands to collect credentials.

“Their scripts query different services to gather information about the environment,” Brucato said. “Then, they advance their attack employing tools that target specific services (for instance, peirates in Kubernetes pods or pacu after stealing AWS credentials).”

Pacu and Peirates are popular open source attack tools typically used by penetration testers and red teams to assess the security of modern cloud and Kubernetes infrastructure.

“Pacu was used in the Scarleteel attack as a post-exploitation enumeration tool to rapidly assess for over 20 existing privilege escalation paths in the victim AWS account,” Mesta said.
“Peirates, on the other hand, gives attackers an all-in-one command line interface to carry out Kubernetes exploits such as performing lateral movement, stealing cloud IAM credentials, or gaining persistence through a reverse shell.”

Scarleteel also used a novel exfiltration technique to evade detection. Instead of using commonly preferred command-line tools such as “curl” or “wget,” it chose a stealthier route: shell built-ins.

“Exfiltration is often where attackers are detected by SIEM or other monitoring systems as most attacks use commonly known tools such as wget or curl, both of which stand out as an anomaly,” Mesta said. “Scarleteel uses shell built-ins to perform network external calls to attacker-controlled IP addresses, making the attack appear to be ‘normal’ to most unsophisticated security monitoring tools that use pre-built signatures.”

The attacker also used the hijacked AWS CLI to download and execute Pandora, a malware variant belonging to the Mirai botnet that primarily targets internet-connected IoT devices to stage large-scale DDoS attacks.
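The case-sensitive policy match Brucato describes, reproduced as an added example (not code from Sysdig or from this article): a constructed deny rule on usernames matching *admin*, evaluated with case-sensitive glob matching as AWS IAM's StringLike/StringNotLike operators do, plus an audit helper that lists the usernames such a rule misses and a pattern expansion that closes the common gaps.

```python
"""Added illustration of the Scarleteel policy typo: a deny rule whose username
match is case-sensitive, so a differently cased username slips past it.

Assumptions (constructed, not the customer's real policy): the rule denies
privileged actions for usernames matching the glob *admin*, and pattern matching
is case-sensitive like the StringLike/StringNotLike operators in AWS IAM."""
import fnmatch

# Constructed deny rule and a constructed sample of account usernames.
DENY_USERNAME_PATTERNS = ["*admin*"]
SAMPLE_USERNAMES = ["admin-ops", "Admin-backup", "dev-alice", "ADMIN", "sysadmin"]


def glob_match(pattern: str, value: str, ignore_case: bool = False) -> bool:
    """Match a '*'/'?' glob. fnmatchcase is case-sensitive on every platform,
    so it models the policy engine; lowering both sides gives the lenient mode."""
    if ignore_case:
        pattern, value = pattern.lower(), value.lower()
    return fnmatch.fnmatchcase(value, pattern)


def is_blocked(username: str, patterns=DENY_USERNAME_PATTERNS,
               ignore_case: bool = False) -> bool:
    """True if the deny rule fires for this username under the given matching mode."""
    return any(glob_match(p, username, ignore_case) for p in patterns)


def audit_case_gaps(usernames, patterns=DENY_USERNAME_PATTERNS) -> list:
    """Usernames the rule is evidently meant to cover (they match with case ignored)
    but which the case-sensitive rule as written lets through."""
    return [u for u in usernames
            if is_blocked(u, patterns, ignore_case=True) and not is_blocked(u, patterns)]


def case_variants(pattern: str) -> list:
    """Mitigation for engines with no case-insensitive glob: expand one pattern into
    its lowercase, capitalised and uppercase spellings. This covers the common
    spellings only; a case-insensitive operator, where the engine has one, is the real fix."""
    i = next((k for k, c in enumerate(pattern) if c.isalpha()), None)
    if i is None:
        return [pattern]
    capitalised = pattern[:i] + pattern[i].upper() + pattern[i + 1:].lower()
    return sorted({pattern.lower(), capitalised, pattern.upper()})


if __name__ == "__main__":
    print("slips through as written:", audit_case_gaps(SAMPLE_USERNAMES))  # ['Admin-backup', 'ADMIN']
    print("after expansion:", audit_case_gaps(SAMPLE_USERNAMES, case_variants("*admin*")))  # []
```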