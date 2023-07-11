

Shweta Sharma
Cryptominer Scarleteel evolves tactics to steal container credentials

News | Jul 11, 2023 | 4 mins | Cryptocurrency, Malware

Scarleteel 2.0 deploys evolved tools and techniques to obfuscate the exfiltration of stolen container credentials.

Image: cryptojacking illustration (Credit: Romanovskyy / Getty Images)

Scarleteel, an advanced hacking operation discovered by cybersecurity intelligence firm Sysdig in February, has entered phase two with evolved infection and exfiltration tactics.

In its most recent activity, as documented by Sysdig's research, the operation was found targeting cloud environments with tools and techniques adapted to bypass newer security measures, along with a more resilient and stealthy command-and-control architecture.

"The combination of automation and manual review of the collected data makes this attacker a more dangerous threat," the Sysdig report said. "It isn't just nuisance malware, like a crypto miner is often thought of, as they are looking at as much of the target environment as they can."

Recent Scarleteel activity has targeted environments such as AWS Fargate and Kubernetes, indicating a clear evolution from crypto mining alone to further objectives such as theft of intellectual property.

Minor policy mistake opens up Fargate, Kubernetes

In its recent attack, Scarleteel was seen exploiting a minor mistake in AWS policy to escalate privileges to administrator access and gain control over the Fargate account. It was seen further targeting Kubernetes through this hack.

"The customer made an error that allowed the attackers to bypass one of their policies because of a single character typo," said Alessandro Brucato, threat research engineer at Sysdig. "Specifically, this policy prevented attackers from taking over every user containing 'admin' in their username. But the field used in the policy is case-sensitive."

Brucato added that one of the admin usernames in the customer account started with "admin," allowing the attackers to take control of it.
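The case-sensitivity gap described above can be audited before an attacker finds it. The following is an added example, not code from the article or from Sysdig: it models an IAM-style deny pattern over usernames with case-sensitive glob matching (the behaviour the article attributes to the policy field), lists the users the policy was clearly meant to cover but misses, and shows a cheap hardening step. The pattern, user names and hardening helper are all constructed for illustration.

```python
"""Audit an IAM-style deny pattern for the case-sensitivity gap the article describes."""
from fnmatch import fnmatchcase

# Constructed policy fragment (assumption): a Deny meant to cover every IAM
# user whose name contains "admin". IAM evaluates such patterns
# case-sensitively, which is the pitfall the article reports.
DENY_USER_PATTERNS = ["*admin*"]

# Constructed user list, not taken from the incident.
SAMPLE_USERS = ["jane", "backup-admin", "Admin-ops", "ADMIN_cicd", "reader"]


def is_covered(username, patterns=DENY_USER_PATTERNS):
    """True if the deny pattern matches the way IAM does: case-sensitively."""
    return any(fnmatchcase(username, p) for p in patterns)


def find_case_escapes(usernames, patterns=DENY_USER_PATTERNS):
    """Users the policy author evidently intended to cover (case-insensitive
    match) that the case-sensitive evaluation lets through."""
    escapes = []
    for name in usernames:
        intended = any(fnmatchcase(name.lower(), p.lower()) for p in patterns)
        if intended and not is_covered(name, patterns):
            escapes.append(name)
    return escapes


def harden(patterns):
    """Cheap hardening: add the capitalised and upper-case spellings so the
    common variants are covered. Mixed-case names such as "AdMin" still slip
    through; a naming convention enforced at user creation is the real fix."""
    hardened = []
    for p in patterns:
        core = p.strip("*")
        for variant in (core, core.capitalize(), core.upper()):
            candidate = p.replace(core, variant)
            if candidate not in hardened:
                hardened.append(candidate)
    return hardened


if __name__ == "__main__":
    print("escapes with original policy:", find_case_escapes(SAMPLE_USERS))
    print("escapes after hardening:",
          find_case_escapes(SAMPLE_USERS, harden(DENY_USER_PATTERNS)))
```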

This allowed the attacker to exploit some Jupyter Notebook containers deployed in a Kubernetes cluster, which further enabled them to proceed with multiple types of attacks, primarily for stealing AWS credentials to further exploit the victim's AWS environment.

"The goal of Scarleteel is to gain persistence in a vulnerable Kubernetes workload in order to elevate cloud privileges and ultimately cause financial damage through crypto-jacking as well as intellectual property theft," said Jimmy Mesta, chief technology officer at Kubernetes Security Operations Center. "One vulnerable web application or in the case of Scarleteel, a Jupyter Notebook, can lead to complete AWS account compromise."

Improved tactics include self-aware scripts and evasive exfiltration

The scripts used in the info-stealing attacks seemed aware of being in a Fargate-hosted container and executed relevant commands to collect credentials.

"Their scripts query different services to gather information about the environment," Brucato said. "Then, they advance their attack employing tools that target specific services (for instance, peirates in Kubernetes pods or pacu after stealing AWS credentials)."

Pacu and Peirates are popular open source attack tools typically used by penetration testers and red teams to assess the security of modern cloud and Kubernetes infrastructure.

"Pacu was used in the Scarleteel attack as a post-exploitation enumeration tool to rapidly assess for over 20 existing privilege escalation paths in the victim AWS account," Mesta said. "Peirates, on the other hand, gives attackers an all-in-one command line interface to carry out Kubernetes exploits such as performing lateral movement, stealing cloud IAM credentials, or gaining persistence through a reverse shell."

Scarleteel also used a novel exfiltration technique to evade detection. Instead of using commonly used command-line tools such as "curl" or "wget," it chose a stealthier approach based on shell built-ins.

"Exfiltration is often where attackers are detected by SIEM or other monitoring systems as most attacks use commonly known tools such as wget or curl, both of which stand out as an anomaly," Mesta said. "Scarleteel uses shell built-ins to perform network external calls to attacker-controlled IP addresses, making the attack appear to be ‘normal’ to most unsophisticated security monitoring tools that use pre-built signatures."

The attacker also used the hacked AWS CLI to download and execute Pandora, a malware belonging to the Mirai Botnet that primarily targets IoT devices connected to the internet to stage large-scale DDoS attacks.
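Signature rules keyed on curl or wget miss the technique Mesta describes, but the evasion leaves its own trace: when a shell built-in opens the connection, the socket belongs to the shell process itself rather than to a separate tool. The following is an added detection example, not code from the article or from any vendor; the event schema, the internal network ranges and the event records are all constructed for illustration.

```python
"""Flag outbound connections owned directly by a shell process, the pattern
left behind when exfiltration uses shell built-ins instead of curl/wget."""
import ipaddress

# Constructed internal ranges (assumption): the VPC and cluster CIDRs a
# defender would allowlist. Anything outside them is treated as external.
INTERNAL_NETS = [ipaddress.ip_network(c) for c in ("10.0.0.0/8", "172.16.0.0/12")]

# Shell binaries whose built-ins can open sockets without spawning a tool.
SHELLS = {"sh", "bash", "dash", "zsh", "ksh"}

# Constructed container network-connect events (assumed schema: owning
# process name plus destination). Not real telemetry.
SAMPLE_EVENTS = [
    {"container": "jupyter-1", "proc": "curl", "dst_ip": "10.0.3.4", "dst_port": 443},
    {"container": "jupyter-1", "proc": "bash", "dst_ip": "203.0.113.10", "dst_port": 8080},
    {"container": "web-2", "proc": "python3", "dst_ip": "10.0.3.9", "dst_port": 5432},
    {"container": "jupyter-1", "proc": "sh", "dst_ip": "10.0.3.4", "dst_port": 80},
    {"container": "batch-7", "proc": "sh", "dst_ip": "198.51.100.7", "dst_port": 443},
]


def is_external(ip):
    """True when the destination lies outside the allowlisted internal CIDRs."""
    addr = ipaddress.ip_address(ip)
    return not any(addr in net for net in INTERNAL_NETS)


def shell_direct_connections(events):
    """Return events where a shell, not a child tool, owns an outbound socket
    to an external address. Internal shell connections are left alone to
    keep noise from health checks and service scripts down."""
    return [e for e in events
            if e["proc"] in SHELLS and is_external(e["dst_ip"])]


def summarize(events):
    """Compact (container, destination) pairs for an alert or a SIEM lookup."""
    return [(e["container"], f'{e["dst_ip"]}:{e["dst_port"]}')
            for e in shell_direct_connections(events)]


if __name__ == "__main__":
    for container, dst in summarize(SAMPLE_EVENTS):
        print(f"ALERT shell-owned external connection: {container} -> {dst}")
```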

Shweta Sharma is a senior journalist covering enterprise information security and digital ledger technologies for IDG’s CSO Online, Computerworld, and other enterprise sites.
