Blog

Today almost every brand uses some form of a customer-facing web application to speak on behalf of the business. Recently, an advanced hacking operation named SCARLETEEL has been targeting these applications to steal proprietary data and software. Sophos News reports that cyberattacks are rising, and campaigns like SCARLETEEL target containerized cloud environments.

The malicious SCARLETEEL campaign

According to Sysdig Threat Research Team, cybersecurity researchers recently identified an advanced and sophisticated hacking operation named SCARLETEEL. Attackers exploit containerized workloads and gain privilege escalation into AWS accounts to steal proprietary software and credentials. They also leverage Terraform state files to turn to other connected AWS accounts to reach all services and user accounts in an organization. 

According to the Sysdig report, "This attack was more sophisticated than most, as it started from a compromised Kubernetes container and spread to the victim's AWS account." According to the report, the attackers involved in the SCARLETEEL campaign have deep knowledge of AWS cloud mechanics, including verticals like Elastic Compute Cloud (EC2), AWS Lambda, serverless functions, and Terraform.

How does the SCARLETEEL campaign work?

Sysdig responded to an incident when cybercriminals compromised a customer's cloud environment. The attack compromises the Kubernetes container to spread to the victim's AWS account. The initial SCARLETEEL campaign's infection vector resides in exploiting a public-facing service. The attackers target the vulnerable service in a self-managed Kubernetes cluster hosted on Amazon Web Services (AWS) cloud service.

Once they gain access to the system successfully, they launch XMRig crypto miner with a bash script to acquire credentials that they can utilize to further dig into the AWS infrastructure and extract sensitive information. "Either crypto mining was the attacker's initial goal, and the goal changed once they accessed the victim's environment, or crypto mining was used as a decoy to evade the detection of data exfiltration. They also attempted to pivot using a Terraform state file to other connected AWS accounts to spread their reach throughout the organization," says Sysdig. 

Although, the attempt by the SCARLETEEL campaign to pivot using a Terraform state proved unsuccessful because of the lack of permission and access. During the intrusion phase, the attacker disables the Cloud Trail logs to eliminate the digital footprint. Hence, it prevents the Sysdig threat intelligence team from getting complete evidence of the attack. However, the threat actors managed to access more than one terabyte of data, which comprises troubleshooting tools, customer scripts, and log files.

Preventive measures against container & cloud-based attacks

• To protect data, isolating containers is a wise practice depending on the sensitivity and threat levels. According to NIST, this security measure will minimize the damage caused by malicious activity by decreasing its reach.

• Enterprises should consider using container-based vulnerability management tools and complete regular cloud penetration testing to secure containers and cloud services.

• Enterprises should use IMDS v2 instead of v1, which prevents unauthorized metadata access.

• Misconfiguration is another common issue that security professionals must identify and fix to prevent different forms of attack campaigns like SCARLETEEL. According to the recent Gartner report, by 2025, more than 99% of cloud breaches will happen because of user misconfiguration or mistakes.

• Implementing appropriate encryption techniques is another way to protect enterprise data and app-related customer details in the cloud. Through robust encryption, even if the data gets compromised, cybercriminals will not be able to read the scrambled data or extract meaningful insights from it.

• Security researchers found that cybercriminals compromise containers by implanting malware or crypto mining programs by pre-installing them in the image. So, it is a good practice to use anti-malware programs. Enterprises can also hire cloud service providers (CSPs) offering built-in anti-malware detection tools.

• Enterprises should hire security experts along with cloud-based app developers. These security professionals would layer customer-facing apps with additional security measures.

• Malware-based attacks can also damage/delete app data and services hosted on the cloud. Therefore, backing up data in an isolated system is a good practice.

• Another good practice is removing unused permissions and adopting the least privilege principle.

Conclusion

Sysdig security experts also recommend enforcing a comprehensive detection and alerting system within the cloud services that run customer-facing apps. Since cloud usage has increased exponentially, enterprises must secure their infrastructure end-to-end by implementing robust security measures. This will help prevent unauthorized access and rapidly respond to attacks before any data loss or damage occurs.