SCARLETEEL’s Cryptojacking Campaign Exploits AWS Fargate in an Ongoing Campaign

July 11, 2023thnCryptocurrency / Cloud Security

Cloud environments continue to be on the receiving end of an ongoing sophisticated attack campaign dubbed SCARLETEEL, with threat actors now turning their sights on Fargate Amazon Web Services (AWS).

“Cloud environments are still their main target, but the tools and techniques used have been adapted to bypass new security measures, along with more resilient and stealthy command and control architectures,” said Sysdig security researcher Alessandro Brucato in a new report. shared with The Hacker. News.

SCARLETEEL was first exposed by the cybersecurity firm in February 2023, detailing a sophisticated attack chain that led to the theft of proprietary data from AWS infrastructure and the deployment of cryptocurrency miners to profit from illegally compromised system resources.

Follow-up analysis by Cado Security uncovered potential links to a prolific cryptojacking group known as TeamTNT, although Sysdig told The Hacker News that “perhaps someone copied their methodology and attack patterns.”

Recent activity continues the threat actor’s penchant to go after AWS accounts by exploiting vulnerable public web applications with the end goal of gaining persistence, stealing intellectual property, and potentially earning up to $4,000 per day in revenue using crypto miners.

“Actors found and exploited a flaw in AWS policies that allowed them to escalate access rights to AdministratorAccess and gain control of the account, allowing them to then do what they wanted,” explained Brucato.

It all started with an adversary exploiting a JupyterLab notebook container deployed in a Kubernetes cluster, leveraging the initial foothold to conduct reconnaissance of the target’s network and collect AWS credentials to gain deeper access to the victim’s environment.

This is followed by the installation of the AWS command line tool and exploitation framework called Pace for subsequent exploits. The attack was also notable for its use of various shell scripts to retrieve AWS credentials, some of which targeted the AWS Fargate compute engine.

“The attacker was observed using an AWS client to connect to a Russian system compatible with the S3 protocol,” said Brucato, adding the SCARLETEEL actor used stealth techniques to ensure that data exfiltration events were not caught in CloudTrail logs.

Some of the other steps taken by attackers include the use of a Kubernetes Penetration Testing tool known as Peirates to exploit the container orchestration system and DDoS botnet malware called Pandoraindicates further efforts on the part of the actor to monetize the host.

“The SCARLETEEL actor continues to operate against targets in the cloud, including AWS and Kubernetes,” said Brucato. “Their preferred method of entry is the exploitation of open computing services and vulnerable applications. There is a continued focus on monetary gain through crypto mining, but (…) intellectual property is still a priority.”