
A sophisticated attack campaign dubbed SCARLETEEL is targeting containerized environments to perpetrate theft of proprietary data and software.
"The attacker exploited a containerized workload and then leveraged it to perform privilege escalation into an AWS account in order to steal proprietary software and credentials," Sysdig said in a new report.
The advanced cloud attack also entailed the deployment of crypto miner software, which the cybersecurity company said is either an attempt to generate illicit profits or a ploy to distract defenders and throw them off the trail.
The initial infection vector banked on exploiting a vulnerable public-facing service in a self-managed Kubernetes cluster hosted on Amazon Web Services (AWS).
Upon gaining a successful foothold, an XMRig crypto miner was launched and a bash script was used to obtain credentials that could be used to further burrow into the AWS cloud infrastructure and exfiltrate sensitive data.
"Either crypto mining was the attacker's initial goal and the goal changed once they accessed the victim's environment, or crypto mining was used as a decoy to evade the detection of data exfiltration," the company said.

The intrusion notably also disabled CloudTrail logs to minimize the digital footprint, preventing Sysdig from accessing more evidence. In all, it allowed the threat actor to access more than 1TB of data, including customer scripts, troubleshooting tools, and logging data.
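Because the attacker's disabling of CloudTrail is what cut off the evidence trail, a defender's first detection for this kind of intrusion is an alert on CloudTrail's own management API calls (StopLogging, DeleteTrail, UpdateTrail, PutEventSelectors). The following is an added example, not code from the Sysdig report or from the incident: it scans a CloudTrail log file (the `{"Records": [...]}` JSON shape CloudTrail delivers to S3) and returns one finding per tampering attempt, including attempts that failed with an error code, since a denied StopLogging is still a strong signal. The sample events, account IDs, ARNs and IP addresses are constructed for the example.

```python
"""Flag CloudTrail tampering (logging stopped, trail deleted or reconfigured).

Added example for the SCARLETEEL write-up; the events below are constructed,
not taken from the incident. CloudTrail records its own management API calls
with eventSource "cloudtrail.amazonaws.com", which is what we key on.
"""
import json
from typing import Dict, Iterable, List

# Actions that reduce or remove audit coverage. Mapping value is the alert text.
TAMPER_EVENTS = {
    "StopLogging": "logging stopped on trail",
    "DeleteTrail": "trail deleted",
    "UpdateTrail": "trail configuration changed",
    "PutEventSelectors": "event selectors changed (data events may be dropped)",
}


def load_records(cloudtrail_json: str) -> List[Dict]:
    """Parse a CloudTrail log file body into its list of event records."""
    return json.loads(cloudtrail_json).get("Records", [])


def find_cloudtrail_tampering(records: Iterable[Dict]) -> List[Dict]:
    """Return one finding per record whose eventName is a tampering action.

    Failed calls (AccessDenied etc.) are kept and marked succeeded=False,
    because an attempt to stop logging is itself worth an alert.
    """
    findings = []
    for rec in records:
        if rec.get("eventSource") != "cloudtrail.amazonaws.com":
            continue
        name = rec.get("eventName")
        if name not in TAMPER_EVENTS:
            continue
        identity = rec.get("userIdentity", {})
        params = rec.get("requestParameters") or {}
        findings.append({
            "time": rec.get("eventTime"),
            "action": name,
            "reason": TAMPER_EVENTS[name],
            "trail": params.get("name"),
            "principal": identity.get("arn"),
            "source_ip": rec.get("sourceIPAddress"),
            "region": rec.get("awsRegion"),
            "succeeded": "errorCode" not in rec,
        })
    return findings


# Constructed sample log: one benign EC2 call, one successful StopLogging,
# one denied DeleteTrail. Account id, ARNs and IPs are placeholders.
SAMPLE_LOG = json.dumps({"Records": [
    {"eventTime": "2023-01-15T10:00:00Z", "eventSource": "ec2.amazonaws.com",
     "eventName": "DescribeInstances", "awsRegion": "us-east-1",
     "sourceIPAddress": "198.51.100.10",
     "userIdentity": {"arn": "arn:aws:iam::111122223333:user/ops"}},
    {"eventTime": "2023-01-15T10:05:12Z", "eventSource": "cloudtrail.amazonaws.com",
     "eventName": "StopLogging", "awsRegion": "us-east-1",
     "sourceIPAddress": "203.0.113.7",
     "userIdentity": {"arn": "arn:aws:sts::111122223333:assumed-role/node-role/i-0abc"},
     "requestParameters": {"name": "org-trail"}},
    {"eventTime": "2023-01-15T10:06:01Z", "eventSource": "cloudtrail.amazonaws.com",
     "eventName": "DeleteTrail", "awsRegion": "us-east-1",
     "sourceIPAddress": "203.0.113.7", "errorCode": "AccessDenied",
     "userIdentity": {"arn": "arn:aws:sts::111122223333:assumed-role/node-role/i-0abc"},
     "requestParameters": {"name": "org-trail"}},
]})


def scan_sample() -> List[Dict]:
    """Run the detector over the constructed sample log."""
    return find_cloudtrail_tampering(load_records(SAMPLE_LOG))


if __name__ == "__main__":
    for f in scan_sample():
        status = "OK" if f["succeeded"] else "DENIED"
        print(f"{f['time']} {status:6} {f['action']:18} trail={f['trail']} "
              f"by {f['principal']} from {f['source_ip']}: {f['reason']}")
```

In a real deployment the same logic sits behind an EventBridge rule or a SIEM query rather than a file scan, and the principal field is what matters most: a StopLogging call issued by a role normally attached to Kubernetes worker nodes, as in the scenario above, has no legitimate reason to exist.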
"They also attempted to pivot using a Terraform state file to other connected AWS accounts to spread their reach throughout the organization," the company said. This, however, proved to be unsuccessful due to lack of permissions.
The findings come weeks after Sysdig also detailed another cryptojacking campaign mounted by the 8220 Gang between November 2022 and January 2023 targeting exploitable Apache web server and Oracle WebLogic applications.