Scarleteel targets AWS Fargate and Kubernetes

Researchers have spotted a threat actor dubbed Scarleteel with new advanced capabilities that now let it target the container automation tool AWS Fargate, as well as launch DDoS-as-a-Service campaigns.

The attack showed that the threat actor had solid knowledge of AWS cloud mechanics including Elastic Compute Cloud roles, lambda serverless functions and Terraform, an open-source infrastructure as code tool that is able to automate operations on infrastructures on any kind of cloud solution.

Scarleteel launches attacks against targets in the cloud, including AWS and Kubernetes environments and aims to exploit open compute services and vulnerable applications and has continued its focus on monetary gain via cryptomining and also stealing intellectual property.

Along with stealing AWS credentials, the researchers said Scarleteel executed other attacks, including targeting Kubernetes using pen testing tools.

The threat actor also downloaded and executed Pandora, a malware tied to the Mirai botnet that primarily targets IoT devices connected to the internet and is responsible for many large DDoS attacks since 2016. The researchers tie the Pandora attack to a DDoS-as-a-Service campaign, where the attacker delivers DDoS capabilities for money.

AWS Fargate is a cloud-based serverless computing product that lets organizations execute tasks without spinning up full virtual machines, and since they are serverless, they don’t have any endpoint defenses, which makes them vulnerable to credentials compromises.

Mitigations

• Container images should always come from trusted sources and constantly updated with the latest security patches.
• Unnecessary services should always be disabled so the attack surface isn’t increased.
• AWS Identity and Access Management role permissions should be carefully checked. Privileges should also be minimized, and resource limitations should be enforced.
• Multifactor authentication should be deployed for connecting to AWS accounts
• Security scanning tools should be used to identify vulnerabilities and malware in container images.
• Precise inbound and outbound policies should be deployed to limit access to only necessary tasks. AWS CloudTrail logs should be analyzed for any suspicious activity.

The SCARLETEEL actors continue to operate against targets in the cloud, including AWS and Kubernetes. They have enhanced their toolkit to include multiple new tools and a new C2 infrastructure, making detection more difficult. Their preferred method of entry is the exploitation of open compute services and vulnerable applications. There is a continued focus on monetary gain via crypto mining, but as we saw in the previous report, intellectual property is still a priority.

Defending against a threat like SCARLETEEL requires multiple layers of defense. Runtime threat detection and response is critical to understanding when an attack has occurred, but with tools like vulnerability management, CSPM, and CIEM, these attacks could be prevented. Missing any of these layers could open up an organization to a significant financial risk.