Scarleteel 2.0, a new and sophisticated hacking operation, uses distinctive strategies to target current cloud environments and has compromised numerous organisations.
In its latest operations, the malware operators turned their tooling against Kubernetes containers hosted on AWS to steal critical proprietary information. The hackers then used the stolen credentials to execute AWS API calls and obtain further access to the targeted company’s cloud environment. A researcher also noted that the attackers had expanded their operations to target additional cloud infrastructure in their recent attacks.
The Scarleteel 2.0 operators took advantage of gaps in AWS policies to improve their chances of completing the campaign.
According to the investigation, the new Scarleteel 2.0 operations include a technique that lets the threat actors exploit a minor error in an AWS policy to escalate their privileges to admin and take over the Fargate account.
The researchers explained that the attackers exploited a single-character typo in an AWS policy to bypass security controls. The miscreants also abused Jupyter Notebook containers launched in Kubernetes, which allowed them to run a range of attacks aimed at stealing AWS credentials.
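A one-character mistake in an IAM policy is easy to miss by eye, so the kind of check a defender would want is a lint pass over policy documents before they are deployed. The following checker is an added example and is not code from the article or from the researchers' report; the sample policy and the typo in it (a missing colon in an S3 ARN, which leaves the Deny statement matching no real resource) are constructed for illustration and are not the policy from the incident.

```python
import json

# Constructed sample policy (hypothetical; NOT the policy from the Scarleteel report).
# Statement 1 is meant to deny access to a secrets prefix, but its ARN is missing
# one colon: an S3 ARN is "arn:aws:s3:::bucket/key", with three consecutive colons.
# A Deny whose Resource matches nothing restricts nothing.
# Statement 2 is a catch-all Allow that grants full admin rights.
SAMPLE_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": [
        {"Effect": "Allow", "Action": "s3:GetObject",
         "Resource": "arn:aws:s3:::app-logs/*"},
        {"Effect": "Deny", "Action": "s3:*",
         "Resource": "arn:aws:s3::app-secrets/*"},
        {"Effect": "Allow", "Action": "*", "Resource": "*"},
    ],
})


def _as_list(value):
    """IAM allows a string or a list in Statement/Action/Resource; normalise to a list."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def arn_problem(arn):
    """Return a description if the ARN is malformed, otherwise None.

    A resource ARN has six colon-separated fields:
    arn:partition:service:region:account:resource (the resource field may
    itself contain colons, so only the first five colons are significant).
    """
    if arn == "*":
        return None
    parts = arn.split(":", 5)
    if not arn.startswith("arn:") or len(parts) != 6:
        return "expected 6 colon-separated fields, got %d" % len(parts)
    return None


def lint_policy(policy):
    """Lint an IAM policy (JSON string or already-parsed dict).

    Returns a list of findings, each a dict with the statement index,
    a 'kind' and a human-readable 'detail'.
    """
    if isinstance(policy, str):
        policy = json.loads(policy)
    findings = []
    for idx, stmt in enumerate(_as_list(policy.get("Statement"))):
        effect = stmt.get("Effect")
        actions = _as_list(stmt.get("Action"))
        resources = _as_list(stmt.get("Resource"))

        # 1. Malformed ARNs. For a Deny this is the dangerous case: the
        #    guardrail silently applies to nothing.
        for res in resources:
            problem = arn_problem(res)
            if problem:
                note = " (Deny matches no resource, so it is ineffective)" if effect == "Deny" else ""
                findings.append({"statement": idx, "kind": "malformed_arn",
                                 "detail": "%s: %s%s" % (res, problem, note)})

        # 2. Full-admin grants.
        if effect == "Allow" and "*" in actions and "*" in resources:
            findings.append({"statement": idx, "kind": "full_admin",
                             "detail": "Allow on Action * and Resource *"})

        # 3. Action service prefix that does not match the ARN's service
        #    (a typical symptom of a copy-paste or typo error).
        for act in actions:
            if act == "*" or ":" not in act:
                continue
            act_service = act.split(":", 1)[0].lower()
            for res in resources:
                if res == "*" or arn_problem(res):
                    continue
                arn_service = res.split(":", 5)[2].lower()
                if arn_service != act_service:
                    findings.append({"statement": idx, "kind": "service_mismatch",
                                     "detail": "action %s vs resource %s" % (act, res)})
    return findings


if __name__ == "__main__":
    for finding in lint_policy(SAMPLE_POLICY):
        print("statement %(statement)d [%(kind)s]: %(detail)s" % finding)
```

Run against the sample policy, the checker reports the malformed Deny resource in statement 1 and the full-admin grant in statement 2; the well-formed statement 0 produces no finding. Wiring a check like this into the pipeline that deploys IAM policies (or into a pre-commit hook for infrastructure-as-code) catches the typo before an attacker can benefit from it.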
Furthermore, new details about the operation revealed new tactics and capabilities. Scarleteel 2.0 utilised an information-stealing script that could extract data from a Fargate-hosted container.
Other versions of the script attempted to abuse IMDSv2 to retrieve tokens that an actor could then use to harvest AWS credentials. The operation’s command-and-control infrastructure has also changed in several ways, including the public services used to send and retrieve information.
The attackers also used tools such as Peirates, Pacu, and the AWS CLI to exploit Kubernetes and AWS containers for further campaigns. Lastly, the AWS CLI could be used to download and execute Pandora, a variant of the Mirai botnet capable of launching DDoS attacks from cloud environments.
Organisations should deploy multiple layers of defence, since the Scarleteel operators continue to upgrade their toolkit to target cloud infrastructure. Finally, experts explained that the attackers’ preferred entry method is the exploitation of cloud services and their vulnerabilities.
Users should therefore harden their cloud environments and apply security patches to vulnerable machines.