Researchers have observed the financially motivated threat actor ScarletEel infiltrating Amazon Web Services (AWS) to steal credentials and intellectual property, plant crypto mining software, perform distributed denial-of-service (DDoS) attacks, and more.
The threat actor was first revealed in a February blog post from cloud security firm Sysdig. The group is very clearly savvy with AWS tools, injecting itself into a cloud environment and using native AWS functionality to move laterally with ease. And with the right kind of access, it is known to perform a double whammy: planting cryptomining software while also stealing intellectual property.
ScarletEel also continues to refine its tactics, according to the latest analysis from the firm — evading cloud security detection mechanisms and reaching into the little-touched AWS Fargate compute engine. And it has expanded its arsenal by adding DDoS-as-a-service to its list of exploitation techniques.
“So, compared to their prior activity, we see that they’re more aware of the victim environment, and they enhanced their abilities in terms of where to go, how to exploit it, and how to evade the defensive security measures that the customers have already begun to implement,” says Alessandro Brucato, threat research engineer for Sysdig.
Using Every Part of the Animal
ScarletEel began its latest intrusion by exploiting Jupyter notebook containers in a Kubernetes cluster. Then the attackers ran scripts to look for AWS credentials they could send back to their command-and-control (C2) server. Instead of using command line tools, the scripts used built-in shell commands. “This is a more stealthy way to exfiltrate data as curl and wget are not used, which many tools specifically monitor for,” the researchers pointed out.
ScarletEel also utilized Pacu, an open source pentesting tool for AWS, to reveal opportunities for privilege escalation in the victim’s account. In parallel it used Peirates, an equivalent tool for exploring and exploiting a victim’s Kubernetes environment.
To mask their activity, the hackers came up with a clever defense mechanism.
“Instead of dealing with AWS directly, they were actually using a Russian server that supports the AWS protocol,” explains Michael Clark, director of threat research for Sysdig. Living off the land with native AWS commands masked the maliciousness of the activity. Meanwhile, it wasn’t logged to the victim’s AWS CloudTrail logs, because it all happened on the Russian site.
As Sysdig noted in February, ScarletEel’s primary aims are to steal proprietary software and perform cryptojacking.
In its most recent campaign, the hackers dropped 42 instances of cryptominers via a compromised account. That made enough noise that they were quickly detected and snuffed out, but the attackers weren’t spooked. Even after being caught, they attempted to use other new and compromised accounts, but failed due to a lack of privileges.
The researchers estimated that, if the attack were allowed to continue unabated, it would have returned about $4,000 worth of cryptomining rewards daily.
On top of IP theft and cryptojacking, the group also planted malware belonging to the Mirai botnet family called “Pandora.” The researchers speculated that the attackers would use Pandora-infected devices as part of a separate, wider DDoS-as-a-service campaign.
Lack of Fargate Expertise Impedes Defense
Run-of-the-mill cloud security can fall short against an attacker so comfortable in these environments. For example, in its most recent activity, ScarletEel’s enhanced powers allowed it to reach into Fargate, AWS’s platform for running serverless containers.
Fargate is largely uncharted territory for hackers and defenders alike since, Clark explains, it “isn’t often publicly accessible. It’s used for a lot of back-end and internal purposes, and that means people don’t really think of it as part of their attack surface.”
He adds, “But like we saw in this attack, they ended up on the Fargate system, and they grabbed its credentials. So they’re definitely aware of the opportunities there, and it’s only a matter of time before they get on it.”
To harden against an entity like ScarletEel, Brucato explains, “you first have to implement some measures to prevent attackers from entering your environment. But if they manage to do it anyway — because now they’re getting more and more sophisticated — you also have to implement effective runtime security.” Clark emphasizes the value of effective cloud security posture management (CSPM) and cloud infrastructure entitlement management (CIEM).
“It’s not enough to be protected in one way because the attackers today are really aware,” Brucato concludes. “They can exploit any detail.”