A new advanced hacking operation, dubbed SCARLETEEL, has been found targeting self-managed Kubernetes clusters hosted on AWS to steal sensitive proprietary data, while disguising the intrusion as a run-of-the-mill cryptojacking campaign.
Stealing data through advanced cloud skills
According to Sysdig, the attack begins with the hackers exploiting a vulnerable public-facing service in a self-managed Kubernetes cluster hosted on AWS.
- Once the attackers have a foothold inside the container, they download an XMRig coin miner together with a script that extracts account credentials from the Kubernetes pod.
- The coin miner serves mainly as a decoy: in parallel, the attackers use their knowledge of AWS cloud mechanics to burrow further into the company’s cloud infrastructure.
- The attackers use the stolen credentials to make AWS API calls that establish persistence, either by stealing further credentials or by creating backdoor accounts in the company’s cloud environment.
- These backdoor accounts are used to spread further through the cloud environment.
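The chain described above leaves a recognisable trace in CloudTrail: a role that normally only serves Kubernetes nodes or pods suddenly starts reading secrets and minting IAM users or access keys. The following detection script is an added example written for this article, not Sysdig's code or anything recovered from the campaign. It assumes the defender knows which IAM role names are attached to cluster workloads (the `WORKLOAD_ROLES` set, here the hypothetical `eks-node-role`), and it runs over a handful of constructed CloudTrail-style records embedded inline, using only the standard CloudTrail field names (`userIdentity`, `sessionContext.sessionIssuer.userName`, `eventSource`, `eventName`).

```python
"""Flag CloudTrail calls in which a Kubernetes workload role harvests
credentials or creates a backdoor principal.  Added example; the API groupings
below are a defensive choice made for this illustration, not an exhaustive list."""
from collections import defaultdict

# Calls that read or mint credentials from an already-compromised role session.
HARVEST_APIS = {
    ("secretsmanager.amazonaws.com", "GetSecretValue"),
    ("ssm.amazonaws.com", "GetParameter"),
    ("ssm.amazonaws.com", "GetParameters"),
    ("iam.amazonaws.com", "CreateAccessKey"),
}
# Calls that create a foothold which survives the loss of the original pod.
BACKDOOR_APIS = {
    ("iam.amazonaws.com", "CreateUser"),
    ("iam.amazonaws.com", "CreateLoginProfile"),
    ("iam.amazonaws.com", "AttachUserPolicy"),
    ("iam.amazonaws.com", "PutUserPolicy"),
    ("iam.amazonaws.com", "CreateRole"),
    ("iam.amazonaws.com", "UpdateAssumeRolePolicy"),
    ("iam.amazonaws.com", "AttachRolePolicy"),
}

# Assumption: the role names a defender knows are attached to nodes or pods.
WORKLOAD_ROLES = {"eks-node-role"}


def issuing_role(event):
    """Return the IAM role name behind an AssumedRole session, else None.

    Credentials taken from a pod (instance profile via IMDS or an IRSA token)
    always show up in CloudTrail as type "AssumedRole" with the role name in
    sessionContext.sessionIssuer.userName."""
    ident = event.get("userIdentity", {})
    if ident.get("type") != "AssumedRole":
        return None
    return ident.get("sessionContext", {}).get("sessionIssuer", {}).get("userName")


def classify(event, workload_roles):
    """Return "harvest", "backdoor" or None for a single CloudTrail record."""
    if issuing_role(event) not in workload_roles:
        return None
    key = (event.get("eventSource"), event.get("eventName"))
    if key in BACKDOOR_APIS:
        return "backdoor"
    if key in HARVEST_APIS:
        return "harvest"
    return None


def detect(events, workload_roles):
    """Return (alerts, tally): one alert per suspicious call plus a per-role count."""
    alerts = []
    tally = defaultdict(lambda: {"harvest": 0, "backdoor": 0})
    for ev in events:
        kind = classify(ev, workload_roles)
        if kind is None:
            continue
        role = issuing_role(ev)
        tally[role][kind] += 1
        alerts.append({
            "time": ev.get("eventTime"),
            "role": role,
            "kind": kind,
            "call": ev.get("eventName"),
            "source_ip": ev.get("sourceIPAddress"),
        })
    return alerts, dict(tally)


def _assumed(role, source, name, time):
    """Build a constructed CloudTrail record for an AssumedRole session."""
    return {
        "eventTime": time, "eventSource": source, "eventName": name,
        "sourceIPAddress": "203.0.113.10",
        "userIdentity": {
            "type": "AssumedRole",
            "arn": f"arn:aws:sts::123456789012:assumed-role/{role}/i-0123456789abcdef0",
            "sessionContext": {"sessionIssuer": {"type": "Role", "userName": role}},
        },
    }


# Constructed sample log: one benign node call, three hostile ones, one admin action.
SAMPLE_EVENTS = [
    _assumed("eks-node-role", "ec2.amazonaws.com", "DescribeInstances", "2023-02-01T10:00:00Z"),
    _assumed("eks-node-role", "secretsmanager.amazonaws.com", "GetSecretValue", "2023-02-01T10:02:11Z"),
    _assumed("eks-node-role", "iam.amazonaws.com", "CreateUser", "2023-02-01T10:03:40Z"),
    _assumed("eks-node-role", "iam.amazonaws.com", "CreateAccessKey", "2023-02-01T10:03:42Z"),
    {   # A human administrator creating a user is not a workload-role anomaly.
        "eventTime": "2023-02-01T11:00:00Z", "eventSource": "iam.amazonaws.com",
        "eventName": "CreateUser", "sourceIPAddress": "198.51.100.7",
        "userIdentity": {"type": "IAMUser", "userName": "alice"},
    },
]

if __name__ == "__main__":
    found, counts = detect(SAMPLE_EVENTS, WORKLOAD_ROLES)
    for a in found:
        print(f"{a['time']} {a['role']} {a['kind']:8} {a['call']} from {a['source_ip']}")
    print(counts)
```

In production the same logic would be fed from CloudTrail Lake, Athena over the S3 trail, or a SIEM rather than the inline list; the important design choice is keying on the session issuer rather than on the API name alone, since `CreateUser` from an administrator is routine while `CreateUser` from a node role is almost never legitimate.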