SCARLETEEL hackers continue to attack cloud environments, unwilling to change the vector of their activities. Now attackers are targeting Fargateone of the services Amazon Web Services (AWS).

“Cloud environments are still their primary target, but the tools and methods they use have adapted to bypass new security measures and are more resilient and invisible,” he said. recent report Alessandro Brucato, security researcher from the company Sysdig.

Malicious operation SCARLETEEL for the first time was disclosed by Sysdig in February 2023. Then they described a complex chain of attacks that ended with the theft of confidential data from the AWS infrastructure and the deployment of cryptominers to illegally use the resources of infected systems.

March Analysis companies Cado Security identified possible links between SCARLETEEL and famous by the TeamTNT cryptojacking group, although Sysdig reported that someone could simply copy their methodology and attack models.

SCARLETEEL’s latest identified activity continues the attacker’s fascination with AWS accounts, which they attack through vulnerable web applications in order to gain permanent access, steal intellectual property, and potentially earn up to $4,000 a day using cryptominers exploiting Amazon’s high-performance servers.

“The attackers discovered and exploited a bug in AWS policy that allowed them to escalate their privileges to administrator access and take full control of the account,” Brucato explained.

The attack chain starts with hackers exploiting containers Jupyter Notebookdeployed in the cluster Kubernetes, using the initial access for reconnaissance of the target network. Along the way, attackers collect AWS credentials to gain deeper access to the victim’s environment.

This is followed by installation of the AWS command line and framework Pacu for subsequent attacks. The attack also stands out for its use of various scripts to extract AWS credentials, some of which target instances of the AWS Fargate compute engine.

Other steps taken by the attackers include using a Kubernetes penetration testing tool called Peirates to exploit the container management system, as well as malware DDoS–botnet called Pandora, indicating further attempts by cybercriminals to monetize the hacked host.

“SCARLETEEL actors continue to act against targets in the cloud, including AWS and Kubernetes. Their preferred entry method is to exploit open computing services and vulnerable applications. They still focus on making a profit through cryptomining, but their priority is still the theft of victims’ intellectual property, ”concluded the Sysdig expert.