SCARLETEEL hackers steal company source code and data from Amazon cloud
Highly skilled attackers abuse AWS APIs to steal sensitive data.
An advanced campaign called "SCARLETEEL" targets public-facing web applications running in containers, uses them to infiltrate cloud services, and steals sensitive data.
SCARLETEEL was discovered by the cybersecurity company Sysdig while responding to an incident in the cloud environment of one of its customers.
The SCARLETEEL campaign started with the attackers exploiting a vulnerable public-facing service on a Kubernetes cluster hosted on Amazon Web Services (AWS). As soon as they gained access to the container, they downloaded the XMRig cryptominer, which the researchers believe was a decoy, and a script that extracts credentials from the Kubernetes pod.
The stolen credentials were then used to make AWS API calls that establish persistence, either by stealing additional credentials or by creating backdoor users and groups in the company's cloud environment. These accounts were then used to spread further through the cloud environment.
SCARLETEEL attack chain
Depending on the permissions of the role attached to the AWS cluster, the attackers could also obtain information about Lambda functions: the functions themselves, their configurations, and access keys.
The attacker then used the Lambda functions to enumerate and extract all proprietary code and software, along with the functions' execution keys and environment variables. This allowed the attacker to find the credentials of an IAM user (an identity that a person or application uses to interact with AWS resources) and use them for subsequent enumeration and privilege escalation steps.
This step also included enumerating Amazon S3 (Simple Storage Service) buckets. Files stored in buckets can contain data valuable to attackers, such as credentials.
During the attack, the attacker stole over 1 TB of data, including customer scripts, troubleshooting tools, and Terraform log files that the account used to deploy part of its infrastructure. To cover their tracks, the attacker attempted to disable CloudTrail logging in the compromised AWS account, which hampered the investigation of the incident.
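Every step described above (credential reuse from the cluster role, backdoor users and keys, Lambda and S3 enumeration, the attempt to stop CloudTrail) leaves a CloudTrail record, so it can be caught with a few rules over those records. The following detection rules are an added example written for this page, not Sysdig's code; the node role name `eks-node-role`, the egress address `203.0.113.10`, the alert threshold and every sample record are constructed assumptions rather than data from the incident.

```python
"""Detection rules for the SCARLETEEL pattern, run over CloudTrail records."""
import json
from collections import Counter

# IAM calls that create new principals or credentials (backdoor users/keys).
PERSISTENCE_EVENTS = {
    "CreateUser", "CreateAccessKey", "CreateLoginProfile", "AttachUserPolicy",
    "PutUserPolicy", "CreateGroup", "AddUserToGroup", "AttachGroupPolicy",
}
# Calls that stop or degrade CloudTrail logging.
ANTI_FORENSICS_EVENTS = {"StopLogging", "DeleteTrail", "UpdateTrail", "PutEventSelectors"}
# Discovery calls seen during the Lambda / S3 / IAM enumeration phase.
ENUMERATION_EVENTS = {
    "GetCallerIdentity", "ListFunctions", "GetFunction", "GetFunctionConfiguration",
    "ListBuckets", "ListObjects", "GetObject", "ListUsers", "ListRoles",
}

# Assumptions for this example: the cluster's node role name and the public
# egress address the cluster normally calls AWS from.
NODE_ROLE_MARKER = "eks-node-role"
EXPECTED_EGRESS_IPS = {"203.0.113.10"}


def load_records(cloudtrail_json):
    """Parse the text of a CloudTrail log file, which is {"Records": [...]}."""
    return json.loads(cloudtrail_json)["Records"]


def detect(records, expected_egress_ips, node_role_marker, enum_threshold=4):
    """Return alerts as (rule, principal_arn, detail) tuples."""
    alerts = []
    discovery_calls = Counter()
    for rec in records:
        event = rec.get("eventName", "")
        identity = rec.get("userIdentity", {})
        principal = identity.get("arn", "unknown")
        source_ip = rec.get("sourceIPAddress", "")

        # Rule 1: credentials stolen from a pod are replayed from the attacker's
        # own host, so the node role shows up from an address the cluster never uses.
        if (identity.get("type") == "AssumedRole" and node_role_marker in principal
                and source_ip not in expected_egress_ips):
            alerts.append(("credential_use_outside_cluster", principal, f"{event} from {source_ip}"))

        # Rule 2: new users, keys or group memberships are persistence.
        if event in PERSISTENCE_EVENTS:
            alerts.append(("iam_persistence", principal, event))

        # Rule 3: any attempt to stop or reconfigure CloudTrail.
        if event in ANTI_FORENSICS_EVENTS:
            alerts.append(("cloudtrail_tampering", principal, event))

        # Rule 4: count discovery calls per principal; a burst is enumeration.
        if event in ENUMERATION_EVENTS:
            discovery_calls[principal] += 1

    for principal, n in discovery_calls.items():
        if n >= enum_threshold:
            alerts.append(("enumeration_burst", principal, f"{n} discovery calls"))
    return alerts


def _rec(event, source, arn, ip, id_type="AssumedRole"):
    """Build a minimal CloudTrail record (constructed sample data)."""
    return {"eventTime": "2023-02-01T10:00:00Z", "eventSource": source, "eventName": event,
            "sourceIPAddress": ip, "userIdentity": {"type": id_type, "arn": arn}}


NODE = "arn:aws:sts::111122223333:assumed-role/eks-node-role/i-0abc123"
USER = "arn:aws:iam::111122223333:user/svc-deploy"
CI = "arn:aws:sts::111122223333:assumed-role/ci-role/build"
ATTACKER_IP = "198.51.100.7"

# Constructed records mirroring the attack chain; the last one is benign noise.
SAMPLE_RECORDS = [
    _rec("GetCallerIdentity", "sts.amazonaws.com", NODE, "203.0.113.10"),
    _rec("ListFunctions", "lambda.amazonaws.com", NODE, ATTACKER_IP),
    _rec("GetFunction", "lambda.amazonaws.com", NODE, ATTACKER_IP),
    _rec("GetFunction", "lambda.amazonaws.com", NODE, ATTACKER_IP),
    _rec("ListBuckets", "s3.amazonaws.com", NODE, ATTACKER_IP),
    _rec("GetObject", "s3.amazonaws.com", NODE, ATTACKER_IP),
    _rec("CreateUser", "iam.amazonaws.com", USER, ATTACKER_IP, "IAMUser"),
    _rec("CreateAccessKey", "iam.amazonaws.com", USER, ATTACKER_IP, "IAMUser"),
    _rec("StopLogging", "cloudtrail.amazonaws.com", USER, ATTACKER_IP, "IAMUser"),
    _rec("PutObject", "s3.amazonaws.com", CI, "203.0.113.10"),
]

if __name__ == "__main__":
    for alert in detect(SAMPLE_RECORDS, EXPECTED_EGRESS_IPS, NODE_ROLE_MARKER):
        print(*alert, sep="\t")
```

On the constructed records the rules fire nine times: five for the node role calling AWS from the attacker's address, two for the backdoor user and key, one for `StopLogging`, and one enumeration burst. The CloudTrail-tampering rule is the one to wire to a paging alert: it fires before logging actually stops, and it is exactly the event an attacker hopes nobody is watching.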
The attacker also obtained Terraform state files from S3 buckets. These contained an IAM user's access key ID and secret access key for a second AWS account, which was then used for lateral movement across the organization's cloud environment.
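Terraform writes the attributes of every resource it manages into its state file in plaintext, so a state file that creates an IAM access key or a database instance carries the resulting secret with it. The scanner below is an added example for this page, not Sysdig's or HashiCorp's code; the state document it scans is constructed, and the access key pair in it is the placeholder pair from AWS's own documentation, not a real credential.

```python
"""Find plaintext secrets in a Terraform state file (tfstate version 4 layout)."""
import json
import re

# Long-term (AKIA) and temporary (ASIA) AWS access key IDs.
ACCESS_KEY_ID_RE = re.compile(r"\b(?:AKIA|ASIA)[0-9A-Z]{16}\b")
# Attribute names that conventionally hold a secret value.
SENSITIVE_KEY_RE = re.compile(r"secret|password|passwd|token|private_key|credential", re.IGNORECASE)


def scan_tfstate(text):
    """Return (path, reason) findings for every secret-looking value in the state."""
    state = json.loads(text)
    findings = []
    for res in state.get("resources", []):
        addr = f"{res.get('type')}.{res.get('name')}"
        for i, inst in enumerate(res.get("instances", [])):
            _walk(inst.get("attributes", {}), f"{addr}[{i}]", findings)
    # Outputs marked sensitive=true are hidden in CLI output only; the state keeps them.
    for name, out in state.get("outputs", {}).items():
        _walk({name: out.get("value")}, "output", findings)
    return findings


def _walk(node, path, findings):
    """Recursive walk: flag sensitive attribute names and access-key-shaped strings."""
    if isinstance(node, dict):
        for key, value in node.items():
            child = f"{path}.{key}"
            if isinstance(value, str) and value and SENSITIVE_KEY_RE.search(key):
                findings.append((child, "sensitive attribute name"))
            _walk(value, child, findings)
    elif isinstance(node, list):
        for i, value in enumerate(node):
            _walk(value, f"{path}[{i}]", findings)
    elif isinstance(node, str) and ACCESS_KEY_ID_RE.search(node):
        findings.append((path, "AWS access key id"))


# Constructed state file; the key pair is AWS's documented example pair.
SAMPLE_STATE = json.dumps({
    "version": 4,
    "terraform_version": "1.5.0",
    "outputs": {
        "db_password": {"value": "Tr0ub4dor&3", "type": "string", "sensitive": True},
        "bucket_name": {"value": "acme-app-assets", "type": "string"},
    },
    "resources": [
        {"mode": "managed", "type": "aws_iam_access_key", "name": "deploy",
         "instances": [{"attributes": {
             "id": "AKIAIOSFODNN7EXAMPLE",
             "secret": "wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY",
             "status": "Active", "user": "deploy"}}]},
        {"mode": "managed", "type": "aws_db_instance", "name": "app",
         "instances": [{"attributes": {
             "address": "app.cluster-abc.us-east-1.rds.amazonaws.com",
             "username": "app", "password": "Tr0ub4dor&3", "engine": "postgres"}}]},
        {"mode": "managed", "type": "aws_s3_bucket", "name": "assets",
         "instances": [{"attributes": {
             "bucket": "acme-app-assets",
             "arn": "arn:aws:s3:::acme-app-assets", "tags": {"env": "prod"}}}]},
    ],
})

if __name__ == "__main__":
    for path, reason in scan_tfstate(SAMPLE_STATE):
        print(f"{reason:24s} {path}")
```

The scan reports four findings in the sample: the access key ID and secret of the `aws_iam_access_key` resource, the database password, and the same password again as an output. Scanning is a backstop; the durable fix is to keep state out of reach in the first place (a remote backend in an encrypted bucket that only the deployment role can read, and no `aws_iam_access_key` resources, so long-lived keys never enter state at all).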
As businesses increasingly rely on cloud services to host their infrastructure and data, attackers are shifting their efforts to the cloud as well. SCARLETEEL shows that a single vulnerable service in an organization's cloud environment can be enough for attackers to infiltrate the network and steal sensitive data.
In addition to the specific hardening measures it proposed, Sysdig recommended implementing comprehensive detection and alerting that gives early warning of malicious activity, even when attackers evade preventive defenses.