Scarleteel, a threat group first reported on in February, has many new advanced capabilities that now let it target the container automation tool AWS Fargate, as well as launch DDoS-as-a-Service campaigns.
In a blog post July 11, the Sysdig Threat Research Team said Scarleteel continues to launch attacks against targets in the cloud, including AWS and Kubernetes environments. The group aims to exploit open compute services and vulnerable applications and has continued its focus on monetary gain via cryptomining and also stealing intellectual property.
The researchers also pointed out that Scarleteel was observed using an AWS client to connect to Russian systems compatible with Amazon's S3 protocol.
Along with stealing AWS credentials, the researchers said Scarleteel executed other attacks, including targeting Kubernetes. For example, they leveraged the Kubernetes pen testing tool peirates to further exploit Kubernetes environments.
The threat actor also downloaded and executed Pandora, malware tied to the Mirai botnet, which primarily targets internet-connected IoT devices and has been responsible for many large DDoS attacks since 2016. The researchers tie the Pandora activity to a DDoS-as-a-Service campaign, in which the attacker delivers DDoS capabilities for money.
AWS now offers Fargate as a cloud-based serverless computing product that lets organizations execute tasks without spinning up full virtual machines, explained John Bambenek, principal threat hunter at Netenrich. Bambenek said that unfortunately, serverless applications by definition do not have endpoint defenses, and that how to secure them properly has opened up an entirely new area.
“A simple, yet costly attack is to compromise credentials to the cloud account and spin up resources to mine cryptocurrency,” said Bambenek. “Since the attacker doesn’t pay the bill, the attack is 100% profitable.”
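As an added illustration of how a defender might spot the credential-abuse pattern Bambenek describes (this code is not from the article or the Sysdig report), the following Python scans CloudTrail-style records for compute launches such as Fargate RunTask or EC2 RunInstances issued by a principal from a source IP outside its known baseline. The ARNs, IPs and event records are constructed, and the requestParameters.launchType field is assumed to carry the ECS launch type.

```python
"""Flag compute launches by an IAM principal from an IP it has never used before,
the footprint left when a stolen key is used to spin up resources for mining."""

# API calls that create billable compute; a stolen key used for mining needs one of these.
COMPUTE_LAUNCH_EVENTS = {
    ("ecs.amazonaws.com", "RunTask"),          # Fargate tasks launch through ECS RunTask
    ("ec2.amazonaws.com", "RunInstances"),
    ("lambda.amazonaws.com", "CreateFunction"),
}


def find_suspicious_launches(records, baseline_ips):
    """Return (principal_arn, eventName, sourceIPAddress, launchType) for every compute
    launch whose source IP is not in that principal's baseline set of IPs."""
    hits = []
    for rec in records:
        principal = rec.get("userIdentity", {}).get("arn", "<unknown>")
        ip = rec.get("sourceIPAddress", "")
        key = (rec.get("eventSource"), rec.get("eventName"))
        if key in COMPUTE_LAUNCH_EVENTS and ip not in baseline_ips.get(principal, set()):
            # launchType is assumed to be an ECS RunTask request parameter; "FARGATE"
            # marks the serverless launch path the article discusses (absent for EC2).
            launch_type = rec.get("requestParameters", {}).get("launchType", "-")
            hits.append((principal, rec["eventName"], ip, launch_type))
    return hits


# Constructed sample events (hypothetical ARNs, IPs and times; not real telemetry).
DEPLOYER = "arn:aws:iam::111122223333:user/ci-deployer"
SAMPLE_EVENTS = [
    {"eventTime": "2023-07-01T08:00:00Z", "eventSource": "ecs.amazonaws.com", "eventName": "RunTask",
     "sourceIPAddress": "203.0.113.10", "userIdentity": {"arn": DEPLOYER},
     "requestParameters": {"launchType": "FARGATE", "count": 1}},
    {"eventTime": "2023-07-01T08:05:00Z", "eventSource": "s3.amazonaws.com", "eventName": "ListBuckets",
     "sourceIPAddress": "198.51.100.7", "userIdentity": {"arn": DEPLOYER}},
    {"eventTime": "2023-07-01T08:06:00Z", "eventSource": "ecs.amazonaws.com", "eventName": "RunTask",
     "sourceIPAddress": "198.51.100.7", "userIdentity": {"arn": DEPLOYER},
     "requestParameters": {"launchType": "FARGATE", "count": 20}},
    {"eventTime": "2023-07-01T08:07:00Z", "eventSource": "ec2.amazonaws.com", "eventName": "RunInstances",
     "sourceIPAddress": "198.51.100.7", "userIdentity": {"arn": DEPLOYER}},
]
# IPs each principal was seen from during a learning period (constructed).
BASELINE = {DEPLOYER: {"203.0.113.10"}}

if __name__ == "__main__":
    for hit in find_suspicious_launches(SAMPLE_EVENTS, BASELINE):
        print("ALERT compute launch from unbaselined IP:", hit)
```

The first RunTask from the baselined IP is silent; the burst of Fargate tasks and the EC2 launch from the new IP are the two alerts.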
Mike Parkin, senior technical engineer at Vulcan Cyber, said while security pros should expect more security from Fargate than with a typical virtual server deployment, threat actors are constantly improving their tools and techniques.
“This means they often find ways to bypass new security measures,” said Parkin. “In this case, the attackers were able to leverage existing AWS functionality to ‘live-off-the-land,’ and they abused otherwise legitimate penetration testing tools to further their aims. The interesting part is their apparent use of a Russian server that supports the AWS protocols to mask their activity. Another takeaway is their use of compromised accounts, which just reinforces the need for more robust authentication.”