Scarleteel, an advanced hacking operation discovered by cybersecurity intelligence firm Sysdig in February, has entered phase two with evolved infection and exfiltration tactics.
In its most recent activity, as described by Sysdig's researchers, the operation targeted cloud environments with tools and techniques adapted to bypass newer security measures, backed by a more resilient and stealthy command-and-control architecture.
“The combination of automation and manual review of the collected data makes this attacker a more dangerous threat,” the Sysdig report said. “It isn’t just nuisance malware, like a crypto miner is often thought of, as they are looking at as much of the target environment as they can.”
Recent Scarleteel activity has targeted environments such as AWS Fargate and Kubernetes, marking a clear evolution from crypto mining alone to broader objectives such as the theft of intellectual property.
Minor policy mistake opens up Fargate, Kubernetes
In its recent attack, Scarleteel exploited a minor mistake in an AWS IAM policy to escalate privileges to administrator access and gain control over the victim's Fargate account, and used that foothold to go after Kubernetes as well.
“The customer made an error that allowed the attackers to bypass one of their policies because of a single character typo,” said Alessandro Brucato, threat research engineer at Sysdig. “Specifically, this policy prevented attackers from taking over every user containing ‘admin’ in their username. But the field used in the policy is case-sensitive.”
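The bypass Brucato describes comes down to operator semantics: in AWS IAM, StringLike and StringNotLike give you wildcards but match case-sensitively, StringEqualsIgnoreCase ignores case but offers no wildcards, and there is no case-insensitive wildcard operator. The following toy evaluator, added here to illustrate the point, is not Sysdig's code, not AWS's policy engine, and not the customer's actual policy; the article does not say which field the policy keyed on, so the condition key `user_name`, the policy, and the target user names below are all constructed. It shows a "deny anything containing admin" rule letting `Admin` through, then one way to close the gap when only case-sensitive wildcards are available: enumerate every case spelling of the word.

```python
"""Added example: why a case-sensitive "deny *admin*" rule can be bypassed.

Toy evaluator for the Deny half of an IAM-style policy. NOT Sysdig's code and
NOT AWS's evaluation engine; only the operator semantics modelled here are real:
StringLike/StringNotLike are case-sensitive wildcard matches ('*' and '?'),
StringEquals is case-sensitive, StringEqualsIgnoreCase is not, and IAM has no
case-insensitive wildcard operator. The policy, the condition key "user_name"
and the request contexts are constructed for illustration (assumptions).
"""
import fnmatch
import itertools
from typing import Any, Dict, Iterable, List


def _as_list(v: Any) -> List[str]:
    return v if isinstance(v, list) else [v]


def _string_match(op: str, pattern: str, value: str) -> bool:
    """Semantics of the IAM string condition operators this toy supports."""
    if op == "StringLike":
        return fnmatch.fnmatchcase(value, pattern)   # case-sensitive, wildcards
    if op == "StringNotLike":
        return not fnmatch.fnmatchcase(value, pattern)
    if op == "StringEquals":
        return value == pattern
    if op == "StringEqualsIgnoreCase":
        return value.lower() == pattern.lower()      # exact match, no wildcards
    raise ValueError(f"unsupported operator {op}")


def condition_matches(condition: Dict[str, Dict[str, Any]],
                      context: Dict[str, str]) -> bool:
    """Every operator/key block must match; several patterns for one key are OR'ed."""
    for op, keys in condition.items():
        for key, patterns in keys.items():
            if key not in context:
                return False
            if not any(_string_match(op, p, context[key]) for p in _as_list(patterns)):
                return False
    return True


def is_denied(policy: Dict[str, Any], action: str, context: Dict[str, str]) -> bool:
    """True if any Deny statement covers `action` and its Condition matches."""
    for stmt in policy["Statement"]:
        if stmt.get("Effect") != "Deny":
            continue
        if not any(fnmatch.fnmatchcase(action, a) for a in _as_list(stmt["Action"])):
            continue
        if condition_matches(stmt.get("Condition", {}), context):
            return True
    return False


# Constructed policy modelled on the one described in the article: block
# credential takeover of any user whose name contains "admin".
WEAK_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{
        "Effect": "Deny",
        "Action": ["iam:CreateAccessKey", "iam:UpdateLoginProfile",
                   "iam:CreateLoginProfile"],
        "Resource": "*",
        "Condition": {"StringLike": {"user_name": "*admin*"}},
    }],
}


def case_variants(word: str) -> List[str]:
    """All upper/lower spellings of `word`: admin, Admin, ADMIN, aDmIn, ..."""
    pairs = [(ch.lower(), ch.upper()) for ch in word]
    return sorted({"".join(c) for c in itertools.product(*pairs)})


def hardened_policy(word: str = "admin") -> Dict[str, Any]:
    """Same Deny, with a StringLike pattern for every case spelling of `word`.

    Enumerating variants is one way to get case-insensitive wildcard matching
    out of operators that only offer case-sensitive wildcards.
    """
    stmt = dict(WEAK_POLICY["Statement"][0])  # shallow copy; Condition replaced below
    stmt["Condition"] = {"StringLike": {"user_name": [f"*{v}*" for v in case_variants(word)]}}
    return {"Version": "2012-10-17", "Statement": [stmt]}


def check(policy: Dict[str, Any], names: Iterable[str]) -> Dict[str, bool]:
    """Map each target user name to whether iam:CreateAccessKey on it is denied."""
    return {n: is_denied(policy, "iam:CreateAccessKey", {"user_name": n}) for n in names}


if __name__ == "__main__":
    targets = ["admin", "Admin", "cloud-ADMIN", "deploy-bot"]
    print("weak    :", check(WEAK_POLICY, targets))
    print("hardened:", check(hardened_policy(), targets))
```

Running it shows the weak policy denying only the all-lowercase `admin` while `Admin` and `cloud-ADMIN` pass, and the hardened policy denying all three while leaving `deploy-bot` alone. Enumerating 32 spellings of a five-letter word is ugly but mechanical; where the account's naming convention allows it, a stricter alternative is to allow-list the exact names that may be touched rather than deny-list a substring.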