Experts believe the campaign is going to develop further, expanding attacks to other cloud providers
11 July 2023
Cyber criminals have been found abusing legitimate open source penetration testing tools to launch attacks on AWS-hosted Kubernetes environments.
The campaign, dubbed Scarleteel, started in February 2023 and is known for targeting cloud environments.
The latest discoveries revealed new tools and techniques to bypass security measures and execute novel intrusions.
A typical Scarleteel attack sees attackers exploiting misconfigured AWS policies to escalate their privileges and gain account control.
Once in, the attackers target Kubernetes in order to significantly scale up the attack and deploy malware, such as cryptomining tools.
A combination of penetration testing tools was used in the attack. Once the victim’s AWS credentials had been stolen and the AWS CLI binary installed on the exploited containers, the attackers installed Pacu, an AWS exploitation framework, to reveal further vulnerabilities in the victim’s account.
The attackers also leveraged Peirates, a Kubernetes-specific penetration testing tool, to exploit the Kubernetes environment.
While cryptomining remains one of the operation’s objectives, according to researchers from the Sysdig Threat Research Team, other goals include gaining persistence and the theft of proprietary data.
What has changed in the attack pattern?
Scarleteel was first noted by the team in February 2023 and the techniques in use have changed in the time since.
Michael Clark, director of threat research at Sysdig, said: “They kind ..