An advanced hacking operation dubbed ‘SCARLETEEL’ targets public-facing web apps running in containers to infiltrate cloud services and steal sensitive data. SCARLETEEL was discovered by cybersecurity intelligence firm Sysdig while responding to an incident in one of their customers’ cloud environments. While the attackers deployed cryptominers in the compromised cloud environments, the hackers showed advanced expertise in AWS cloud mechanics, which they used to infiltrate further into the company’s cloud infrastructure. “During this particular attack, the attacker was able to retrieve and read more than 1 TB of information, including customer scripts, troubleshooting tools, and logging files…. The 1 TB of data also included logging files related to Terraform, which was used in the account to deploy part of the infrastructure. These Terraform files [played an important part in later steps] where the attacker tried to pivot to another AWS account,” stated Sysdig researchers in their report.
Analyst Notes
To minimize the traces left behind, the attacker attempted to disable CloudTrail logs in the compromised AWS account. Additionally, Sysdig’s report indicates that the attacker retrieved Terraform state files from the S3 buckets containing IAM user access keys and a secret key for a second AWS account. This account was eventually used for lateral movement within the organization’s cloud network.
In order to effectively address the risks introduced by cloud facing threats, organizations are highly recommended to address threats often deemed lower priority, such as crytpominers, infostealers, and malware bot loaders as these increasingly are used by threat groups to provide initial access for more disruptive attacks such as ransomware or data extortion. In addition, to secure their cloud services, organizations should:
• Keep all software up to date.
• Use IMDS v2 instead of v1, which prevents unauthorized metadata access.
• Adopt principles of least privilege on all user accounts.
• Scope read-only access on resources that may contain sensitive data like Lambda.
• Remove old and unused permissions.
• Use key management services like AWS KMS, GCP KMS, and Azure Key Vault.
https://www.bleepingcomputer.com/news/security/scarleteel-hackers-use-advanced-cloud-skills-to-steal-source-code-data/
