SCARLETEEL 2.0: Advanced Cryptojacking Campaign Targets AWS Fargate

VTA-00444 – SCARLETEEL 2.0: Advanced Cryptojacking Campaign Targets AWS Fargate

SCARLETEEL was first discovered in February 2023 and involves a sophisticated attack chain that results in the theft of proprietary data from AWS infrastructure and the deployment of cryptocurrency miners to illegally profit from compromised systems. There are potential links to the cryptojacking group TeamTNT, although it is unclear whether the activity is TeamTNT's own or a copycat reusing its methodology.

The attackers exploit JupyterLab Notebook containers in a Kubernetes cluster to gain initial access, then conduct reconnaissance and gather AWS credentials to reach deeper into the victim's environment. They use the AWS command line tool and the Pacu exploitation framework to extend that access. Shell scripts are used to retrieve AWS credentials, including from AWS Fargate instances.

The attackers use the AWS client to connect to Russian systems that speak the S3 protocol, employing stealthy techniques to avoid leaving traces in CloudTrail logs. They also use Peirates, a Kubernetes penetration-testing tool, and a DDoS botnet malware called Pandora to monetize infected hosts.
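
As an added defender's example (not part of this advisory or of Sysdig's research), the Python below flags CloudTrail records in which a Fargate task role's credentials are used from an address outside the VPC's expected egress range, the anomaly that credential theft from a Fargate task produces, and marks calls typical of AWS CLI or Pacu reconnaissance. The task-role ARN, the egress CIDR and the sample events are constructed assumptions, not values from the advisory.

```python
import ipaddress

# Assumptions (not from the advisory): the task-role ARNs to watch and the public
# egress CIDR our Fargate tasks are expected to NAT through.
TASK_ROLE_ARNS = {"arn:aws:iam::123456789012:role/fargate-app-task-role"}
EXPECTED_EGRESS = [ipaddress.ip_network("203.0.113.0/24")]
# API calls typical of post-access enumeration with the AWS CLI or Pacu.
RECON_CALLS = {"GetCallerIdentity", "ListBuckets", "ListUsers", "ListRoles",
               "DescribeInstances", "ListSecrets"}

def task_role_of(event):
    """Return the IAM role ARN behind an AssumedRole session, else None."""
    ident = event.get("userIdentity", {})
    if ident.get("type") != "AssumedRole":
        return None
    return ident.get("sessionContext", {}).get("sessionIssuer", {}).get("arn")

def outside_expected_egress(source_ip):
    """True when sourceIPAddress is an IP outside our NAT range. CloudTrail
    can also carry a service name here (e.g. 'ecs.amazonaws.com'); those
    calls are made by AWS on the task's behalf and are ignored."""
    try:
        ip = ipaddress.ip_address(source_ip)
    except ValueError:
        return False
    return not any(ip in net for net in EXPECTED_EGRESS)

def find_stolen_task_creds(events):
    """Flag task-role sessions used from unexpected IPs; mark recon calls."""
    findings = []
    for ev in events:
        role = task_role_of(ev)
        if role in TASK_ROLE_ARNS and outside_expected_egress(ev.get("sourceIPAddress", "")):
            findings.append({"time": ev["eventTime"], "ip": ev["sourceIPAddress"],
                             "call": ev["eventName"],
                             "recon": ev["eventName"] in RECON_CALLS})
    return findings

def _event(time, ip, name):
    """Build a constructed CloudTrail record for the watched task role."""
    return {"eventTime": time, "sourceIPAddress": ip, "eventName": name,
            "userIdentity": {"type": "AssumedRole", "sessionContext": {
                "sessionIssuer": {"type": "Role", "arn": next(iter(TASK_ROLE_ARNS))}}}}

# Constructed sample: one normal call via our NAT, two from an unexpected address.
SAMPLE_EVENTS = [_event("2023-07-11T09:00:00Z", "203.0.113.10", "PutObject"),
                 _event("2023-07-11T09:05:00Z", "198.51.100.7", "GetCallerIdentity"),
                 _event("2023-07-11T09:06:00Z", "198.51.100.7", "PutObject")]
```

Uploads to a non-AWS S3-compatible endpoint, as described above, are not AWS API calls and never reach CloudTrail, so that step has to be caught at the network layer (VPC Flow Logs, egress restrictions) rather than by this check.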

The primary objectives of the SCARLETEEL attackers are monetary gain through crypto mining and the theft of intellectual property. They continue to target AWS and Kubernetes environments, focusing on exploiting open compute services and vulnerable applications.

Severity:
Medium

Attack Surfaces:
Cloud Service, Endpoint OS, Server OS, Web Application, Web Browser

Tactics:
Credential Access, Execution, Initial Access, Privilege Escalation, Reconnaissance

Techniques:
T1102 – Web Service,
T1003 – OS Credential Dumping,
T1525 – Implant Internal Image,
T1176 – Browser Extensions,
T1134 – Access Token Manipulation,
T1547 – Boot or Logon Autostart Execution,
T1059 – Command and Scripting Interpreter,
T1498 – Network Denial of Service

References:
https://sysdig.com/blog/scarleteel-2-0/

SuperPRO's Threat Countermeasures Procedures:
1. Employ anti-cryptomining extensions.
2. Implement ad-blocking mechanisms to mitigate the risk of encountering malicious advertisements.
3. Exercise caution when verifying wallet addresses.
4. Strengthen security with robust, unique passwords and multi-factor authentication (MFA).
5. Leverage comprehensive security tools such as Vulnerability Management, CSPM, and CIEM.

Contributed by: Varrumen
