A sophisticated attack campaign dubbed SCARLETEEL is targeting containerized environments to steal proprietary data and software.
“The attacker exploited a containerized workload and then leveraged it to perform privilege escalation into an AWS account in order to steal proprietary software and credentials,” Sysdig said in a new report.
The advanced cloud attack also entailed the deployment of crypto miner software, which the cybersecurity company said is either an attempt to generate illicit profits or a ploy to distract defenders and throw them off the trail.
The initial infection vector banked on exploiting a vulnerable public-facing service in a self-managed Kubernetes cluster hosted on Amazon Web Services (AWS).
After the attacker gained a foothold, an XMRig crypto miner was launched and a bash script was used to obtain credentials that could be used to further burrow into the AWS cloud infrastructure and exfiltrate sensitive data.
“Either crypto mining was the attacker’s initial goal and the goal changed once they accessed the victim’s environment, or crypto mining was used as a decoy to evade the detection of data exfiltration,” the company said.
The intrusion notably also disabled CloudTrail logs to minimize the digital footprint, preventing Sysdig from accessing additional evidence. In all, it allowed the threat actor to access more than 1TB of data, including customer scripts, troubleshooting tools, and logging files.
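Because the intrusion disabled CloudTrail logging, one defensive check is to alert on the CloudTrail management calls that stop, delete or narrow a trail, and to note when the caller is an EC2 instance role session. The following is an added example, not code from Sysdig or the original report; the sample records, account ID, role, user and trail names are constructed, and the instance-role check is a heuristic based on instance-profile sessions being named after the instance ID.

```python
import json

# CloudTrail API calls that stop or delete a trail (HIGH) or can narrow it (REVIEW).
HIGH = {"StopLogging", "DeleteTrail"}
REVIEW = {"UpdateTrail", "PutEventSelectors"}

def from_instance_role(identity):
    """Heuristic: EC2 instance-profile sessions are named after the instance ID."""
    if identity.get("type") != "AssumedRole":
        return False
    session = identity.get("arn", "").rsplit("/", 1)[-1]
    return session.startswith("i-")

def find_trail_tampering(records):
    """Return one finding per call that reduces CloudTrail coverage, denied or not."""
    findings = []
    for rec in records:
        name = rec.get("eventName")
        if rec.get("eventSource") != "cloudtrail.amazonaws.com":
            continue
        if name not in HIGH | REVIEW:
            continue
        params = rec.get("requestParameters") or {}
        identity = rec.get("userIdentity") or {}
        findings.append({
            "time": rec.get("eventTime"),
            "event": name,
            "trail": params.get("name") or params.get("trailName"),
            "actor": identity.get("arn"),
            "severity": "high" if name in HIGH else "review",
            "denied": bool(rec.get("errorCode")),  # failed attempts still matter
            "workload_credentials": from_instance_role(identity),
        })
    return findings

# Constructed sample in the CloudTrail log-file layout ({"Records": [...]}).
SAMPLE_LOG = json.loads("""{"Records": [
 {"eventTime": "2023-01-10T03:12:45Z", "eventSource": "cloudtrail.amazonaws.com",
  "eventName": "StopLogging", "requestParameters": {"name": "org-trail"},
  "userIdentity": {"type": "AssumedRole",
   "arn": "arn:aws:sts::111122223333:assumed-role/node-role/i-0abc123def4567890"}},
 {"eventTime": "2023-01-10T03:13:02Z", "eventSource": "cloudtrail.amazonaws.com",
  "eventName": "DescribeTrails", "requestParameters": null,
  "userIdentity": {"type": "IAMUser", "arn": "arn:aws:iam::111122223333:user/ops"}},
 {"eventTime": "2023-01-10T03:14:30Z", "eventSource": "cloudtrail.amazonaws.com",
  "eventName": "DeleteTrail", "errorCode": "AccessDenied",
  "requestParameters": {"name": "org-trail"},
  "userIdentity": {"type": "IAMUser", "arn": "arn:aws:iam::111122223333:user/ops"}}
]}""")

if __name__ == "__main__":
    for finding in find_trail_tampering(SAMPLE_LOG["Records"]):
        print(finding)
```

Events recorded just before a trail stops are the last evidence it captures, so this check is most useful when run on a copy of the logs delivered outside the affected account.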
“They also attempted to pivot using a Terraform state file to other connected AWS accounts to spread their reach throughout the organization,” the company said. This, however, proved to be unsuccessful due to lack of permissions.
The findings come weeks after Sysdig also detailed another cryptojacking campaign mounted by the 8220 Gang between November 2022 and January 2023 targeting exploitable Apache web server and Oracle Weblogic applications.