The Rise of Cyberattacks: ScarletEel Hackers Breach AWS Cloud Security

Cybersecurity: ScarletEel Exploits Amazon Web Services for Financial Gain

Overview

Researchers have recently observed the financially motivated threat actor ScarletEel infiltrating Amazon Web Services (AWS) to carry out a range of cyberattacks. ScarletEel has demonstrated a high level of expertise in AWS tooling, which lets it move easily within cloud environments and evade security controls. Its tactics continue to evolve: the most recent analysis shows it compromising workloads on the AWS Fargate compute engine and carrying out distributed denial-of-service (DDoS) attacks. The group’s primary objectives are stealing intellectual property and cryptomining.

ScarletEel’s Attack Methods

ScarletEel initiates its intrusions by exploiting Jupyter notebook containers running in Kubernetes clusters. By relying on built-in shell commands rather than the usual command-line tools, the attackers exfiltrate data while avoiding detection by security monitoring. The group also uses open-source pentesting tools such as Pacu for AWS and Peirates for Kubernetes to find privilege-escalation opportunities within a victim’s account. To conceal its activity, ScarletEel routes requests through a Russian server that supports the AWS API protocol, allowing it to interact with AWS indirectly so that the calls do not appear in the victim’s AWS CloudTrail logs.

Cryptomining and Intellectual Property Theft

ScarletEel’s primary objectives are stealing proprietary software and running cryptomining operations. In its most recent campaign, the group launched 42 cryptominer instances through a compromised account. Although this was detected and thwarted, ScarletEel was undeterred and tried again with new and previously compromised accounts, failing only because those accounts lacked the required privileges. Researchers estimate that, had the attack continued unhindered, it could have generated around $4,000 in cryptomining rewards per day. The group also planted “Pandora,” a Mirai botnet malware, suggesting a separate DDoS-as-a-service campaign built on infected devices.

Challenges of Defending Against ScarletEel

Traditional cloud security measures are insufficient against an adversary as proficient as ScarletEel. The group’s recent activity has shown that it can breach the AWS Fargate serverless container platform, an area often overlooked as part of an enterprise’s attack surface, and the shortage of expertise in securing Fargate environments leaves organizations exposed to such threats. To counter ScarletEel and similar actors, security experts stress two layers of defense: preventive controls that block initial entry into the environment, and runtime security that detects and responds to attacks that get past those initial defenses.
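One runtime detection the article’s account suggests is flagging a single principal that launches many compute resources in a short window, which is what 42 miners dropped through one compromised account would look like in CloudTrail. The following is an added example, not code from the article or from the researchers who analysed ScarletEel: it uses real CloudTrail field names (eventTime, eventSource, eventName, userIdentity.arn, errorCode) but every record, ARN and threshold below is constructed for illustration.

```python
"""Flag principals whose compute-launch API calls burst within a short window.

Added example with constructed CloudTrail-style records; thresholds are
illustrative and should be tuned to each account's normal launch rate.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# API calls that create billable compute a cryptominer could be dropped onto.
LAUNCH_EVENTS = {
    ("ec2.amazonaws.com", "RunInstances"),
    ("ecs.amazonaws.com", "RunTask"),          # covers Fargate tasks
    ("lambda.amazonaws.com", "CreateFunction"),
}

def _parse_time(ts):
    # CloudTrail eventTime is ISO 8601 UTC with a trailing Z.
    return datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ")

def find_launch_bursts(events, window=timedelta(minutes=10), threshold=5):
    """Return {principal_arn: peak_count} for principals with at least
    `threshold` launch calls inside any sliding window of length `window`.
    Denied calls (errorCode set) are counted too: a thwarted actor retrying
    with under-privileged accounts is itself a signal worth alerting on."""
    per_principal = defaultdict(list)
    for ev in events:
        if (ev.get("eventSource"), ev.get("eventName")) in LAUNCH_EVENTS:
            per_principal[ev["userIdentity"]["arn"]].append(_parse_time(ev["eventTime"]))
    flagged = {}
    for arn, times in per_principal.items():
        times.sort()
        start, peak = 0, 0
        for end, t in enumerate(times):          # two-pointer sliding window
            while t - times[start] > window:
                start += 1
            peak = max(peak, end - start + 1)
        if peak >= threshold:
            flagged[arn] = peak
    return flagged

def _rec(ts, source, name, arn, error=None):
    rec = {"eventTime": ts, "eventSource": source, "eventName": name,
           "userIdentity": {"arn": arn}}
    if error:
        rec["errorCode"] = error
    return rec

# Constructed sample data: a role stolen from a notebook container launching
# six instances and a Fargate task in eight minutes, then one denied attempt;
# an administrator making a single routine launch hours earlier.
ATTACKER = "arn:aws:sts::111122223333:assumed-role/notebook-task-role/i-0abc"
ADMIN = "arn:aws:iam::111122223333:user/alice"
SAMPLE_EVENTS = (
    [_rec(f"2023-07-01T12:0{i}:00Z", "ec2.amazonaws.com", "RunInstances", ATTACKER) for i in range(6)]
    + [_rec("2023-07-01T12:07:00Z", "ecs.amazonaws.com", "RunTask", ATTACKER),
       _rec("2023-07-01T12:08:00Z", "ec2.amazonaws.com", "RunInstances", ATTACKER, "UnauthorizedOperation"),
       _rec("2023-07-01T09:00:00Z", "ec2.amazonaws.com", "RunInstances", ADMIN)]
)

if __name__ == "__main__":
    for arn, n in find_launch_bursts(SAMPLE_EVENTS).items():
        print(f"ALERT: {n} compute launches within 10 minutes by {arn}")
```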

Recommendations and Conclusion

To strengthen their security posture, organizations running on AWS should focus on two areas: cloud security posture management (CSPM) and cloud infrastructure entitlement management (CIEM). CSPM checks that an organization’s AWS environment follows security best practices and surfaces misconfigurations and vulnerabilities. CIEM keeps access to AWS accounts under control, ensuring that identities hold only the permissions they need and reducing the risk of privilege escalation. Cyber threats continue to evolve, and attackers will exploit any opening they find, so organizations must stay vigilant, keep up with emerging threats, and invest in the security measures needed to protect their digital assets and customer data.
