
Hackers From “ScarletEel” Infect the AWS Cloud

By Esme Greene

Aug 11, 2023

ScarletEel, a criminal group, has been observed breaking into Amazon Web Services (AWS) environments to carry out a range of malicious activities, such as stealing user information and proprietary data, installing cryptocurrency mining software, and launching distributed denial-of-service (DDoS) attacks.

The group has a high degree of expertise with AWS, which lets it explore cloud environments efficiently and take advantage of native capabilities. ScarletEel has also changed its tactics in order to evade cloud security detection systems and to target the AWS Fargate compute engine.

In addition, the group has recently added DDoS-as-a-service to its toolkit. According to threat research company Sysdig, ScarletEel has improved its ability to understand target environments, exploit vulnerabilities, and bypass security controls.

Utilizing the Whole Animal

To steal AWS credentials, ScarletEel targeted Jupyter notebook containers in a Kubernetes cluster. Rather than using conventional tools like curl and wget, the attackers quietly exfiltrated data using built-in shell commands. They then used the AWS and Kubernetes pentesting tools Pacu and Peirates to look for privilege escalation opportunities in the victim’s account.

ScarletEel kept its activity out of the victim’s AWS CloudTrail logs by using a Russian server that supports the AWS protocol to mask what it was doing. Its main objectives were cryptojacking and the theft of proprietary software. During its most recent campaign the group dropped 42 crypto miner instances, but they were quickly found and terminated.
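The CloudTrail-evasion technique above has a defensive corollary: a request signed with AWS Signature Version 4 but sent to a host outside AWS is an AWS-style API call that the victim’s CloudTrail will never record, so the egress log is the only place it shows up. The following detector is an added example (not code from the article or from Sysdig); the key=value proxy log format, hostnames and access key id are constructed placeholders.

```python
import re
from urllib.parse import urlsplit

# Hosts AWS itself serves. SigV4-signed traffic to any other host is an
# "AWS-protocol" endpoint outside AWS, which the victim's CloudTrail never sees.
AWS_HOST_SUFFIXES = (".amazonaws.com", ".amazonaws.com.cn", ".api.aws")

# key=value tokens of the constructed egress-proxy log format used below.
FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')
# The SigV4 credential scope exposes the access key id, date, region and service.
SIGV4_RE = re.compile(
    r"AWS4-HMAC-SHA256 Credential=(?P<key>[A-Z0-9]+)/(?P<date>\d{8})/"
    r"(?P<region>[a-z0-9-]+)/(?P<service>[a-z0-9-]+)/aws4_request")

def parse_line(line):
    """Split one proxy log line into a dict, stripping quotes from values."""
    return {k: v.strip('"') for k, v in FIELD_RE.findall(line)}

def is_aws_host(host):
    host = host.lower().rstrip(".")
    return any(host == s[1:] or host.endswith(s) for s in AWS_HOST_SUFFIXES)

def sigv4_to_non_aws(lines):
    """Return findings for SigV4-signed requests whose destination is not AWS."""
    findings = []
    for line in lines:
        rec = parse_line(line)
        m = SIGV4_RE.search(rec.get("authz", ""))
        if not m:
            continue  # not an AWS-style API call at all
        host = urlsplit(rec.get("url", "")).hostname or ""
        if is_aws_host(host):
            continue  # normal traffic; CloudTrail records it
        findings.append({"ts": rec.get("ts"), "src": rec.get("src"), "host": host,
                         "access_key": m["key"], "service": m["service"],
                         "region": m["region"]})
    return findings

# Constructed sample lines (hosts and key id are placeholders): a legitimate S3
# call, a SigV4 call to a non-AWS host, and an ordinary non-AWS download.
SAMPLE_LOG = [
    'ts=2023-08-11T10:01:02Z src=10.0.3.7 method=PUT url=https://s3.us-east-1.amazonaws.com/team-data/export.tgz '
    'authz="AWS4-HMAC-SHA256 Credential=AKIACONSTRUCTED00001/20230811/us-east-1/s3/aws4_request, Signature=c0ffee"',
    'ts=2023-08-11T10:02:15Z src=10.0.3.7 method=PUT url=https://s3.storage.example.test/team-data/export.tgz '
    'authz="AWS4-HMAC-SHA256 Credential=AKIACONSTRUCTED00001/20230811/us-east-1/s3/aws4_request, Signature=deadbeef"',
    'ts=2023-08-11T10:03:40Z src=10.0.3.9 method=GET url=https://updates.example.test/index.html authz=-',
]
```

Running `sigv4_to_non_aws(SAMPLE_LOG)` flags only the second line; the access key id in the finding is the value to revoke and to search for in CloudTrail and IAM credential reports.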

The attackers also tried to make use of other compromised accounts, but lacked the necessary permissions. Had the mining continued, the daily proceeds would have been worth around $4,000. Additionally, ScarletEel deployed the “Pandora” variant of the Mirai botnet malware, possibly as part of a separate DDoS-as-a-service campaign.

Defense Impeded by Expertise Gap in Fargate

ScarletEel’s experience operating in cloud environments, which now extends to AWS Fargate, exposes the shortcomings of traditional cloud security practices. The group’s recent activity targeted Fargate, which is frequently overlooked as part of the attack surface.

That the attackers were able to obtain Fargate credentials shows they are aware of opportunities that defenders have not yet examined. Deploying safeguards and effective runtime security is essential to defend against sophisticated attacks like ScarletEel’s. Cloud infrastructure entitlement management (CIEM) and cloud security posture management (CSPM) are both highlighted as important technologies.

Esme Greene

Esme brings a wealth of knowledge and experience to our website, specializing in all aspects of DarkWeb security. With a deep understanding of the intricate workings of the DarkWeb and its associated cybersecurity risks, Esme curates insightful and informative content for our readers.