Hackers Exploit Containerized Environments to Steal Proprietary Data
The advanced cloud attack also entailed the deployment of crypto miner software, which the cybersecurity company said is either an attempt to generate illicit profits or a ploy to distract defenders and throw them off the trail.
“The attacker exploited a containerized workload and then leveraged it to perform privilege escalation into an AWS account in order to steal proprietary software and credentials,” Sysdig said in a new report.
The initial infection vector banked on exploiting a vulnerable public-facing service in a self-managed Kubernetes cluster hosted on Amazon Web Services (AWS).
SCARLETEEL attacks
The SCARLETEEL attack began with the hackers exploiting a vulnerable public-facing service in a self-managed Kubernetes cluster hosted on Amazon Web Services (AWS).
Once the attackers access the container, they download an XMRig coinminer, believed to serve as a decoy, and a script to extract account credentials from the Kubernetes pod.
The stolen credentials were then used to perform AWS API calls to gain persistence by stealing further credentials or creating backdoor users and groups in the company’s cloud environment. These accounts were then used to spread further through the cloud environment.
Depending on the AWS cluster role configuration, the attackers may also gain access to Lambda information, such as functions, configurations, and access keys.

“The 1 TB of data also included logging files related to Terraform, which was used in the account to deploy part of the infrastructure. These Terraform files will play an important part in the later step where the attacker tried to pivot to another AWS account.” – Sysdig.
To minimize the traces left behind, the attacker attempted to disable CloudTrail logs in the compromised AWS account, adversely impacting Sysdig’s investigation.
However, it was evident that the attacker retrieved Terraform state files from the S3 buckets containing IAM user access keys and a secret key for a second AWS account. This account was eventually used for lateral movement within the organization’s cloud network.
Securing your cloud-based infrastructure
As the enterprise increasingly relies on cloud services to host their infrastructure and data, hackers are following along, becoming experts in APIs and management consoles to continue their attacks.
The SCARLETEEL attack proves that a single vulnerable point in an organization’s cloud environment could be enough for persistent and knowledgeable threat actors to leverage it for network infiltration and sensitive data theft.
Sysdig suggests that organizations take the following security measures to protect their cloud infrastructure from similar attacks:
- Keep all your software up to date.
- Use IMDS v2 instead of v1, which prevents unauthorized metadata access.
- Adopt principles of least privilege on all user accounts.
- Scope read-only access on resources that may contain sensitive data like Lambda.
- Remove old and unused permissions.
- Use key management services like AWS KMS, GCP KMS, and Azure Key Vault.
Sysdig also recommends implementing a comprehensive detection and alerting system to ensure that malicious activities by attackers are promptly reported, even when they evade protection measures.
The findings come weeks after Sysdig also detailed another cryptojacking campaign mounted by the 8220 Gang between November 2022 and January 2023 targeting exploitable Apache web server and Oracle Weblogic applications.
Found this article interesting then share with your friends.
For cyber security related free consultation click here