#Cybersecurity#vulnerability#malware#security#software
  • Home
  • SCARLETEEL Cryptojacking Campaign Exploiting AWS Fargate in Ongoing Campaign

SCARLETEEL Cryptojacking Campaign Exploiting AWS Fargate in Ongoing Campaign

Author : ArmCoding
12-07-2023
Share
SCARLETEEL Cryptojacking Campaign Exploiting AWS Fargate in Ongoing Campaign

Cloud environments continue to be at the receiving end of an ongoing advanced attack campaign dubbed SCARLETEEL, with the threat actors now setting their sights on Amazon Web Services (AWS) Fargate.

SCARLETEEL was first exposed by the cybersecurity company in February 2023, detailing a sophisticated attack chain that culminated in the theft of proprietary data from AWS infrastructure and the deployment of cryptocurrency miners to profit off the compromised systems’ resources illegally.

A follow-up analysis by Cado Security uncovered potential links to a prolific cryptojacking group known as TeamTNT, although Sysdig told The Hacker News that it “could be someone copying their methodology and attack patterns.”

The latest activity continues the threat actor’s penchant for going after AWS accounts by exploiting vulnerable public-facing web applications with an ultimate aim to gain persistence, steal intellectual property, and potentially generate revenue to the tune of $4,000 per day using crypto miners.

SCARLETEEL Attackers

It all begins with the adversary exploiting JupyterLab Notebook containers deployed in a Kubernetes cluster, leveraging the initial foothold to conduct reconnaissance of the target network and gather AWS credentials to obtain deeper access into the victim’s environment.

This is followed by the installation of the AWS command line tool and an exploitation framework called Pacu for subsequent exploitation. The attack also stands out for its use of various shell scripts to retrieve AWS credentials, some of which target AWS Fargate compute engine instances.

Some of the other steps taken by the attacker include the use of a Kubernetes Penetration Testing tool known as Peirates to exploit the container orchestration system and a DDoS botnet malware called Pandora, indicating further attempts on part of the actor to monetize the infected hosts.

“The SCARLETEEL actors continue to operate against targets in the cloud, including AWS and Kubernetes,” Brucato said.

“Their preferred method of entry is exploitation of open compute services and vulnerable applications. There is a continued focus on monetary gain via crypto mining, but […] intellectual property is still a priority.”

 

Source:  https://thehackernews.com/

 

#Crime#Cybersecurity#Hacker#malware#Microsoft#Network#security#software#vulnerability
CISA Alerts Federal Agencies to Patch Actively Exploited Linux Kernel Flaw
CISA Alerts Federal Agencies to Patch Actively Exploited Linux Kernel Flaw
  • 31-05-2024
Researchers Uncover Active Exploitation of WordPress Plugin Vulnerabilities
Researchers Uncover Active Exploitation of WordPress Plugin Vulnerabilities
  • 31-05-2024
BreachForums Returns Just Weeks After FBI Seizure – Honeypot or Blunder?
BreachForums Returns Just Weeks After FBI Seizure – Honeypot or Blunder?
  • 30-05-2024
Okta Warns of Credential Stuffing Attacks Targeting Customer Identity Cloud
Okta Warns of Credential Stuffing Attacks Targeting Customer Identity Cloud
  • 30-05-2024
WordPress Plugin Exploited to Steal Credit Card Data from E-commerce Sites
WordPress Plugin Exploited to Steal Credit Card Data from E-commerce Sites
  • 29-05-2024
TP-Link Gaming Router Vulnerability Exposes Users to Remote Code Attacks
TP-Link Gaming Router Vulnerability Exposes Users to Remote Code Attacks
  • 29-05-2024
4th Zero-Day Exploit Discovered in May 2024
4th Zero-Day Exploit Discovered in May 2024
  • 27-05-2024
Beware: These Fake Antivirus Sites Spreading Android and Windows Malware
Beware: These Fake Antivirus Sites Spreading Android and Windows Malware
  • 27-05-2024
CISA Warns of Actively Exploited Apache Flink Security Vulnerability
CISA Warns of Actively Exploited Apache Flink Security Vulnerability
  • 24-05-2024