A sophisticated attack campaign called scarlet It targets containerized environments to carry out its own data and software theft.
“Attackers exploited containerized workloads and used them to perform privilege escalation to AWS accounts and steal their own software and credentials,” Sysdig said. Said in a new report.
Advanced cloud attacks also required the deployment of cryptocurrency miner software. This, according to cybersecurity firms, is an attempt to generate illicit profits or a ploy to distract defenders and get them off track.
The original infection vector was by exploiting a vulnerable service exposed on a self-managed Kubernetes cluster hosted on Amazon Web Services (AWS).
Upon gaining a successful foothold, the XMRig crypto miner was launched and credentials were obtained using a bash script. These credentials can be used to further infiltrate your AWS cloud infrastructure and exfiltrate sensitive data.
“Either cryptocurrency mining was the attacker’s initial goal and that goal changed after gaining access to the victim’s environment, or cryptocurrency mining was used as a decoy to evade data exfiltration detection. ” said the company.
Intrusions were also significantly neutralized CloudTrail logs Minimize your digital footprint and keep Sysdig from accessing additional evidence. Overall, the attackers had access to over 1 TB of data, including customer scripts, troubleshooting tools, and log files.
“They also used Terraform state files to pivot to other connected AWS accounts to try to reach across the organization,” the company said. However, this turned out to be unsuccessful due to lack of permissions.
Findings will also come out weeks after Sysdig detailed Another cryptojacking campaign staged by the 8220 gang from November 2022 to January 2023 targeted exploitable Apache web servers and Oracle Weblogic applications.
