Kubernetes on AWS targeted by hackers abusing legitimate pentesting tools

Cyber criminals have been found abusing legitimate open-source penetration testing tools to launch attacks on AWS-hosted Kubernetes environments.

The campaign, dubbed SCARLETEEL, started in February 2023 and is known for targeting cloud environments.  

The latest discoveries revealed new tools and techniques to bypass security measures and execute novel intrusions. 

A typical SCARLETEEL attack sees attackers exploiting misconfigured AWS policies to escalate their privileges and gain account control.  

Once in, the attackers target Kubernetes in order to significantly scale up the attack and deploy malware, such as cryptomining tools.  

A combination of penetration testing tools was used in the attack. Once the victim’s AWS credentials had been stolen and the AWS CLI binary installed on the exploited containers, the attackers installed Pacu, an AWS exploitation framework, to reveal further vulnerabilities in the victim’s account. 

The attackers also leveraged Peirates, a Kubernetes-specific penetration testing tool, to exploit the Kubernetes environment. 

While cryptomining remains one of the operation’s objectives, according to researchers from the Sysdig Threat Research Team, other goals include gaining persistence and the theft of proprietary data. 

What has changed in the attack pattern? 

SCARLETEEL was first noted by the team in February 2023 and the techniques in use have changed in the time since.  

Michael Clark, director of threat research at Sysdig, said: “They kind of evolved their toolsets to understand modern approaches”. 

The attacker’s scripts now account for the differences. 

Although the ability to detect the presence of a Fargate-hosted container is novel, the use of the AWS CLI and Pacu on exploited containers and Peirates to further exploit Kubernetes is a significant development. 

“They use these tools to keep hopping into new environments,” Clark said. 

“So, they may end up in a Fargate [environment] because they look for all the credentials they can.” 

How were the attackers detected? 

In Sysdig’s research, Clark noted that the tools the attackers used are “noisy”, meaning when they run, their processes are often detectable by system and network monitoring tools. 

Understanding what the tools’ reconnaissance looks like is key to detecting what they’re doing and when they’re running. 

“That is really the only way to do it,” Clark said. “You obviously can’t just say ‘don’t let them in’ - that’s the answer to everything.” 

Clark also said the use of Peirates was particularly interesting. The previous attack did not use this tool, but the SCARLETEEL campaign has now expanded to look for Kubernetes and, if found, take advantage of it. 

Moving beyond AWS 

Alessandro Brucato, threat research engineer at Sysdig, said he believes that the attackers behind the campaign will continue to develop it to target other cloud providers. 

“They will try to focus on how they can make a lot less noise, because actually they can look even more like a legitimate service provider. They may try to find some edge services on some cloud providers.”