Kubernetes on AWS targeted by hackers abusing legitimate pentesting tools

Kubernetes on AWS hack: a picture of a cloud on a 3D rendering of computer chip in balck and neon blue colouring
(Image credit: Getty Images)

Cyber criminals have been found abusing legitimate open-source penetration testing tools to launch attacks on AWS-hosted Kubernetes environments.

The campaign, dubbed SCARLETEEL, started in February 2023 and is known for targeting cloud environments.  

The latest discoveries revealed new tools and techniques to bypass security measures and execute novel intrusions. 

A typical SCARLETEEL attack sees attackers exploiting misconfigured AWS policies to escalate their privileges and gain account control.  

RELATED RESOURCE

Image of warehouse with multiple shelves of containers and pick truck

(Image credit: IBM)

Automating application-driven container elasticity

Learn how to operationalize speed to market while assuring application performance

DOWNLOAD FOR FREE

Once in, the attackers target Kubernetes in order to significantly scale up the attack and deploy malware, such as cryptomining tools.  

A combination of penetration testing tools was used in the attack. Once the victim’s AWS credentials had been stolen and the AWS CLI binary installed on the exploited containers, the attackers installed Pacu, an AWS exploitation framework, to reveal further vulnerabilities in the victim’s account. 

The attackers also leveraged Peirates, a Kubernetes-specific penetration testing tool, to exploit the Kubernetes environment. 

While cryptomining remains one of the operation’s objectives, according to researchers from the Sysdig Threat Research Team, other goals include gaining persistence and the theft of proprietary data. 

What has changed in the attack pattern? 

SCARLETEEL was first noted by the team in February 2023 and the techniques in use have changed in the time since.  

Michael Clark, director of threat research at Sysdig, said: “They kind of evolved their toolsets to understand modern approaches”. 

The attacker’s scripts now account for the differences. 

Although the ability to detect the presence of a Fargate-hosted container is novel, the use of the AWS CLI and Pacu on exploited containers and Peirates to further exploit Kubernetes is a significant development. 

“They use these tools to keep hopping into new environments,” Clark said. 

“So, they may end up in a Fargate [environment] because they look for all the credentials they can.” 

How were the attackers detected? 

In Sysdig’s research, Clark noted that the tools the attackers used are “noisy”, meaning when they run, their processes are often detectable by system and network monitoring tools

Understanding what the tools’ reconnaissance looks like is key to detecting what they’re doing and when they’re running. 

“That is really the only way to do it,” Clark said. “You obviously can’t just say ‘don’t let them in’ - that’s the answer to everything.” 

Clark also said the use of Peirates was particularly interesting. The previous attack did not use this tool, but the SCARLETEEL campaign has now expanded to look for Kubernetes and, if found, take advantage of it. 

Moving beyond AWS 

Alessandro Brucato, threat research engineer at Sysdig, said he believes that the attackers behind the campaign will continue to develop it to target other cloud providers. 

“They will try to focus on how they can make a lot less noise, because actually they can look even more like a legitimate service provider. They may try to find some edge services on some cloud providers.” 

Richard Speed
Staff Writer

Richard Speed is an expert in databases, DevOps and IT regulations and governance. He was previously a Staff Writer for ITProCloudPro and ChannelPro, before going freelance. He first joined Future in 2023 having worked as a reporter for The Register. He has also attended numerous domestic and international events, including Microsoft's Build and Ignite conferences and both US and EU KubeCons.

Prior to joining The Register, he spent a number of years working in IT in the pharmaceutical and financial sectors.