Full Report
In early 2023, Sysdig researchers discovered a cyber operation targeting public-facing containerized web apps running in a self-hosted K8s cluster, in order to mine for cryptocurrency and infiltrate the larger cloud environment. The operation, dubbed "SCARLETEEL", involved ret...
Analysis Summary
# Threat Actor: SCARLETEEL
## Attribution & Identity
* **Identification:** SCARLETEEL is a sophisticated threat actor first identified by Sysdig’s Threat Research Team in early 2023.
* **Aliases/Associations:** While the actor demonstrates a high level of proficiency in cloud-native environments, no formal links to known APT groups or established financial crime syndicates have been publicly confirmed. They are characterized by their advanced knowledge of AWS infrastructure and Kubernetes (K8s) internals.
## Activity Summary
* **Operation SCARLETEEL (Early 2023):** A multi-stage campaign targeting containerized workloads. The operation began with the exploitation of a public-facing web service (Jupyter Notebook) and escalated into a cloud-wide credential theft operation.
* **Objectives:** Primary motivations appear dual-faceted: initial crypto-jacking (monetization) followed by advanced data exfiltration and credential harvesting (espionage/intel gathering).
## Tactics, Techniques & Procedures
The actor demonstrates a "cloud-native" attack pattern, moving beyond simple shell scripts to complex API interactions.
* **Initial Access:** Exploitation of vulnerable public-facing web applications/containers (e.g., Jupyter Notebooks).
* **Execution:** Use of weaponized scripts (Bash/Python) to automate discovery.
* **Persistence:** Deployment of Kubernetes CronJobs and modified container images.
* **Privilege Escalation:** Harvesting AWS IAM credentials from the IMDS (Instance Metadata Service) of the underlying K8s nodes.
* **Lateral Movement:** Moving from compromised containers to the host node, then leveraging IAM roles to access other AWS services (S3, Lambda).
* **Exfiltration:** Utilizing specialized scripts to steal sensitive data (environment variables, local files) and exfiltrate via S3.
* **Evasion:** Disabling logging mechanisms and using standard AWS CLI tools to blend in with legitimate traffic.
## Targeting
* **Sectors:** Technology, Research, and organizations utilizing Cloud-Native/DevOps stacks.
* **Geography:** Global (targeting cloud infrastructure regardless of physical location).
* **Victims:** Organizations running self-hosted Kubernetes clusters with misconfigured or vulnerable public-facing web apps.
## Tools & Infrastructure
* **Malware:** Custom-built miners (XMRig variants) and sophisticated shell scripts for automated AWS credential harvesting.
* **Infrastructure:**
* **C2/Exfiltration:** 159[.]223[.]217[.]7, 109[.]123[.]240[.]84
* **Hosting:** Use of legitimate S3 buckets and Lambda functions for persistent stages.
* **Domains:** various domains associated with the exfiltration of IAM credentials (defanged: hxxp[://]109[.]123[.]240[.]84/c[.]sh).
## Implications
SCARLETEEL represents a shift in cloud threats. While they use crypto-mining as a "smokescreen" or immediate payoff, their secondary focus on data exfiltration via cloud APIs suggests a much higher level of risk. Their ability to pivot from a single container vulnerability to a full cloud account compromise indicates that traditional perimeter security is insufficient in containerized environments.
## Mitigations
* **IMDS Protection:** Enforce the use of IMDSv2 and limit hop counts to prevent credential theft from pods.
* **Least Privilege:** Implement IRSA (IAM Roles for Service Accounts) to ensure pods only have the specific permissions required, rather than inheriting node-level permissions.
* **Network Policy:** Use Kubernetes Network Policies to restrict egress traffic from pods to only known-good destinations and internal services.
* **Vulnerability Management:** Regularly scan and patch public-facing containerized applications (e.g., Jupyter, Jenkins).
* **Monitoring:** Implement runtime security (e.g., Falco) to detect anomalous shell execution within containers or unauthorized calls to the AWS Metadata service.