SCARLETEEL: Operation leveraging Terraform, Kubernetes, and AWS for data theft

Sysdig’s Threat Research Team uncovered SCARLETEEL, a sophisticated cloud-attack operation that started in a Kubernetes pod and escalated into AWS to steal proprietary software and credentials. The operation leveraged Terraform state and AWS services to move laterally, exfiltrate data, and attempt to pivot to other accounts, with crypto-mining used as a distraction. #SCARLETEEL #Terraform #Kubernetes #AWS #IMDS #CloudTrail #Lambda #Pacu #TruffleHog #terraform.tfstate

Key points

  • The attack began by compromising a public-facing service in a self-managed Kubernetes cluster hosted in AWS.
  • The malware executed a cryptominer (miner.sh) while also harvesting credentials from IMDSv1 (the EC2 instance metadata service) to enumerate AWS resources and find plaintext credentials in S3 objects and Lambda environment variables.
  • Attackers used the harvested credentials to move laterally, enumerate resources, and exfiltrate data, including proprietary software.
  • CloudTrail logs were disabled to evade detection, highlighting defense-evasion capabilities tied to over-privileged permissions.
  • Lambda function enumeration and Terraform state file reviews enabled discovery of hidden credentials (clear-text keys in terraform.tfstate).
  • The operation extended to a second AWS account via newly acquired credentials, though permissions limited further exploration.
  • Recommendations include patching, IMDSv2/IRSA adoption, restricting read-only access, monitoring stale objects, and securing Terraform state with KMS.

MITRE Techniques

  • [T1190] Exploit Public-Facing Application – The attacker gained initial access by exploiting a public-facing service in a self-managed Kubernetes cluster hosted inside an AWS cloud account. Quote: ‘The attacker gained initial access by exploiting a public-facing service in a self-managed Kubernetes cluster hosted inside an AWS cloud account.’
  • [T1059.004] Unix Shell – Execution using Bash scripts to download, enumerate, and exfiltrate data. Quote: ‘the attacker launched the script miner.sh in order to run an XMRig executable, along with the miner configuration file.’
  • [T1552.001] Credentials in Files – Discovery of plaintext AWS keys in Terraform state files. Quote: ‘it was possible to find both a clear-text IAM user access key and secret key in the terraform.tfstate file.’
  • [T1562] Impair Defenses – Defense evasion by disabling CloudTrail logs. Quote: ‘The attacker succeeded in disabling some of the logs configured in the account because of extra permissions assigned to one of the users compromised in the previous steps.’
  • [T1078] Valid Accounts – Attempted to create new IAM users/groups and bind credentials to existing IAM users; actions denied by permissions. Quote: ‘trying to create new users, groups, and bind new access keys to existing IAM users. Fortunately, all of these executions were denied because of a lack of permissions on the account the attacker was using.’
  • [T1567.002] Exfiltration to Cloud Storage – Data read from cloud storage and other resources using the stolen credentials (more than 1 TB, including proprietary code). Quote: ‘The attacker was able to retrieve and read more than 1 TB of information, including customer scripts, troubleshooting tools, and logging files.’
  • [T1021.001] Remote Services (AWS) – Lateral movement using AWS API calls after obtaining credentials; attempted enumeration in a second connected AWS account. Quote: ‘The attacker restarted their enumeration and information-gathering process to determine whether they could gain additional resources from inside this additional compromised account.’

Indicators of Compromise

  • [IP Addresses] – Initial contact indicators observed in the case: 80.239.140.66, 45.9.148.221, 45.9.148.121, 45.9.249.58. These were identified as hosts involved in the operation.
  • [Files] – Key files associated with the payload and exfiltration: miner.sh, config_background.json, terraform.tfstate, and 2 more files related to Lambda environments (e.g., Lambda code and environment-variable artifacts).
  • [Endpoints/Metadata] – Internal AWS metadata endpoints used to harvest credentials: http://169.254.169.254/latest/meta-data/iam/security-credentials/ and http://169.254.169.254/latest/meta-data/identity-credentials/ec2/security-credentials/ec2-instance.
  • [Credentials in Files] – Plaintext AWS credentials found in terraform.tfstate (AccessKeyId and SecretAccessKey) used to access a second AWS account.
  • [Cloud Service Artifacts] – Lambda function names and code locations enumerated for access to proprietary software (via AWS Lambda API calls).
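The clear-text IAM keys in terraform.tfstate (Key points and Credentials in Files above) are easy to find before an attacker does. The following scanner is an added example, not code from the Sysdig write-up; it walks a constructed v4 state file and flags AWS access key IDs anywhere and 40-character secrets under credential-like attribute names. The resource names are made up and the key pair is the AWS documentation example pair.

```python
import json
import re

# Constructed sample terraform.tfstate (not from the incident). An
# aws_iam_access_key resource stores the key pair in plain text, and a Lambda
# environment block carries a secret as a variable, as in the case described.
SAMPLE_TFSTATE = json.dumps({
    "version": 4,
    "resources": [
        {"mode": "managed", "type": "aws_iam_access_key", "name": "deploy",
         "instances": [{"attributes": {
             "id": "AKIAIOSFODNN7EXAMPLE",  # AWS documentation example key
             "secret": "wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY",
             "user": "deploy-bot"}}]},
        {"mode": "managed", "type": "aws_lambda_function", "name": "worker",
         "instances": [{"attributes": {
             "function_name": "worker",
             "environment": [{"variables": {
                 "AWS_SECRET_ACCESS_KEY": "wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY",
                 "LOG_LEVEL": "info"}}]}}]},
    ],
})

# Long-term (AKIA) and temporary (ASIA) access key IDs are 20 chars.
AKIA_RE = re.compile(r"(?:AKIA|ASIA)[A-Z0-9]{16}")
# Secret access keys are 40 base64-like chars; only flag them under
# attribute names that suggest a credential to keep false positives down.
SECRET_RE = re.compile(r"[A-Za-z0-9/+]{40}")
SENSITIVE_KEYS = {"secret", "secret_access_key", "aws_secret_access_key",
                  "secret_key", "aws_secret_key"}


def _walk(node, path):
    """Yield (path, value) for every string leaf in the decoded state."""
    if isinstance(node, dict):
        for k, v in node.items():
            yield from _walk(v, path + [str(k)])
    elif isinstance(node, list):
        for i, v in enumerate(node):
            yield from _walk(v, path + [str(i)])
    elif isinstance(node, str):
        yield path, node


def find_plaintext_aws_credentials(tfstate_text):
    """Return [(dotted path, kind)] for suspected AWS keys in a state file."""
    state = json.loads(tfstate_text)
    findings = []
    for path, value in _walk(state.get("resources", []), ["resources"]):
        if AKIA_RE.fullmatch(value):
            findings.append((".".join(path), "access_key_id"))
        elif path[-1].lower() in SENSITIVE_KEYS and SECRET_RE.fullmatch(value):
            findings.append((".".join(path), "secret_access_key"))
    return findings
```

Run it against every state file in your backend (S3 bucket, Terraform Cloud export) as part of CI; any hit means the key should be rotated and the state re-encrypted with KMS.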

Read more: https://sysdig.com/blog/cloud-breach-terraform-data-theft/