Pernicious Permissions: How Kubernetes Cryptomining Became an AWS Cloud Data Heist

  /     /     /  
Publicated : 23/11/2024   Category : security


Pernicious Permissions: How Kubernetes Cryptomining Became an AWS Cloud Data Heist


The opportunistic SCARLETEEL attack on a firms Amazon Web Services account turns into targeted data theft after the intruder uses an overpermissioned service to jump into cloud system.



A vulnerable Kubernetes container and lax permissions allowed an attacker to turn a opportunistic cryptojacking attack into a wide-ranging intrusion that targeted intellectual property and sensitive data.
The attack, which cloud-security firm Sysdig dubbed SCARLETEEL, started with a threat actor exploiting a Kubernetes cluster, using an internal service to gain temporary credentials, and then used those credentials to enumerate other Elastic Compute Cloud (EC2) services that had been deployed in the targeted companys infrastructure. In the end, the company — which was not named in the incident report published today — had properly limited the scope of permissions for the stolen identity, which blunted the attack.
The incident, however, underscores that companies need to be careful
when configuring the controls
that allow cloud resources to interact with each other, says Michael Clark, director of threat research at Sysdig.
Having EC2 roles being able to access other resources can be common, though usually it is tightly scoped to prevent incidents like this one, he says. Its more about understanding how misconfigurations like this can combine with other issues leading to a larger breach.
The sophisticated cyberattack also shows that attackers are increasingly targeting cloud infrastructure in better ways. In the past, threat actors have focused on rudimentary interaction with cloud services, such as deploying cryptojacking software, but as they understand the vulnerabilities introduced by businesses in their own environments, cloud-focused attacks are becoming more popular.
In fact, observed cloud exploitation cases nearly doubled in 2022, while the number of incidents where threat actors interacted with cloud resources nearly tripled, cybersecurity services firm CrowdStrike
stated in its latest annual Global Threat Report
published on Feb. 28.
It took a while for them to figure out how to operate in the cloud, says Adam Meyers, head of intelligence at CrowdStrike. Organizations really need to be taking a hard look at their cloud security, because the cloud comes secure out of the box, but as people start to operate on it and change it, they make it less secure.
The attacker compromised the targets cloud infrastructure through a vulnerable Internet-exposed service that allowed access to
a Kubernetes pod
, a technology used to manage and deploy containerized applications. Once inside the cluster, the attacker used the access to deploy containers with cryptojacking software, essentially stealing processing capacity from the victims cloud infrastructure to mine for cryptocurrency.
This is a common practice in automated container threats, Sysdig researchers
stated in their analysis
, adding that the attackers then exploited that role to do enumeration in the cloud, search for sensitive information, and steal proprietary software.
The attackers had knowledge of how to move through the AWS cloud, including EC2 services, connecting to Lambda serverless functions, and using the continuous integration and continuous deployment (CI/CD) service known as Terraform. Because Terraform often saves the state of its pipeline to Simple Storage Service (S3) buckets, the attacker was able to retrieve those files and find at least one more additional credential in the plaintext data.
The second identity, however, had limited permissions, stopping the attackers lateral movement, Sysdig stated in its analysis. Meanwhile, the attackers attempts to enumerate users and cloud infrastructure led to detection, Clark says.
It was caught by abnormal amounts of AWS actions being taken, especially from roles that shouldnt be making those types of requests, he says. There is a threat intelligence aspect [too] — some of the IP addresses, which were involved, have been associated with malicious activity in the past.
The takeaways of the attack? For one, companies need to ensure that they have good visibility into the operation and telemetry of their cloud infrastructure. In addition, limiting access — even assigning read-only access to specific cloud resources — can make all the difference in stopping an attack while in progress. The more attackers hammer at resources using stolen identities, the greater chance of detecting them, according to Sysdig.
First, zero trust and the principle of least privilege are important and if you implement them, you will reduce the likelihood of compromise, the researchers wrote. Second, strong detections and alerts should help you catch these activities before an attacker gets too deep.
Clark also points out that 
multifactor authentication (MFA)
technologies will likely not make a great deal of difference in blunting cloud infrastructure attacks, since most of the cloud identities that attackers take advantage of are machine identities — so, alternate protections need to be put into place.
MFA may have been helpful for the other involved accounts to prevent their access, Clark says, but these were internal accounts made for automation purposes rather than ones that were expected to be logged into by a person.

Last News

▸ Researchers create BlackForest to gather, link threat data. ◂
Discovered: 23/12/2024
Category: security

▸ Travel agency fined £150,000 for breaking Data Protection Act. ◂
Discovered: 23/12/2024
Category: security

▸ 7 arrested, 3 more charged in StubHub cyber fraud ring. ◂
Discovered: 23/12/2024
Category: security


Cyber Security Categories
Google Dorks Database
Exploits Vulnerability
Exploit Shellcodes

CVE List
Tools/Apps
News/Aarticles

Phishing Database
Deepfake Detection
Trends/Statistics & Live Infos



Tags:
Pernicious Permissions: How Kubernetes Cryptomining Became an AWS Cloud Data Heist