New SCARLETEEL hacking operation detailed

BleepingComputer reports that a new and sophisticated hacking operation, dubbed SCARLETEEL, is targeting public-facing web applications to compromise cloud services and exfiltrate data. According to a Sysdig report, after exploiting a vulnerable public-facing service in a self-managed Kubernetes cluster hosted on Amazon Web Services, SCARLETEEL downloads an XMRig coinminer and a script that extracts account credentials; the stolen credentials are then used to establish persistence. Lambda functions accessible to the attackers are subsequently used to retrieve proprietary code and software and to enumerate S3 buckets. "During this particular attack, the attacker was able to retrieve and read more than 1 TB of information, including customer scripts, troubleshooting tools, and logging files," said Sysdig, adding that the stolen data included Terraform-related files that would be valuable for further compromise of the AWS account. Such an attack should prompt organizations to keep software up to date and to use key management services, Sysdig added.
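The chain described above (credential theft from a workload, S3 and Lambda enumeration, bulk object reads including Terraform state, then IAM persistence) leaves a recognisable footprint in CloudTrail. The following is an added detection sketch, not code from the report, BleepingComputer or Sysdig: it profiles each assumed role by which phase of that chain its API calls fall into and flags roles that combine discovery with collection, create IAM credentials, or read `.tfstate` objects. The log records, account id, role names, bucket names and IP addresses are constructed placeholders, and the event-name prefixes used for matching are an assumption about CloudTrail naming.

```python
import json
from collections import defaultdict

# Constructed CloudTrail-style records in JSON Lines form. The account id,
# role names, bucket names, object keys and IPs are placeholders invented for
# this example; they are not indicators from the SCARLETEEL report.
SAMPLE_LOG = """
{"eventTime":"2023-02-20T10:01:12Z","eventSource":"sts.amazonaws.com","eventName":"GetCallerIdentity","userIdentity":{"arn":"arn:aws:sts::111122223333:assumed-role/eks-node-role/i-0abc"},"sourceIPAddress":"10.0.1.23"}
{"eventTime":"2023-02-20T10:01:15Z","eventSource":"s3.amazonaws.com","eventName":"ListBuckets","userIdentity":{"arn":"arn:aws:sts::111122223333:assumed-role/eks-node-role/i-0abc"},"sourceIPAddress":"10.0.1.23"}
{"eventTime":"2023-02-20T10:01:20Z","eventSource":"s3.amazonaws.com","eventName":"ListObjects","userIdentity":{"arn":"arn:aws:sts::111122223333:assumed-role/eks-node-role/i-0abc"},"requestParameters":{"bucketName":"example-infra-state"},"sourceIPAddress":"10.0.1.23"}
{"eventTime":"2023-02-20T10:01:31Z","eventSource":"s3.amazonaws.com","eventName":"GetObject","userIdentity":{"arn":"arn:aws:sts::111122223333:assumed-role/eks-node-role/i-0abc"},"requestParameters":{"bucketName":"example-infra-state","key":"prod/terraform.tfstate"},"sourceIPAddress":"10.0.1.23"}
{"eventTime":"2023-02-20T10:02:02Z","eventSource":"lambda.amazonaws.com","eventName":"ListFunctions20150331","userIdentity":{"arn":"arn:aws:sts::111122223333:assumed-role/eks-node-role/i-0abc"},"sourceIPAddress":"10.0.1.23"}
{"eventTime":"2023-02-20T10:02:09Z","eventSource":"lambda.amazonaws.com","eventName":"GetFunction20150331v2","userIdentity":{"arn":"arn:aws:sts::111122223333:assumed-role/eks-node-role/i-0abc"},"requestParameters":{"functionName":"billing-export"},"sourceIPAddress":"10.0.1.23"}
{"eventTime":"2023-02-20T10:03:40Z","eventSource":"iam.amazonaws.com","eventName":"CreateAccessKey","userIdentity":{"arn":"arn:aws:sts::111122223333:assumed-role/eks-node-role/i-0abc"},"requestParameters":{"userName":"backup-svc"},"sourceIPAddress":"10.0.1.23"}
{"eventTime":"2023-02-20T10:05:00Z","eventSource":"s3.amazonaws.com","eventName":"ListObjects","userIdentity":{"arn":"arn:aws:sts::111122223333:assumed-role/ci-deploy-role/build-42"},"requestParameters":{"bucketName":"example-artifacts"},"sourceIPAddress":"10.0.2.8"}
"""

# Coarse mapping of (eventSource, eventName prefix) to a phase of the chain.
# Prefix matching is an assumption made because some CloudTrail event names
# (Lambda in particular) carry API-version suffixes.
TACTICS = {
    "discovery": {("sts.amazonaws.com", "GetCallerIdentity"),
                  ("s3.amazonaws.com", "ListBuckets"),
                  ("s3.amazonaws.com", "ListObjects"),
                  ("lambda.amazonaws.com", "ListFunctions")},
    "collection": {("s3.amazonaws.com", "GetObject"),
                   ("lambda.amazonaws.com", "GetFunction")},
    "persistence": {("iam.amazonaws.com", "CreateAccessKey"),
                    ("iam.amazonaws.com", "CreateUser"),
                    ("iam.amazonaws.com", "AttachUserPolicy")},
}


def classify(event):
    """Return the tactic an event belongs to, or None if it is not of interest."""
    source, name = event.get("eventSource"), event.get("eventName", "")
    for tactic, calls in TACTICS.items():
        if any(source == src and name.startswith(prefix) for src, prefix in calls):
            return tactic
    return None


def role_name(arn):
    """Extract the role from an assumed-role STS ARN; fall back to the whole ARN."""
    parts = arn.split(":")[-1].split("/")
    return parts[1] if parts[0] == "assumed-role" and len(parts) > 1 else arn


def parse_log(text):
    """Parse JSON Lines CloudTrail records, skipping blank lines."""
    return [json.loads(line) for line in text.splitlines() if line.strip()]


def profile_identities(events):
    """Count events per tactic for each role and note any Terraform state reads."""
    profiles = defaultdict(lambda: {"discovery": 0, "collection": 0,
                                    "persistence": 0, "state_files": []})
    for ev in events:
        tactic = classify(ev)
        if tactic is None:
            continue
        prof = profiles[role_name(ev["userIdentity"]["arn"])]
        prof[tactic] += 1
        key = (ev.get("requestParameters") or {}).get("key", "")
        if tactic == "collection" and key.endswith(".tfstate"):
            prof["state_files"].append(key)
    return dict(profiles)


def flag_suspicious(profiles):
    """Map each suspicious role to the reasons it was flagged."""
    findings = {}
    for role, prof in profiles.items():
        reasons = []
        if prof["persistence"]:
            reasons.append("persistence: IAM credential or user creation")
        if prof["discovery"] and prof["collection"]:
            reasons.append("discovery and collection across services from one identity")
        if prof["state_files"]:
            reasons.append("terraform state read: " + ", ".join(prof["state_files"]))
        if reasons:
            findings[role] = reasons
    return findings


if __name__ == "__main__":
    for role, reasons in flag_suspicious(profile_identities(parse_log(SAMPLE_LOG))).items():
        print(role)
        for reason in reasons:
            print("  -", reason)
```

Run against the sample, the node role is flagged on all three criteria while the CI role's single `ListObjects` call is not, which is the point of profiling by phase rather than alerting on any one API call. In practice the same logic would run over CloudTrail delivered to S3 or CloudWatch Logs, and the role-name check would be tightened to the specific workload roles that should never touch IAM or read state buckets.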
