"Pernicious Permissions: How Kubernetes Cryptomining Became an AWS Cloud Data Heist"
A vulnerable Kubernetes container and weak permissions enabled an adversary to turn an opportunistic cryptojacking attack into a widespread intrusion affecting intellectual property and sensitive data. The attack, dubbed "SCARLETEEL" by the cloud security company Sysdig, began with a threat actor exploiting a Kubernetes cluster, using an internal service to obtain temporary credentials, and then using those credentials to enumerate other Elastic Compute Cloud (EC2) services deployed in the infrastructure of the targeted company. Ultimately, the company, which was not identified in the incident report, limited the scope of permissions for the stolen identity, thereby neutralizing the attack.

Michael Clark, head of security research at Sysdig, notes that companies must be cautious when setting the controls that allow cloud resources to work with one another. The sophisticated attack also demonstrates that cybercriminals are increasingly targeting cloud infrastructure. In the past, threat actors focused on rudimentary interactions with cloud services, such as deploying cryptojacking software. However, cloud-focused attacks are becoming more prevalent as threat actors gain a better understanding of the vulnerabilities introduced by businesses. This article continues to discuss the SCARLETEEL attack on a company's Amazon Web Services (AWS) account.
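The summary's key defensive point is that narrowing the permissions attached to the stolen identity is what stopped the intrusion. The following Python is an added illustration, not code from the report or from Sysdig: it places a permissive instance-role policy beside a least-privilege one and shows which of the intruder's enumeration calls each would permit. The evaluator is a deliberately simplified model of IAM (explicit Deny wins, then any Allow, otherwise deny; wildcards only, no Condition, NotAction or NotResource), and the policies, the bucket name and the request lists are all constructed for the example.

```python
"""Compare a permissive EC2 instance-role policy with a least-privilege one.

Constructed example: the policies and the evaluator are illustrative, not the
AWS implementation. The evaluator models only the Allow/Deny/default-deny core
of IAM (no Condition, NotAction or NotResource), which is enough to show why
scoping a role limits what stolen temporary credentials can do.
"""
import fnmatch
from typing import Dict, Iterable, List, Tuple, Union

Policy = Dict[str, Union[str, List[dict]]]
Request = Tuple[str, str]  # (action, resource ARN or "*")

# Constructed: a role that can do anything, the kind of control the summary warns about.
WEAK_POLICY: Policy = {
    "Version": "2012-10-17",
    "Statement": [{"Effect": "Allow", "Action": "*", "Resource": "*"}],
}

# Constructed: the same role limited to what the workload actually needs,
# reading objects under one prefix of one bucket (bucket name is a placeholder).
SCOPED_POLICY: Policy = {
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": ["s3:GetObject"],
            "Resource": "arn:aws:s3:::example-app-assets/config/*",
        }
    ],
}

# Constructed: enumeration calls of the kind the summary attributes to the intruder
# once temporary credentials were obtained (EC2 Describe* calls take Resource "*").
ATTACKER_REQUESTS: List[Request] = [
    ("ec2:DescribeInstances", "*"),
    ("ec2:DescribeVolumes", "*"),
]
# Constructed: the one call the workload legitimately makes.
WORKLOAD_REQUEST: Request = (
    "s3:GetObject",
    "arn:aws:s3:::example-app-assets/config/app.yaml",
)


def _as_list(value: Union[str, List[str]]) -> List[str]:
    return [value] if isinstance(value, str) else list(value)


def _action_matches(patterns: Union[str, List[str]], action: str) -> bool:
    # Action names are matched case-insensitively; '*' and '?' are IAM wildcards.
    return any(fnmatch.fnmatchcase(action.lower(), p.lower()) for p in _as_list(patterns))


def _resource_matches(patterns: Union[str, List[str]], resource: str) -> bool:
    # ARNs are matched as written; '*' spans any run of characters, '/' included.
    return any(fnmatch.fnmatchcase(resource, p) for p in _as_list(patterns))


def is_allowed(policy: Policy, action: str, resource: str) -> bool:
    """Simplified IAM decision: explicit Deny wins, else any Allow, else deny."""
    allowed = False
    for stmt in policy["Statement"]:
        if not (_action_matches(stmt["Action"], action)
                and _resource_matches(stmt["Resource"], resource)):
            continue
        if stmt["Effect"] == "Deny":
            return False
        allowed = True
    return allowed


def blast_radius(policy: Policy, requests: Iterable[Request]) -> List[str]:
    """Return the requests a holder of this role's credentials could make."""
    return [f"{a} on {r}" for a, r in requests if is_allowed(policy, a, r)]


if __name__ == "__main__":
    for name, pol in (("weak", WEAK_POLICY), ("scoped", SCOPED_POLICY)):
        print(f"{name}: attacker calls permitted -> {blast_radius(pol, ATTACKER_REQUESTS)}")
        print(f"{name}: workload call permitted  -> {is_allowed(pol, *WORKLOAD_REQUEST)}")
```

Running the block shows that the scoped policy still serves the workload's single read while permitting none of the enumeration calls, which is the effect the summary describes when the company narrowed the stolen identity's permissions. In a real account the same check is best made with IAM's own policy simulator or Access Analyzer rather than a hand-written evaluator.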