SCARLETEEL is an attack campaign that targets containerized environments in order to steal proprietary data and software. The initial infection vector is the exploitation of a vulnerable public-facing service in a self-managed Kubernetes cluster hosted on Amazon Web Services (AWS).
Once the attacker has gained a foothold, they launch a cryptominer and use a bash script to obtain credentials that let them burrow further into the AWS cloud infrastructure and exfiltrate sensitive data. Notably, the intrusion also disables CloudTrail logging to minimize the digital footprint, which prevented Sysdig from recovering additional evidence.
In all, the campaign gave the threat actor access to more than 1TB of data, including customer scripts, troubleshooting tools, and logging files.
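A defender-side check for the CloudTrail tampering described above, as an added example that is not part of the original report: it scans CloudTrail records for API calls that stop, delete or reconfigure a trail and reports who made them. The sample records, account id, IPs and trail name are constructed placeholders.

```python
import json
from typing import Dict, Iterable, List

# CloudTrail control-plane actions that reduce or stop audit logging.
# An attacker who wants to hide post-exploitation activity must call
# one of these; they are rare in normal operations and worth alerting on.
LOG_TAMPERING_EVENTS = {"StopLogging", "DeleteTrail", "UpdateTrail", "PutEventSelectors"}

def find_cloudtrail_tampering(records: Iterable[Dict]) -> List[Dict]:
    """Return a finding for every record that tampers with a CloudTrail trail."""
    findings = []
    for r in records:
        # Only CloudTrail's own API is relevant; ignore S3, EC2, STS, etc.
        if r.get("eventSource") != "cloudtrail.amazonaws.com":
            continue
        if r.get("eventName") not in LOG_TAMPERING_EVENTS:
            continue
        identity = r.get("userIdentity") or {}
        params = r.get("requestParameters") or {}
        findings.append({
            "time": r.get("eventTime"),
            "action": r["eventName"],
            "trail": params.get("name"),
            "principal": identity.get("arn"),
            "principal_type": identity.get("type"),
            "source_ip": r.get("sourceIPAddress"),
        })
    return findings

def scan_jsonl(jsonl: str) -> List[Dict]:
    """Parse one CloudTrail record per line (as delivered to S3 and flattened) and scan it."""
    records = (json.loads(line) for line in jsonl.splitlines() if line.strip())
    return find_cloudtrail_tampering(records)

# Constructed sample: a benign read, a benign S3 call, then a StopLogging
# followed by DeleteTrail from a role session originating on a cluster node.
SAMPLE_EVENTS = """
{"eventTime":"2023-02-01T10:15:02Z","eventSource":"cloudtrail.amazonaws.com","eventName":"DescribeTrails","userIdentity":{"type":"IAMUser","arn":"arn:aws:iam::123456789012:user/auditor"},"sourceIPAddress":"203.0.113.10","requestParameters":null}
{"eventTime":"2023-02-01T10:16:30Z","eventSource":"s3.amazonaws.com","eventName":"GetObject","userIdentity":{"type":"AssumedRole","arn":"arn:aws:sts::123456789012:assumed-role/node-role/i-0abc"},"sourceIPAddress":"198.51.100.7","requestParameters":{"bucketName":"internal-data"}}
{"eventTime":"2023-02-01T10:17:44Z","eventSource":"cloudtrail.amazonaws.com","eventName":"StopLogging","userIdentity":{"type":"AssumedRole","arn":"arn:aws:sts::123456789012:assumed-role/node-role/i-0abc"},"sourceIPAddress":"198.51.100.7","requestParameters":{"name":"main-trail"}}
{"eventTime":"2023-02-01T10:19:30Z","eventSource":"cloudtrail.amazonaws.com","eventName":"DeleteTrail","userIdentity":{"type":"AssumedRole","arn":"arn:aws:sts::123456789012:assumed-role/node-role/i-0abc"},"sourceIPAddress":"198.51.100.7","requestParameters":{"name":"main-trail"}}
"""

if __name__ == "__main__":
    for f in scan_jsonl(SAMPLE_EVENTS):
        print(f"{f['time']} {f['action']} on trail={f['trail']} by {f['principal']} from {f['source_ip']}")
```

Because these events are the last thing a tampering actor writes before the trail goes quiet, forwarding them to a SIEM outside the affected account preserves the evidence even when the trail itself is deleted.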