In early 2023, Sysdig researchers discovered a cyber operation targeting public-facing containerized web apps running in a self-hosted K8s cluster, in order to mine for cryptocurrency and infiltrate the larger cloud environment. The operation, dubbed "SCARLETEEL", involved retrieving credentials for a cluster IAM role and assuming it to enumerate resources, exfiltrate S3 bucket data and steal the source code of Lambda functions.
The observed incident involved an unknown threat actor targeting a vulnerable public-facing service in a self-managed Kubernetes cluster hosted on Amazon Web Services (AWS). The researchers did not disclose which service was compromised, but they described how the actor gained code execution inside the container and ran XMRig to mine cryptocurrency. From that foothold the actor also queried the Instance Metadata Service (IMDS) to extract temporary credentials for the cluster's IAM role. IMDS at 169.254.169.254 is reachable from a pod's network namespace by default, so code execution in any container on a node is enough to read the node role's credentials unless IMDSv2 with a hop limit of 1 is enforced or the metadata address is blocked for pods.
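The credential-theft step above is the one a defender most wants to see in telemetry. The following detector is an added example, not code from the Sysdig report or from the SCARLETEEL tooling: it scans a constructed, hypothetical log of HTTP requests observed leaving container network namespaces (the `src=... method=... host=... path=... headers=...` format is an assumption for this example, not a real sensor output) and flags requests to the IMDS credential path, rating an IMDSv1 fetch without a session token as the worst case because it is the one a simple `curl` from a compromised pod can perform. The IMDS address, the `/latest/api/token` and `/latest/meta-data/iam/security-credentials/` paths and the `X-aws-ec2-metadata-token` header are the real AWS ones.

```python
"""Flag IMDS credential retrieval from container workloads.

Added example for this article; not from the Sysdig report. The log
format below is constructed for illustration.
"""
import re
from dataclasses import dataclass, field
from typing import Dict, List, Optional

IMDS_HOST = "169.254.169.254"
TOKEN_PATH = "/latest/api/token"                          # IMDSv2 session token endpoint
CRED_PREFIX = "/latest/meta-data/iam/security-credentials"  # instance role credentials
TOKEN_HEADER = "x-aws-ec2-metadata-token"                 # present only on IMDSv2 calls


@dataclass
class Request:
    src: str                     # "pod/<name>" or "node/<name>" (assumed sensor label)
    method: str
    host: str
    path: str
    headers: Dict[str, str] = field(default_factory=dict)


@dataclass
class Finding:
    src: str
    severity: str
    reason: str


# key=value tokens; values may be double-quoted to allow spaces
LINE_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')


def parse_line(line: str) -> Request:
    """Parse one constructed log line into a Request."""
    kv = {k: v.strip('"') for k, v in LINE_RE.findall(line)}
    headers: Dict[str, str] = {}
    for h in kv.get("headers", "").split(";"):
        if ":" in h:
            name, value = h.split(":", 1)
            headers[name.strip().lower()] = value.strip()
    return Request(kv["src"], kv["method"].upper(), kv["host"], kv["path"], headers)


def classify(req: Request) -> Optional[Finding]:
    """Return a Finding for suspicious IMDS access from a workload, else None."""
    if req.host != IMDS_HOST:
        return None
    if req.src.startswith("node/"):
        # host-level agents (kubelet, SSM agent, CNI) legitimately use IMDS
        return None
    if req.method == "PUT" and req.path == TOKEN_PATH:
        return Finding(req.src, "medium", "IMDSv2 session token requested from a workload")
    if req.path.startswith(CRED_PREFIX):
        if TOKEN_HEADER in req.headers:
            return Finding(req.src, "high", "instance role credentials read via IMDSv2 from a workload")
        return Finding(req.src, "critical", "instance role credentials read via IMDSv1 from a workload")
    return Finding(req.src, "low", f"metadata path {req.path} read from a workload")


def scan(lines: List[str]) -> List[Finding]:
    """Run classify() over every non-comment, non-empty line."""
    findings: List[Finding] = []
    for line in lines:
        if not line.strip() or line.lstrip().startswith("#"):
            continue
        f = classify(parse_line(line))
        if f is not None:
            findings.append(f)
    return findings


# Constructed sample: requests seen leaving container and node network namespaces.
SAMPLE_LOG = [
    "# constructed sample log, not real telemetry",
    "src=pod/web-7d9f8 method=GET host=10.0.3.7 path=/api/v1/items headers=",
    "src=node/ip-10-0-3-12 method=GET host=169.254.169.254 path=/latest/meta-data/instance-id headers=",
    "src=pod/web-7d9f8 method=GET host=169.254.169.254 path=/latest/meta-data/iam/security-credentials/ headers=",
    "src=pod/web-7d9f8 method=GET host=169.254.169.254 path=/latest/meta-data/iam/security-credentials/node-role headers=",
    'src=pod/batch-1 method=PUT host=169.254.169.254 path=/latest/api/token headers="X-aws-ec2-metadata-token-ttl-seconds: 21600"',
    'src=pod/batch-1 method=GET host=169.254.169.254 path=/latest/meta-data/iam/security-credentials/node-role headers="X-aws-ec2-metadata-token: AQAAAEXAMPLETOKEN"',
]

if __name__ == "__main__":
    for f in scan(SAMPLE_LOG):
        print(f"{f.severity:8} {f.src:16} {f.reason}")
```

On the sample the two IMDSv1 reads from `pod/web-7d9f8` come out as critical, the token request from `pod/batch-1` as medium and its token-bearing credential read as high, while the node's own instance-id lookup is ignored. Detection is the fallback; the control that removes the technique is requiring IMDSv2 with a hop limit of 1 on the nodes, or blocking 169.254.169.254 from pod network namespaces, so that a workload compromise does not yield the node role's credentials in the first place.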