CyberWire Daily - AMBERSQUID hides in the depths. [Research Saturday]

Episode Date: October 21, 2023

Sysdig's Alessandro Brucato and Michael Clark join Dave to discuss their work on "AWS's Hidden Threat: AMBERSQUID Cloud-Native Cryptojacking Operation." Attackers are targeting what are typically considered secure AWS services, like AWS Fargate and Amazon SageMaker. This means that defenders generally aren't as concerned with their security from end to end. The research states: "The AMBERSQUID operation was able to exploit cloud services without triggering the AWS requirement for approval of more resources, as would be the case if they only spammed EC2 instances." Targeting multiple services poses additional challenges for defenders, since it requires finding and killing all miners in each exploited service. The research can be found here: AWS's Hidden Threat: AMBERSQUID Cloud-Native Cryptojacking Operation

Transcript
Starting point is 00:00:00 You're listening to the Cyber Wire Network, powered by N2K. data products platform comes in. With Domo, you can channel AI and data into innovative uses that deliver measurable impact. Secure AI agents connect, prepare, and automate your data workflows, helping you gain insights, receive alerts, and act with ease through guided apps tailored to your role. Data is hard. Domo is easy. Learn more at ai.domo.com. That's ai.domo.com. Hello, everyone, and welcome to the CyberWire's Research Saturday. I'm Dave Bittner, and this is our weekly conversation with researchers and analysts tracking down the threats and vulnerabilities,
Starting point is 00:01:10 solving some of the hard problems, and protecting ourselves in a rapidly evolving cyberspace. Thanks for joining us. One of our research projects is related to the analysis of Docker images that are pushed and updated on Docker Hub every day. Our guests today are Alessandro Brucato and Michael Clark from Sysdig. The research we're discussing today is titled AWS's Hidden Threat, AmberSquid Cloud-Native Crypto-Jacking Operation.
Starting point is 00:01:54 Quite recently, one of those images actually caught our attention. That's Alessandro Brucato. Because we suddenly found that it was really interesting, as we delved into it, we discovered what we then called this AmberSquid operation. And what that image was about was actually to run a set of scripts that use some given AWS credentials. And what these scripts do is to spin up a lot of resources inside the victims' AWS environment. And these resources are spread among different services in multiple regions. The malicious point is that all of these resources were actually running crypto miners. So a lot of miners have been used in a lot of platforms in many ways. But this was the first time that we saw exploitation of legitimate AWS services
Starting point is 00:02:53 in order to actually run crypto miners. And that was really interesting to us. So, Michael, can you fill in some of the details here? I mean, reading through the research, it's my understanding that these folks were targeting some lesser-used AWS services. Is that a fair way to say it? Yeah, exactly. Like, we've seen many crypto mining operations that just use EC2. That's, like, the most common.
Starting point is 00:03:19 But in this operation, they were using Fargate, CodeBuild, Amplify, SageMaker. So they were really spreading across all these other services, which are not generally thought about as being used for crypto mining and don't have the same coverage in things like CloudTrail, like spinning up an EC2 might, the log aspect of FriendVic. So they're definitely trying to spread it out and fly under the radar. So is the notion here that these services
Starting point is 00:03:54 are less likely to raise a flag and say, hey, are you sure you want to be spending this kind of money with us? Exactly. When you try to spin up a bunch of EC2 on certain AWS accounts, it'll block you and you have to go ask for permission to do more and things like that. With all these other services, the compute's kind of abstracted away, but you can still run
Starting point is 00:04:18 your custom things on it. So they don't have the same restrictions. Well, walk me through how someone would find themselves falling victim to this. How does it begin? Docker images are actually post-exploitation weapons, we can say, because they require some AWS keys in order to be used. We can think of this attack scenario as these threat actors which stole, in any ways, some overly permissive keys
Starting point is 00:04:51 and then actually simply pass these keys to their Docker images and then just by running them, they will begin all of the process of running several resources among the services. Actually, the initial access is not really related to these Docker images. But then once the victim falls for these credentials still, in a few minutes, they will already find themselves in a pretty huge trouble, I would say,
Starting point is 00:05:25 because they will find themselves in the middle of a lot of resources spinning up, and it will be pretty hard for the investigators to find out and find all the resources, all the miners running, and actually kill them. So the post-investigation part will be pretty hard compared to mainly just targeting one service in one region. So, Michael, is this a case where once it's installed,
Starting point is 00:05:53 it sort of cascades across the services as quickly as possible to sort of a smash and grab kind of thing? We're going to get all the compute power that we can while we can? I don't think so. They don't go, like I said, they don't try to spin up as many EC2 instances as possible. The other services are, I think, they don't offer as many powerful resources as EC2 might, but they do offer runtime. So it may actually be kind of lower and slower.
Starting point is 00:06:23 But once you spread it out across many different regions and even multiple accounts, it can scale up pretty quickly, even though it's kind of going low and slow. And once they're up and running, are they aiming for persistence here? Yeah. So we found that there are actually some scripts that are exactly doing that. So they are just periodically checking if some of the resources have terminated and just rerun them. That's for every service. So the persistence factor is really one of the key factors of them.
Starting point is 00:07:01 Also because actually most of these services run what are called build instances. And build instances are actually some sort of EC2 instances, but managed by AWS in order to build some sort of projects, image, and stuff like that. And these attackers exploit these build instances to actually run the miners. And so when the build phase is terminated, those scripts take care of just rerunning and restarting the process in all the regions.
Starting point is 00:07:42 And now, a message from our sponsor, Zscaler, the leader in cloud security. Enterprises have spent billions of dollars on firewalls and VPNs, yet breaches continue to rise by an 18% year-over-year increase in ransomware attacks and a $75 million record payout in 2024. These traditional security tools expand your attack surface with public-facing IPs that are exploited by bad actors more easily than ever with AI tools. It's time to rethink your security. Zscaler Zero Trust plus AI stops attackers by hiding your attack surface, making apps and IPs invisible, eliminating lateral movement, connecting users only to specific apps, not the entire network,
Starting point is 00:08:28 continuously verifying every request based on identity and context, simplifying security management with AI-powered automation, and detecting threats using AI to analyze over 500 billion daily transactions. Hackers can't attack what they can't see. Protect your organization with Zscaler Zero Trust and AI. Learn more at zscaler.com slash security. And what are they mining here? What sort of crypto miners are they using?
Starting point is 00:09:07 We saw a lot of varieties of crypto miners, actually. Actually, I didn't count them, but they are, I think, more than 10 different cryptocurrencies. So actually, what we did was also a sort of research about all the crypto wallets that we found for every different cryptocurrency in order to see in which currency maybe they get more money out of them. But actually they mine with Tidecoin, Zephyr, Verus, Monero, and something more.
Starting point is 00:09:43 Do we have a sense for how successful they've been? Can we look inside some of those wallets? Yeah, we managed to look inside some of them. Not all of them, actually, but some of them, yes. And from what we saw, we count actually that around at least 18,000 of dollars were received in those wallets. But yeah, considering that there are also wallets
Starting point is 00:10:08 that cannot be investigated, yeah, this sum will be surely higher. Yeah. Any idea what part of the world these folks are coming from? From the actual language that we saw in the scripts, we expect that those actors can be Indonesian because we saw several, we saw different
Starting point is 00:10:27 words in Indonesian actually. And that makes sense actually because in Indonesia, probably the cost of life is pretty low. So mining and targeting companies all around the world to have to gather money
Starting point is 00:10:44 with crypto mining would be really good for them, actually. Michael, I'm curious, how would I find out that I was falling victim to this? I mean, would it be likely that the first alert I would have would be getting a surprise bill? If you're not monitoring your usage of different services, then yeah, your first notification would be the bill. Now, in our research, we did find that some of the services, when you start them up like SageMaker, pretty much all of them will
Starting point is 00:11:16 leave something in CloudTrail that says, hey, this thing started. Now, only one or two of them will give enough information to understand that they're bad. So if you know your environment very well and know that no one's doing SageMaker, no one's doing Amplify, then it can be easy to spot. But if those are commonly used in your environment, it will be exceedingly difficult to spot and understand that they're not supposed to be there. So what are your recommendations then? I mean, for folks to best protect themselves, what sort of things should they put in place?
Starting point is 00:11:49 The usual kind of AWS answer of limits and things like that. But you have to pay attention to your CloudTrail. Some of them do offer the opportunities for detection and response because in CloudTrail, I forget which services specifically, but they will have the command line in the CloudTrail log. So some of them do lend themselves to cloud detection response technologies. But for the other services, it really comes down to understanding if they're supposed to be running or not.
Starting point is 00:12:20 And you can use threat detection response to trigger on those if they're not supposed to be running. Other than that, there's really not too much that can be done, but that should be enough. Yeah. Alessandro, any final thoughts here? Yeah, so basically just to sum up the advantages of this operation, because it is always interesting to see how attackers come up with new ideas. And it's the first time that actually we saw something like that. But the main advantages in exploiting multiple services
Starting point is 00:12:54 is that, as we said, they bypass the restrictions that AWS itself can put in place. Also, the post-investigation for the victims will be harder, much harder, because they have to find all the running miners in order to kill them. And most of the services provide those instances without the ability for the victims to actually put in place some runtime security coverage. So it's a pretty interesting attack, I can say. And yeah, like everyone should put in place some really strong security measures
Starting point is 00:13:34 for the logging mechanism in order to correlate all the events in order to find out what exactly is going wrong. So reading through the research here, you point out that there's something interesting when it comes to the runtime here. What's going on? Yeah, so things like EC2 and Fargate, a lot of services let you run agents.
Starting point is 00:13:56 So you can monitor the behavior on all these compute instances. But these other services like Amplify, SageMaker, and the other ones in the report don't offer that capability. So these are kind of blind to all the runtime threat detection tools that are out there. So they make for a nice stealthy way for the attackers to run their miners and not be seen by typical threat detection.
Starting point is 00:14:34 Yeah, it really seems to me like this is sort of a novel and, dare I say, clever way of taking advantage of some compute power in a way that it isn't really intended to be used. Is that an accurate description? I think so. That's why we found it so interesting. We had never seen it before. And honestly, I'd never heard of some of the services involved before. You know, there are so many that these providers offer. And I'd never heard of like Amplify, for example. And to see that that was being abused was very interesting. Our thanks to Alessandro Brucato and Michael Clark from Sysdig for joining us. The research is titled AWS's Hidden Threat, AmberSquid, Cloud Native Crypto Jacking Operation. We'll have a link in the show notes. And now a message from Black Cloak. Did you know the easiest way for cybercriminals to bypass your company's defenses
Starting point is 00:15:32 is by targeting your executives and their families at home? Black Cloak's award-winning digital executive protection platform secures their personal devices, home networks, and connected lives. Because when executives are compromised at home, your company is at risk. In fact, over one-third of new members discover they've already been breached. Protect your executives and their families 24-7, 365 with Black Cloak. Learn more at blackcloak.io. of DataTribe, where they're co-building the next generation of cybersecurity teams and technologies. This episode was produced by Liz Ervin and senior producer Jennifer Iben. Our mixer is Elliot Peltzman. Our executive editor is Peter Kilpie, and I'm Dave Bittner. Thanks for listening.
