AMBERSQUID hides in the depths.
Dave Bittner: Hello, everyone, and welcome to the Cyberwire's "Research Saturday." I'm Dave Bittner and this is our weekly conversation with researchers and analysts tracking down the threats and vulnerabilities, solving some of the hard problems, and protecting ourselves in a rapidly-evolving cyberspace. Thanks for joining us. [ Music ]
Alessandro Brucato: One of our research projects is related to the analysis of Docker images that are pushed and updated on Docker Hub every day.
Dave Bittner: Our guests today are Alessandro Brucato and Michael Clark from Sysdig. The research we're discussing today is titled "AWS's Hidden Threat: AMBERSQUID Cloud-Native Cryptojacking Operation." [ Music ]
Alessandro Brucato: Quite recently, one of those images actually caught our attention.
Dave Bittner: That's Alessandro Brucato.
Alessandro Brucato: And because we suddenly found that it was really interesting, as we delved into it, we discovered what -- what we then called this AMBERSQUID Operation. And what that image was about was actually to run a set of scripts that uses some given AWS credentials. And what these scripts do is to spin up a lot of resources inside the environment of the -- inside the victim's AWS environment. And these resources are spread among different services in -- in multiple regions. The malicious point is that all of these resources were actually running crypto miners. So a lot of miners have been using a lot of platforms in many ways, but this was the first time that we saw exploitation of legitimate AWS services in order to actually run cryptominers. And -- and that was really interesting to us.
Dave Bittner: So, Michael, can you fill in some of the details here? I mean, reading through the research, it's my understanding that these folks were targeting some -- some lesser-used AWS services. Is -- is that a fair way to say it?
Michael Clark: Yeah. Exactly. Like, we've seen many crypto mining operations that just use EC2. That's, like, the most common. But in this operation, they were using Fargate, CodeBuild, Amplify, SageMaker. So they were really spreading across all these other services which are not generally thought about as being used for crypto mining and don't have the same coverage in things like CloudTrail -- like spinning up in EC2 might -- the -- the log aspect of [inaudible 00:02:53]. So they're definitely trying to spread it out and fly under the radar.
Dave Bittner: So is the notion here that these services are less likely to raise a flag and -- and say, hey, are you sure you want to be spending this kind of money with us?
Michael Clark: Exactly. That's one -- when you try to spin up much EC2 on certain AWS accounts, it will block you and you have to go ask for permission to do more, and things like that. With these -- all these other services, that's -- it computes kind of abstract in a way. But you could still run your custom things on it. So they don't have the same restrictions.
Dave Bittner: Well, walk me through how someone would find themselves falling victim to this. I mean, how does it begin?
Alessandro Brucato: Docker images are actually -- mostly exploitation weapons we can say because they require some AWS keys in order to be used. We can think of these attack scenario as -- of these -- these threat actors which stole in any ways some overly permissive keys and then, actually, simply passed these keys, they are Docker images, and then just by running them, they will begin this whole -- all of the process of running several resources among the -- the services. Actually, the initial access is not really related to all these Docker images, but then once the victim falls for the -- credential steal, they will in few -- in few minutes, they will already find themselves in pretty huge trouble, I would say, because they will find themselves in a sort of -- in the middle of a lot of resources spinning up and it will be pretty hard to -- for the investigators to find out and find all the resources all the miners running and actually kill them. So the post investigation part will be pretty hard compared to mainly just testing one service in one -- one region.
Dave Bittner: So, Michael, is this a case where once it's installed, it sort of cascades across the services as quickly as possible to -- sort of a smash and grab kind of thing? We're going to get all the -- the compute power that we can while we can?
Michael Clark: I don't think so. They don't go -- like, they don't try to spin up as many EC2 instances as possible.
Dave Bittner: Hmm.
Michael Clark: The other services are -- I think you -- they don't offer as many powerful resources as EC2 might, but they do offer, you know, run time. So it may actually be kind of lower and slow. But once you spread it out across many different regions, and even multiple accounts, it can scale up pretty quickly even though it's kind of going low and slow.
Dave Bittner: And once they're up and running, are they aiming for persistence here?
Alessandro Brucato: Yes. So we found that there -- there are actually some scripts, that they are exactly doing that. So they are just periodically checking if some of the resources is terminated, and just rerun them. And that's for every -- every service. So the persistent factor is -- is really one of the key factors then because -- also because, actually, most of the services run what -- what are called build instances. And build instances are actually some sort of EC2 instances, but managed by AWS. You know, to build some of projects image and stuff like that. And these attackers exploit these build instances to actually run the miners. And so when the builder pays, he's terminated. Those scripts take care of just rerunning and restarting the process in other regions. [ Music ] [ Music ]
Dave Bittner: And what are they mining here? What -- what sort of cryptominers are they using?
Alessandro Brucato: We saw a lot of varieties of cryptominers, actually. Actually didn't count them but there are, I think, more than ten different of the cryptomine -- cryptocurrencies. So -- so, actually, what we did -- what also sort of research about all the -- all the crypto wallets that we found for every different cryptocurrency, in order to see in which currency maybe they get more -- more money out of them. And, yes, but actually they -- they mine with Tidecoin, Zephyr, Verus, Monero, and some more.
Dave Bittner: Do we have a sense for how successful they've been? Do we -- can we look inside some of those wallets?
Alessandro Brucato: Yeah. We managed to look inside some of them -- not all of them, actually -- but some of them, yes. And from what we saw, we count actually that around -- at least 18,000 of dollars were received in those wallets. But, yeah, considering that there are -- there are also wallets have not been investigated yet, the sum would be actually higher.
Dave Bittner: Yeah. Any idea what part of the world these folks are coming from?
Alessandro Brucato: From the actual language that we saw in the scripts, we expect that those actors can be Indonesian because we saw several -- we saw different words in Indonesian, actually. And that makes sense, actually, because in Indonesia probably the cost of life is -- is pretty low, so mining and targeting, like, companies all around the world to -- to gather money with crypto mining could be really good for them, actually.
Dave Bittner: Hmm. Michael, I -- I'm curious. How would I find out that I was falling victim to this? I mean, is this -- is it -- would it be likely that the first alert I would have would be getting a surprise bill?
Michael Clark: If you're not monitoring your -- your usage of different services, then yeah. Your -- your first notification would be the bill. Now -- like, in our research we did find that some of the services when you start them up, like SageMaker -- pretty much all of them -- will leave something in CloudTrail that says, hey, I -- I -- this thing has started. Now only one or two of them will give enough information to understand that they're bad. So if you know your environment very well and know that no one is doing SageMaker, no one is doing Amplify, then it can be easy to spot. But if those are commonly used in your environment, it is -- it would be exceedingly difficult to understand that they're -- they're not supposed to be there.
Dave Bittner: So what are your recommendations then -- I mean, for folks to best protect themselves? What sort -- sort of things should they put in place?
Michael Clark: I think the usual kind of AWS answer of, you know, limits and things like that. But you have to pay attention to your CloudTrail. Some of them do offer the opportunities for detection and response because they -- in the CloudTrail, I forget which services. Typically, like, they will have the command line in the -- in the CloudTrail log, so some of them do lend themselves to Cloud protection and response technologies. But the other -- for the other services, it really comes down to understanding if they're supposed to be running or not. And you can use threat detection response to figure on those if they're not supposed to be running. Other than that, there's really not too much that can be done, but that should be enough.
Dave Bittner: Yeah. Alessandro, any final thoughts here?
Alessandro Brucato: Yeah. So basically just to sum up the advantages of these -- of this operation because it is -- it is always interesting to see how, like, attackers come up with the new ideas and it's the first time that actually we saw something like that. But the main advantages are in -- in exploiting multiple, multiple services is that, as we said, there -- they, like, passed the restriction that can be put into place by -- AWS itself. Also they -- their post investigation for the victims will be harder -- much harder because they have to find all the running miners in order to kill them. And then most of the services provide those instances without ability of actually -- for the victim of actually to put in place some runtime security coverage. So it's a pretty interesting attack, I can say, and yeah, like, everyone should put in place some really strong security measures for the log in mechanism in order to correlate all the events in order to find out what exactly is going wrong.
Dave Bittner: So reading through the research here, you point out that there's something interesting when it comes to the runtime here? What's going on?
Michael Clark: Yeah, so, like, things like EC2 and Stargate, a lot of services let you run agents. They can moderate behavior on all these compute instances. But these other services, like Amplify, SageMaker, and the other ones in our report, don't offer that capability. So these are kind blind to all the runtime threat protection pools that are out there. So they make for a nice stealthy way for the attackers to run their miners and not be seen by typical, you know, threat protection.
Dave Bittner: Yeah, it really seems to me like this is sort of a novel and -- dare I say clever way of taking advantage of some compute power in a way that it isn't really intended to be used. Is -- is that an accurate description?
Michael Clark: I think so. That's why we found it so interesting is we had never seen it before, and honestly I'd never heard of some of the services involved before. You know, there are so many that the providers offer, and I'd never heard of, like, Amplify, for example. And to see that they -- that was being abused was -- was very interesting. [ Music ]
Dave Bittner: Our thanks to Alessandro Brucato and Michael Clark from Sysdig for joining us. The research is titled "AWS's Hidden Threat: AMBERSQUID Cloud-Native Cryptojacking Operation." We'll have a link in the show notes. [ Music ] [ Music ] The Cyberwire "Research Saturday" podcast is a production of N2K Networks, proudly produced in Maryland out of the startup studios of DataTribe, where they're co-building the next generation of cyber security teams and technologies. This episode was produced by Liz Irvin and Senior Producer Jennifer Eiben. Our mixer is Elliott Peltzman. Our Executive Editor is Peter Kilpe. And I'm Dave Bittner. Thanks for listening.