CyberWire Daily

AMBERSQUID hides in the depths. [Research Saturday]

Oct 21, 2023

Sysdig's researchers discuss their work on the AMBERSQUID Cloud-Native Cryptojacking Operation, targeting supposedly secure AWS services. The operation exploits services without triggering AWS resource approval, posing challenges in finding and eliminating miners. The podcast covers the tactics and strategies used by attackers for crypto mining, the challenges of detecting malicious services in AWS environments, and highlights the research conducted by Sysdig.

17:37

Creator website

Episode guests

Alessandro Brucato

Michael Clark

AI Summary

AI Chapters

Episode notes

Podcast summary created with Snipd AI

Quick takeaways

AMBERSQUID operation targets AWS's lesser-used services for cryptojacking, bypassing typical threat detection.

Identifying and investigating all the miners running across multiple services and regions poses a significant challenge for defenders.

Deep dives

Crypto Jacking Operation Exploiting AWS Services

In this podcast episode, researchers discuss a crypto jacking operation called the Amber Squid, which targets lesser-used AWS services rather than the more commonly targeted EC2. The attackers spin up resources in victims' AWS environments and use them to mine various cryptocurrencies. By spreading their activity across different services and regions, they aim to avoid detection. The attackers leverage legitimate AWS services like Fargate, CodeBuild, Amplify, and SageMaker, which offer runtime capabilities that bypass typical threat detection. Monitoring usage and implementing strong security measures, along with understanding if services are supposed to be running, are recommended for protection.

Introduction

4min

Exploiting AWS Services for Crypto Mining Operation

3min

Attackers' Tactics and Strategies for Cryptocurrency Mining

4min

Challenges of detecting malicious services in AWS environments

3min

AWS's Hidden Threat: Amber Squid, cloud native crypto jacking operation

3min

Sysdig's Alessandro Brucato and Michael Clark join Dave to discuss their work on "AWS's Hidden Threat: AMBERSQUID Cloud-Native Cryptojacking Operation." Attackers are targeting what are typically considered secure AWS services, like AWS Fargate and Amazon SageMaker. This means that defenders generally aren’t as concerned with their security from end-to-end.

The research states "The AMBERSQUID operation was able to exploit cloud services without triggering the AWS requirement for approval of more resources, as would be the case if they only spammed EC2 instances." This poses additional challenges targeting multiple services since it requires finding and killing all miners in each exploited service.

The research can be found here:

AWS’s Hidden Threat: AMBERSQUID Cloud-Native Cryptojacking Operation

Learn more about your ad choices. Visit megaphone.fm/adchoices

Get the Snipd
podcast app

Unlock the knowledge in podcasts with the podcast player of the future.

AI-powered
podcast player

Listen to all your favourite podcasts with AI-powered features

Discover
highlights

Listen to the best highlights from the podcasts you love and dive into the full episode

Save any
moment

Hear something you like? Tap your headphones to save it with AI-generated key takeaways

Share
& Export

Send highlights to Twitter, WhatsApp or export them to Notion, Readwise & more

AI-powered
podcast player

Listen to all your favourite podcasts with AI-powered features

Discover
highlights

Listen to the best highlights from the podcasts you love and dive into the full episode

CyberWire Daily

AMBERSQUID hides in the depths. [Research Saturday]

Episode guests

Podcast summary created with Snipd AI

Quick takeaways

Deep dives

Crypto Jacking Operation Exploiting AWS Services

Challenges in Detecting and Responding to the Attack

Indication of Indonesian Origins and Financial Impact

Get the Snipd
podcast app

AI-powered
podcast player

Discover
highlights

Save any
moment

Share
& Export

AI-powered
podcast player

Discover
highlights

CyberWire Daily

AMBERSQUID hides in the depths. [Research Saturday]

Episode guests

Podcast summary created with Snipd AI

Quick takeaways

Deep dives

Crypto Jacking Operation Exploiting AWS Services

Challenges in Detecting and Responding to the Attack

Indication of Indonesian Origins and Financial Impact

Get the Snipdpodcast app

AI-poweredpodcast player

Discoverhighlights

Save anymoment

Share& Export

AI-poweredpodcast player

Discoverhighlights

Get the Snipd
podcast app

AI-powered
podcast player

Discover
highlights

Save any
moment

Share
& Export

AI-powered
podcast player

Discover
highlights