Uncommon AWS Services Targeted by New AMBERSQUID Cryptojacking Operation

An innovative cloud-native cryptojacking campaign has targeted lesser-known Amazon Web Services (AWS) offerings like AWS Amplify, AWS Fargate, and Amazon SageMaker, with the intent of clandestinely mining cryptocurrency.

The cloud and container security firm Sysdig has codenamed this malicious cyber activity as AMBERSQUID.

In a report shared with The Hacker News, Sysdig security researcher Alessandro Brucato noted that the AMBERSQUID operation was able to exploit cloud services without triggering AWS's resource approval requirements, which would have been triggered had the attackers only targeted EC2 instances.

Targeting multiple services also creates added challenges for defenders, such as incident response, because all miners within each compromised service must be detected and terminated.

Sysdig found this campaign by analyzing 1.7 million images on Docker Hub. It attributes the campaign, with a moderate level of confidence, to Indonesian attackers because of the use of the Indonesian language in scripts and usernames.

Some of these images are designed to run cryptocurrency miners downloaded from GitHub repositories controlled by the attackers. Others use shell scripts to target AWS.

A key characteristic is the abuse of AWS CodeCommit, which is used to host private Git repositories, to “generate a private repository which they then used in different services as a source.”

The repository has the source code for an AWS Amplify app. A shell script uses this app to create an Amplify web app, which is then used to start the cryptocurrency miner.

Threat actors use shell scripts for cryptojacking in AWS Fargate and SageMaker, causing substantial victim compute costs. Sysdig estimates potential daily losses exceeding $10,000 if AMBERSQUID expands to all AWS regions. The attackers have earned over $18,300 from wallet addresses so far.

Indonesian threat actors have been previously associated with cryptojacking campaigns. In May 2023, Permiso P0 Labs reported an actor named GUI-vil using Amazon Web Services (AWS) Elastic Compute Cloud (EC2) instances for crypto mining operations.

Less common services such as Amplify, Fargate, and SageMaker can often be neglected in terms of security because they offer less visibility compared to what is available through runtime threat detection.
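One way to regain some of that visibility is to watch the control plane for a single principal creating resources across several of these services in a short time. The following is an added example, not code from Sysdig or from the original article: the event-to-service mapping, the thresholds, and the sample CloudTrail-style records are assumptions constructed for illustration.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Resource-creating CloudTrail events for the services the article names.
# Assumption: the page does not say which API calls the operators made.
# ECS RunTask stands in for Fargate; a real rule would also check launchType.
WATCHED = {
    ("codecommit.amazonaws.com", "CreateRepository"): "CodeCommit",
    ("amplify.amazonaws.com", "CreateApp"): "Amplify",
    ("ecs.amazonaws.com", "RunTask"): "Fargate",
    ("sagemaker.amazonaws.com", "CreateNotebookInstance"): "SageMaker",
}

def multi_service_spread(events, min_services=3, window=timedelta(hours=1)):
    """Flag principals that create resources in min_services or more watched
    services inside one window; return {arn: {service: [regions]}} to review."""
    hits_by_arn = defaultdict(list)
    for ev in events:
        service = WATCHED.get((ev["eventSource"], ev["eventName"]))
        if service:
            when = datetime.strptime(ev["eventTime"], "%Y-%m-%dT%H:%M:%SZ")
            hits_by_arn[ev["userIdentity"]["arn"]].append((when, service, ev["awsRegion"]))
    findings = {}
    for arn, hits in hits_by_arn.items():
        hits.sort()
        flagged = any(
            len({s for t, s, _ in hits[i:] if t - start <= window}) >= min_services
            for i, (start, _, _) in enumerate(hits))
        if flagged:  # list every watched service and region, not just the window
            todo = defaultdict(set)
            for _, service, region in hits:
                todo[service].add(region)
            findings[arn] = {s: sorted(r) for s, r in todo.items()}
    return findings

def _ev(time, source, name, arn, region="us-east-1"):
    return {"eventTime": time, "eventSource": source, "eventName": name,
            "awsRegion": region, "userIdentity": {"arn": arn}}

# Constructed sample records, not taken from the Sysdig report.
SUSPECT = "arn:aws:iam::111122223333:user/ci-deploy"
DEV = "arn:aws:iam::111122223333:user/dev-alice"
SAMPLE = [
    _ev("2023-09-18T10:00:00Z", "codecommit.amazonaws.com", "CreateRepository", SUSPECT),
    _ev("2023-09-18T10:02:00Z", "amplify.amazonaws.com", "CreateApp", SUSPECT),
    _ev("2023-09-18T10:05:00Z", "ecs.amazonaws.com", "RunTask", SUSPECT, "us-west-2"),
    _ev("2023-09-18T10:09:00Z", "sagemaker.amazonaws.com", "CreateNotebookInstance", SUSPECT, "eu-west-1"),
    _ev("2023-09-18T09:00:00Z", "amplify.amazonaws.com", "CreateApp", DEV),
    _ev("2023-09-18T15:00:00Z", "codecommit.amazonaws.com", "CreateRepository", DEV),
]
```

The per-service, per-region result doubles as the cleanup checklist for incident response, since every listed service has to be inspected for running miners.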

About the Author:

FirstHackersNews- Identifies Security
