Cloud-Native Cryptojacking Scheme Explores Unconventional AWS Services


A new cryptojacking operation, named AMBERSQUID, has surfaced, with its focus on less well-known AWS cloud offerings, including AWS Amplify, AWS Fargate, and Amazon SageMaker, for illicit cryptocurrency mining.

Cloud and container security firm Sysdig has dubbed this malicious campaign “AMBERSQUID.”

According to a report by Sysdig security researcher Alessandro Brucato, AMBERSQUID illicitly exploited cloud services without triggering AWS’s resource approval procedures, which would have been required if it had solely targeted EC2 instances. Brucato explained that “Targeting multiple services also poses additional challenges, such as incident response, as it necessitates identifying and terminating all miners within each exploited service.”

Sysdig discovered this campaign while analyzing 1.7 million images hosted on Docker Hub. The firm attributes this campaign to Indonesian attackers with moderate confidence, primarily because of the use of the Indonesian language in scripts and usernames.

Diverse Tactics: From GitHub Miners to AWS Cloud Shell Scripts

Some threat actors design compromised images to run cryptocurrency miners downloaded from GitHub repositories, while others execute shell scripts that target AWS.

A notable aspect is the misuse of AWS CodeCommit, a service designed for hosting private Git repositories, to “generate a private repository that they then utilized in various services as a source.” This repository contains the source code of an AWS Amplify application, which a shell script uses to create an Amplify web app and subsequently launch the cryptocurrency miner.

Observers have also noted that the threat actors actively employ shell scripts to conduct cryptojacking on AWS Fargate and SageMaker instances, resulting in significant compute costs for their victims.

Sysdig estimates that if scaled to target all AWS regions, AMBERSQUID could lead to daily losses exceeding $10,000. A further investigation into the wallet addresses used by the attackers reveals earnings of over $18,300 to date.

Indonesian threat actors have a history of involvement in cryptojacking campaigns. In May 2023, Permiso P0 Labs provided details about an actor named “GUI-vil,” who they found using AWS Elastic Compute Cloud (EC2) instances for crypto mining operations.

Security Blind Spots: The Importance of Comprehensive Monitoring

Alessandro Brucato emphasized, “While most financially motivated attackers target compute services like EC2, it’s essential to remember that many other services also provide access to compute resources, albeit more indirectly. it’s easy to overlook these services because they offer reduced visibility compared to runtime threat detection”.