A newly emerged cryptojacking operation, tailored for cloud-native environments, has turned its focus towards less common Amazon Web Services (AWS) offerings such as AWS Amplify, AWS Fargate, and Amazon SageMaker to clandestinely mine cryptocurrency.
Dubbed AMBERSQUID by cloud and container security firm Sysdig, the activity exploited these cloud services without triggering the AWS resource approval process that would have been required had the attackers simply spammed EC2 instances.
Sysdig’s security researcher Alessandro Brucato explained in a report shared with The Hacker News, “The AMBERSQUID operation was able to exploit cloud services without triggering the AWS requirement for approval of more resources, as would be the case if they only spammed EC2 instances.” He further added, “Targeting multiple services also poses additional challenges, like incident response, since it requires finding and killing all miners in each exploited service.”
The discovery of this campaign came after Sysdig analyzed 1.7 million images on Docker Hub. They attribute the operation with moderate confidence to Indonesian attackers based on the utilization of the Indonesian language in scripts and usernames.
The modus operandi involves the deployment of cryptocurrency miners downloaded from actor-controlled GitHub repositories within some Docker images, while other images run shell scripts that target AWS services.
One notable tactic involves the misuse of AWS CodeCommit, a service used to host private Git repositories. Attackers generate a private repository, which they then deploy across various services as a source. This repository contains the source code of an AWS Amplify app, which is utilized by a shell script to create an Amplify web app, ultimately facilitating the launch of the cryptocurrency miner.
The threat actors have also been observed utilizing shell scripts to execute cryptojacking in AWS Fargate and SageMaker instances, resulting in substantial compute costs for the victims.
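A defender-side illustration of the chain described in the two paragraphs above, added here and not taken from Sysdig's report: it correlates CloudTrail-style records so that a principal who creates a CodeCommit repository and then an Amplify app within a short window is flagged, together with the regions it touched and any other indirect compute it used (Fargate via ECS `RunTask`, SageMaker notebooks, Amplify build jobs). The event names are the standard CloudTrail values for those APIs; the sample records, account ID, ARNs and the 30-minute window are constructed assumptions.

```python
import json
from datetime import datetime

# Constructed CloudTrail-style records (not real telemetry): "leaked-key" follows the
# CodeCommit -> Amplify -> SageMaker chain; "frontend-dev" is ordinary developer noise.
SAMPLE_LOG = """
{"eventTime":"2023-09-01T10:00:00Z","eventSource":"codecommit.amazonaws.com","eventName":"CreateRepository","userIdentity":{"arn":"arn:aws:iam::111111111111:user/leaked-key"},"awsRegion":"us-east-1"}
{"eventTime":"2023-09-01T10:03:00Z","eventSource":"amplify.amazonaws.com","eventName":"CreateApp","userIdentity":{"arn":"arn:aws:iam::111111111111:user/leaked-key"},"awsRegion":"us-east-1"}
{"eventTime":"2023-09-01T10:04:00Z","eventSource":"amplify.amazonaws.com","eventName":"StartJob","userIdentity":{"arn":"arn:aws:iam::111111111111:user/leaked-key"},"awsRegion":"eu-west-1"}
{"eventTime":"2023-09-01T10:09:00Z","eventSource":"sagemaker.amazonaws.com","eventName":"CreateNotebookInstance","userIdentity":{"arn":"arn:aws:iam::111111111111:user/leaked-key"},"awsRegion":"ap-southeast-1"}
{"eventTime":"2023-09-01T11:00:00Z","eventSource":"amplify.amazonaws.com","eventName":"CreateApp","userIdentity":{"arn":"arn:aws:iam::111111111111:user/frontend-dev"},"awsRegion":"us-east-1"}
{"eventTime":"2023-09-02T09:00:00Z","eventSource":"codecommit.amazonaws.com","eventName":"CreateRepository","userIdentity":{"arn":"arn:aws:iam::111111111111:user/frontend-dev"},"awsRegion":"us-east-1"}
"""

REPO_CREATE = ("codecommit.amazonaws.com", "CreateRepository")
APP_CREATE = ("amplify.amazonaws.com", "CreateApp")
# Less-watched routes to compute, per the services named in the article.
INDIRECT_COMPUTE = {("amplify.amazonaws.com", "StartJob"), ("ecs.amazonaws.com", "RunTask"),
                    ("sagemaker.amazonaws.com", "CreateNotebookInstance")}

def parse_events(text):
    """Parse newline-delimited CloudTrail records, skipping blank lines."""
    return [json.loads(line) for line in text.splitlines() if line.strip()]

def _ts(ev):
    return datetime.strptime(ev["eventTime"], "%Y-%m-%dT%H:%M:%SZ")

def _kind(ev):
    return (ev["eventSource"], ev["eventName"])

def find_chains(events, window_minutes=30):
    """Flag principals that create a CodeCommit repo and then an Amplify app within
    window_minutes; report regions touched and other indirect compute they used."""
    by_actor = {}
    for ev in events:
        by_actor.setdefault(ev["userIdentity"]["arn"], []).append(ev)
    hits = []
    for arn, evs in by_actor.items():
        repos = [_ts(e) for e in evs if _kind(e) == REPO_CREATE]
        apps = [_ts(e) for e in evs if _kind(e) == APP_CREATE]
        # Order matters: the repo must exist before it can back an Amplify app.
        if any(0 <= (a - r).total_seconds() <= window_minutes * 60
               for r in repos for a in apps):
            hits.append({
                "arn": arn,
                "regions": sorted({e["awsRegion"] for e in evs}),
                "indirect_compute": sorted(e["eventName"] for e in evs if _kind(e) in INDIRECT_COMPUTE),
            })
    return hits
```

Run against real CloudTrail output the same per-principal, time-ordered correlation applies; a multi-region spread in `regions` is the signal that matters for the cost estimate the article gives.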
Sysdig estimates that if scaled to target all AWS regions, AMBERSQUID could incur losses of over $10,000 per day. An analysis of the wallet addresses associated with the attacks reveals that the perpetrators have earned over $18,300 in revenues to date.
This isn’t the first time Indonesian threat actors have been implicated in cryptojacking campaigns. In May 2023, Permiso P0 Labs detailed an actor named GUI-vil, which leveraged Amazon Web Services (AWS) Elastic Compute Cloud (EC2) instances for crypto mining operations.
Michael Clark, director of threat research at Sysdig, noted, “there doesn’t appear to be much cross-over between the TTPs of the two attacks,” suggesting they are likely carried out by distinct groups. He also highlighted the thriving community around cryptojacking in Indonesia.
“While most financially motivated attackers target compute services, such as EC2,” Brucato emphasized, “it is important to remember that many other services also provide access to compute resources (albeit more indirectly).” He stressed that these services must not be overlooked from a security perspective, since they receive far less visibility than what runtime threat detection provides.