A new cryptojacking operation has been found targeting lesser-known AWS offerings such as AWS Amplify, AWS Fargate, and Amazon SageMaker to secretly mine cryptocurrency. Named AMBERSQUID, the campaign manages to exploit these cloud services without triggering AWS's usual resource approval process. The services are referred to as uncommon since they are overlooked from a security perspective.
Diving into details
Sysdig revealed that it came across this campaign by examining 1.7 million images on Docker Hub.
It's worth noting that the first account was established in May 2022, and its development persisted until August of the same year.
Subsequently, the attackers continued to upload cryptocurrency mining images using different accounts until March 2023, at which point they set up a GitHub account.
To make their operation less conspicuous, they refrained from creating their own repositories initially. Instead, they downloaded cryptocurrency miners from well-known GitHub repositories and incorporated them into the layers of their Docker images.
Their repositories currently lack any source code, but they offer the miners as downloadable archives through releases. These binaries are usually labeled as "test," compressed using UPX, and intentionally altered to make them challenging to unpack.
The attack has been moderately attributed to attackers from Indonesia due to the presence of the Indonesian language in scripts and usernames.
Why this matters
As per researchers, if AMBERSQUID were to expand its scope to target all AWS regions, it could potentially lead to daily losses exceeding $10,000.
Additionally, upon scrutinizing the wallet addresses employed, it becomes evident that the attackers have accumulated over $18,300 in earnings thus far.
Focusing on numerous services also presents added complexities, such as handling incident response. This is because it necessitates the identification and termination of all cryptocurrency miners within each compromised service.
The bottom line
The emergence of the AMBERSQUID cryptojacking operation, with its focus on relatively obscure AWS services, underscores the evolving landscape of cyber threats. These less-recognized AWS offerings, often overlooked from a security standpoint, have become prime targets for cryptocurrency mining exploitation.
To counter such threats, organizations must intensify vigilance, deploy robust monitoring systems, and enforce strict access controls. Regular audits of Docker images and repositories can help identify and thwart these covert operations.