Researchers from the Sysdig Threat Research Team have uncovered a cloud-native cryptojacking operation called AMBERSQUID [7] [10]. This operation targets uncommon Amazon Web Services (AWS) offerings [1] [2] [8] [9], including AWS Amplify, AWS Fargate [1] [2] [5] [6] [7] [8] [9] [10], and Amazon SageMaker [1] [2] [3] [5] [6] [8] [9] [10]. The attackers abuse these cloud services without triggering the approval AWS requires before granting additional resources.

Description

The attackers use stolen credentials to deploy malicious Docker images on AWS and create roles with access to services like AWS Amplify [3], AWS CodeCommit [1] [2] [3] [6] [9], AWS CloudWatch [3], and SageMaker [1] [2] [3] [5] [6] [8] [9] [10]. These roles are then abused to create private Git repositories, build and deploy malicious apps [3], and run cryptominers [3]. The attackers also focus on AWS CloudFormation, AWS CodeBuild [3], Amazon EC2 Auto Scaling [3], and Amazon SageMaker’s Jupyter Notebook instances [3].

This operation is particularly concerning because it targets AWS Fargate and Amazon SageMaker, which are often overlooked from a security perspective [1] [5] [7] [10], making them vulnerable to attack [5]. The researchers estimate that if scaled to target all AWS regions [2], AMBERSQUID could result in losses of over $10,000 per day [1] [2] [6] [9].
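The two preceding paragraphs describe the attack chain (stolen credentials, new roles, a private CodeCommit repository, an Amplify build, then SageMaker or Fargate compute for the miner) and the risk of the campaign being scaled across every AWS region. The script below is an added detection example written for this summary; it is not code from Sysdig or from any of the cited reports. It walks a set of CloudTrail records, groups them by calling principal, and raises a finding when one principal touches several stages of that chain inside a short window or creates resources in a region outside a hypothetical approved list. The `(eventSource, eventName)` pairs are real CloudTrail values; the stage labels, the approved-region baseline, the account ID and the sample events are constructed for illustration.

```python
"""Flag CloudTrail activity matching the AMBERSQUID pattern described above.

Added example, not from the cited reports or Sysdig. CloudTrail records
below are constructed for illustration (account ID is a placeholder).
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Real CloudTrail (eventSource, eventName) pairs for the services named in
# the write-ups, mapped to a stage label of our own for the reported chain:
# role creation -> private repo -> app build -> compute that runs the miner.
STAGE_OF_EVENT = {
    ("iam.amazonaws.com", "CreateRole"): "role",
    ("iam.amazonaws.com", "AttachRolePolicy"): "role",
    ("codecommit.amazonaws.com", "CreateRepository"): "repo",
    ("amplify.amazonaws.com", "CreateApp"): "build",
    ("codebuild.amazonaws.com", "CreateProject"): "build",
    ("sagemaker.amazonaws.com", "CreateNotebookInstance"): "compute",
    ("ecs.amazonaws.com", "RunTask"): "compute",
}

# Hypothetical baseline: regions this account is expected to use.
APPROVED_REGIONS = {"us-east-1", "eu-west-1"}


def _ts(s):
    """Parse the CloudTrail eventTime format."""
    return datetime.strptime(s, "%Y-%m-%dT%H:%M:%SZ")


def analyze(events, window=timedelta(hours=1), min_stages=3):
    """Return a list of findings, one per (actor, reason).

    "service_chain": one principal touched at least `min_stages` distinct
    stages of the chain within `window`.
    "unapproved_region": a principal created resources in a region outside
    APPROVED_REGIONS (the spread-to-every-region pattern).
    """
    by_actor = defaultdict(list)
    for ev in events:
        stage = STAGE_OF_EVENT.get((ev["eventSource"], ev["eventName"]))
        if stage is None:
            continue  # not part of the chain we are tracking
        by_actor[ev["userIdentity"]["arn"]].append(
            (_ts(ev["eventTime"]), stage, ev["awsRegion"]))

    findings = []
    for actor, recs in sorted(by_actor.items()):
        recs.sort()  # earliest first, so recs[i:] is the forward window
        for i, (t0, _, _) in enumerate(recs):
            stages = {st for t, st, _ in recs[i:] if t - t0 <= window}
            if len(stages) >= min_stages:
                findings.append({"actor": actor, "reason": "service_chain",
                                 "stages": sorted(stages)})
                break
        bad_regions = sorted({rg for _, _, rg in recs} - APPROVED_REGIONS)
        if bad_regions:
            findings.append({"actor": actor, "reason": "unapproved_region",
                             "regions": bad_regions})
    return findings


# --- constructed sample telemetry (not real logs) -------------------------
ATTACKER = "arn:aws:iam::111122223333:user/compromised-user"
DEPLOYER = "arn:aws:iam::111122223333:role/ci-deploy"


def _ev(time, source, name, region, arn):
    """Build a minimal CloudTrail-shaped record."""
    return {"eventTime": time, "eventSource": source, "eventName": name,
            "awsRegion": region, "userIdentity": {"arn": arn}}


SAMPLE_EVENTS = [
    # Stolen-credential principal runs the whole chain in 12 minutes,
    # spreading into regions the account never uses.
    _ev("2023-09-01T10:00:00Z", "iam.amazonaws.com", "CreateRole", "us-east-1", ATTACKER),
    _ev("2023-09-01T10:03:00Z", "codecommit.amazonaws.com", "CreateRepository", "ap-south-1", ATTACKER),
    _ev("2023-09-01T10:07:00Z", "amplify.amazonaws.com", "CreateApp", "ap-south-1", ATTACKER),
    _ev("2023-09-01T10:12:00Z", "sagemaker.amazonaws.com", "CreateNotebookInstance", "sa-east-1", ATTACKER),
    # Legitimate CI role: one repo in an approved region, plus an unrelated call.
    _ev("2023-09-01T09:00:00Z", "codecommit.amazonaws.com", "CreateRepository", "us-east-1", DEPLOYER),
    _ev("2023-09-01T11:00:00Z", "s3.amazonaws.com", "GetObject", "us-east-1", DEPLOYER),
]

if __name__ == "__main__":
    import json
    print(json.dumps(analyze(SAMPLE_EVENTS), indent=2))
```

Run against the constructed sample, the CI role produces no findings, while the compromised user produces both a `service_chain` finding (all four stages inside the one-hour window) and an `unapproved_region` finding for `ap-south-1` and `sa-east-1`. In a real deployment the records would come from a CloudTrail query rather than the inline list, and `APPROVED_REGIONS` would be the account's actual baseline.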

The campaign was discovered during a scan of Linux container images on Docker Hub [3]. The attackers, believed to be based in Indonesia, have been observed using the Indonesian language in scripts and usernames [1] [9]. This is not the first time Indonesian threat actors have been linked to cryptojacking campaigns [1] [2] [9]. These attackers also engage in freejacking and cryptojacking attacks for financial gain [5].

What sets this attack apart is its simultaneous exploitation of multiple services, which makes incident response more challenging [3] [4]. The campaign has resulted in significant compute costs for the victims, with the attackers earning more than $18,300 in revenues to date [1] [2] [9].

Conclusion

It is important to remember that services other than compute services can also provide access to compute resources and may be overlooked from a security perspective [1]. This AMBERSQUID operation highlights the need for increased vigilance and security measures to protect against cloud-native cryptojacking attacks. Mitigations should include regular monitoring and scanning of container images, strong authentication and access controls, and awareness of potential vulnerabilities in less commonly targeted AWS offerings. Failure to address these vulnerabilities could result in significant financial losses and reputational damage.

References

[1] https://www.ihash.eu/2023/09/new-ambersquid-cryptojacking-operation-targets-uncommon-aws-services/
[2] https://flyytech.com/2023/09/18/new-ambersquid-cryptojacking-operation-targets-uncommon-aws-services/
[3] https://www.csoonline.com/article/652763/aws-cryptojacking-campaign-abuses-less-used-services-to-hide.html
[4] https://allinfosecnews.com/item/awss-hidden-threat-ambersquid-cloud-native-cryptojacking-operation-2023-09-18–2/
[5] https://restoreprivacy.com/hidden-aws-threats-cloud-native-cryptojacking-operation-ambersquid/
[6] https://www.claytoncountyregister.com/news2/new-ambersquid-cryptojacking-operation-targets-uncommon-aws-services/447201/
[7] https://headtopics.com/uk/cryptojackers-spread-nets-to-capture-more-than-just-ec2-44597734
[8] https://gixtools.net/2023/09/new-ambersquid-cryptojacking-operation-targets-uncommon-aws-services/
[9] https://thehackernews.com/2023/09/new-ambersquid-cryptojacking-operation.html
[10] https://allinfosecnews.com/item/awss-hidden-threat-ambersquid-cloud-native-cryptojacking-operation-2023-09-18–1/