New AMBERSQUID cryptojacking operation targets uncommon AWS services


A new cloud-native cryptojacking operation has set its sights on unusual offerings from Amazon Web Services (AWS), such as AWS Amplify, AWS Fargate, and Amazon SageMaker, to illegally mine cryptocurrencies.
The malicious cyber activity has been codenamed AMBERSQUID by cloud and container security company Sysdig.
“Operation AMBERSQUID was able to leverage cloud services without triggering the AWS requirement to approve more resources, as would be the case if they only spammed EC2 instances,” said Alessandro Brucato, security researcher at Sysdig, in a report shared with The Hacker News.
“Targeting multiple services also poses additional challenges, such as incident response, because it requires finding and killing all miners from each exploited service.”

Sysdig said it discovered the campaign following an analysis of 1.7 million images on Docker Hub, attributing it with moderate confidence to Indonesian attackers based on the use of the Indonesian language in scripts and usernames.
Some of these images are designed to run cryptocurrency miners downloaded from actor-controlled GitHub repositories, while others run shell scripts targeting AWS.
A key feature is the abuse of AWS CodeCommit, which is used to host private Git repositories, to “generate a private repository that they then use across different services as a source.”

The repository contains source code for an AWS Amplify application which, in turn, is leveraged by a shell script to create an Amplify web application and ultimately launch the cryptocurrency miner.
Threat actors have also been observed using shell scripts to perform cryptojacking on AWS Fargate and SageMaker instances, resulting in significant computational costs for victims.
Sysdig estimates that AMBERSQUID could result in losses of more than $10,000 per day if scaled to all AWS regions. Further analysis of the wallet addresses used reveals that the attackers have earned over $18,300 in revenue to date.
This is not the first time that Indonesian threat actors have been associated with cryptojacking campaigns. In May 2023, Permiso P0 Labs detailed an actor named GUI-vil that was spotted leveraging Amazon Web Services (AWS) Elastic Compute Cloud (EC2) instances to perform crypto mining operations.
“Even though most financially motivated attackers target compute services, such as EC2, it is important to keep in mind that many other services also provide access to compute resources (albeit more indirectly),” Brucato said.
“It’s easy for these services to be overlooked from a security perspective because visibility is less than that available through runtime threat detection.”