New AMBERSQUID Cryptojacking Operation Targets Uncommon AWS Services

Cyber Security Threat Summary:
A new cloud-native cryptojacking operation, known as AMBERSQUID, is targeting less common AWS services like AWS Amplify, AWS Fargate, and Amazon SageMaker for illicit cryptocurrency mining. Sysdig, a security firm, identified this campaign while analyzing 1.7 million Docker Hub images and attributed it to Indonesian attackers due to their use of the Indonesian language in scripts and usernames.

Some of these images are designed to execute cryptocurrency miners downloaded from GitHub repositories controlled by malicious actors, while others employ shell scripts to target AWS. A notable aspect is the misuse of AWS CodeCommit, a platform for private Git repositories, to "generate a private repository that they then utilize across various services." Within this repository lies the source code of an AWS Amplify application, which a shell script utilizes to create an Amplify web app and subsequently initiate the cryptocurrency mining process. These threat actors have also been observed using shell scripts to engage in cryptojacking within AWS Fargate and SageMaker instances, resulting in substantial computing expenses for the victims.

Security Officer Comments:
Sysdig's assessment suggests that should AMBERSQUID expand to target all AWS regions, it could lead to daily losses exceeding $10,000. Further examination of the wallet addresses used by the attackers reveals accumulated revenues of over $18,300 to date. This isn't the first instance of Indonesian threat actors being associated with cryptojacking campaigns. In May 2023, Permiso P0 Labs documented an actor named GUI-vil, which was observed utilizing Amazon Web Services (AWS) Elastic Compute Cloud (EC2) instances for crypto mining operations.

Suggested Correction(s):
All services provided by a CSP must be monitored for malicious use. If runtime threat detection isn't possible, higher-level logging of service usage (for example the cloud audit trail) should be monitored in order to catch threats like AMBERSQUID. If malicious activity is detected, response actions should be taken quickly to disable the involved services and limit the damage. While this operation occurred on AWS, other CSPs could easily be the next target.
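As an added example (not code from Sysdig's report or from the campaign's tooling), the following Python sketches the kind of higher-level logging check this recommendation points to: it scans CloudTrail-style events for a principal that creates a CodeCommit repository and then launches compute through Amplify, Fargate or SageMaker shortly afterwards. The API names are real CloudTrail event names; the one-hour window, the principal ARNs and the sample events are constructed assumptions.

```python
"""Flag the AMBERSQUID-style sequence in CloudTrail events: a principal creates a
CodeCommit repository, then launches Amplify, Fargate or SageMaker compute soon after."""
from collections import defaultdict
from datetime import datetime, timedelta

# CloudTrail eventSource -> API calls the campaign abused (real API names)
COMPUTE_EVENTS = {
    "amplify.amazonaws.com": {"CreateApp", "CreateBranch", "StartJob"},
    "ecs.amazonaws.com": {"RunTask"},
    "sagemaker.amazonaws.com": {"CreateNotebookInstance"},
}
WINDOW = timedelta(hours=1)  # assumed gap between repo creation and compute use

def _ts(event):
    return datetime.strptime(event["eventTime"], "%Y-%m-%dT%H:%M:%SZ")

def find_suspicious_principals(events):
    """Return {principal_arn: [(eventSource, eventName), ...]} for principals
    that created a CodeCommit repo and then used an abused compute service
    within WINDOW. Returns an empty dict when nothing matches."""
    repo_created = {}           # principal -> time of first CreateRepository
    hits = defaultdict(list)
    for e in sorted(events, key=_ts):
        arn = e["userIdentity"]["arn"]
        src, name = e["eventSource"], e["eventName"]
        if src == "codecommit.amazonaws.com" and name == "CreateRepository":
            repo_created.setdefault(arn, _ts(e))
            continue
        if name not in COMPUTE_EVENTS.get(src, ()):
            continue
        # Only Fargate launches matter for ECS; EC2-backed tasks are ignored
        if name == "RunTask" and e.get("requestParameters", {}).get("launchType") != "FARGATE":
            continue
        t0 = repo_created.get(arn)
        if t0 is not None and _ts(e) - t0 <= WINDOW:
            hits[arn].append((src, name))
    return dict(hits)

# Constructed sample events (not real campaign logs); fields mirror CloudTrail
_U = {"arn": "arn:aws:iam::123456789012:user/compromised-user"}  # assumed
_A = {"arn": "arn:aws:iam::123456789012:user/admin"}             # assumed
SAMPLE_EVENTS = [
    {"eventTime": "2023-09-01T10:00:00Z", "eventSource": "codecommit.amazonaws.com", "eventName": "CreateRepository", "userIdentity": _U},
    {"eventTime": "2023-09-01T10:05:00Z", "eventSource": "amplify.amazonaws.com", "eventName": "CreateApp", "userIdentity": _U},
    {"eventTime": "2023-09-01T10:20:00Z", "eventSource": "ecs.amazonaws.com", "eventName": "RunTask", "userIdentity": _U, "requestParameters": {"launchType": "FARGATE"}},
    {"eventTime": "2023-09-01T10:30:00Z", "eventSource": "sagemaker.amazonaws.com", "eventName": "CreateNotebookInstance", "userIdentity": _A},
    {"eventTime": "2023-09-01T14:00:00Z", "eventSource": "ecs.amazonaws.com", "eventName": "RunTask", "userIdentity": _U, "requestParameters": {"launchType": "EC2"}},
]
```

Run against SAMPLE_EVENTS it reports only the compromised user, with the Amplify CreateApp and Fargate RunTask that followed its repository creation; the admin's SageMaker call and the EC2-backed task are not flagged.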