"AMBERSQUID" Cryptojacking Op Generates a High-Dollar Resource Bill
Category: Threat Actor Activity | Industry: Global | Source: Sysdig
Researchers from Sysdig Threat Research have reported a sophisticated cloud-native cryptojacking operation named "AMBERSQUID," shedding light on an attack that leverages AWS services not typically exploited for attacks, such as AWS Amplify, AWS Fargate, and Amazon SageMaker. Abuse of these overlooked services can be very costly, literally: the resource utilization can generate in excess of $10,000 in charges per day for the victim.
"The AMBERSQUID operation was able to exploit cloud services without triggering the AWS requirement for approval of more resources, as would be the case if they only spammed EC2 instances," Sysdig researcher Alessandro Brucato reports. This multifaceted approach complicates incident response, as the attackers must be detected and removed from each compromised service. Sysdig's research attributes the operation to Indonesian attackers, given the "use of Indonesian language in scripts and usernames." The campaign was uncovered through an examination of over 1.7 million Linux images; initial static scans were not enough to identify the images as malicious, and the cryptojacking intent became apparent only when the images were executed. The first account created for this campaign was the DockerHub account "rizal91," registered in May 2022.
The technical analysis of the attack reveals a complex web of AWS services and scripts, including Docker Hub, AWS CodeCommit, AWS Amplify, ECS/Fargate, CloudFormation, EC2 Auto Scaling, and Amazon SageMaker, all orchestrated to enable cryptojacking. Although significant resources are spun up, the attackers attempt to do so in efficient, low-impact ways so as not to cause disruption and draw immediate attention. The operation's extensive use of varied AWS services underscores the need for vigilant monitoring and guardrails across all cloud services.
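One detection angle that follows from the multi-service pattern described above is to flag a single principal that creates resources in several of these rarely-used services within a short window. The following is an added example, not code from Sysdig or the article: it runs over constructed CloudTrail-style records (the ARNs, timestamps and event mix are invented), using the real CloudTrail `eventSource` and `eventName` values for the services the campaign abused.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Resource-creating API calls in the services AMBERSQUID abused
# (real CloudTrail eventSource / eventName values; the set is illustrative, not exhaustive).
WATCHED = {
    "codecommit.amazonaws.com": {"CreateRepository"},
    "amplify.amazonaws.com": {"CreateApp"},
    "ecs.amazonaws.com": {"CreateCluster", "RunTask"},
    "cloudformation.amazonaws.com": {"CreateStack"},
    "autoscaling.amazonaws.com": {"CreateAutoScalingGroup"},
    "sagemaker.amazonaws.com": {"CreateNotebookInstance", "CreateTrainingJob"},
}

# Constructed sample principals and events (hypothetical account id and names).
ATTACKER_ARN = "arn:aws:iam::111122223333:user/compromised-user"
BENIGN_ARN = "arn:aws:iam::111122223333:role/deploy-role"

def _ev(t, src, name, arn):
    return {"eventTime": t, "eventSource": src, "eventName": name, "userIdentity": {"arn": arn}}

SAMPLE_EVENTS = [
    _ev("2023-09-01T09:00:00Z", "cloudformation.amazonaws.com", "CreateStack", BENIGN_ARN),
    _ev("2023-09-01T10:00:00Z", "codecommit.amazonaws.com", "CreateRepository", ATTACKER_ARN),
    _ev("2023-09-01T10:05:00Z", "amplify.amazonaws.com", "CreateApp", ATTACKER_ARN),
    _ev("2023-09-01T10:12:00Z", "ecs.amazonaws.com", "RunTask", ATTACKER_ARN),
    _ev("2023-09-01T10:20:00Z", "sagemaker.amazonaws.com", "CreateNotebookInstance", ATTACKER_ARN),
    _ev("2023-09-01T10:30:00Z", "ecs.amazonaws.com", "RunTask", BENIGN_ARN),
    _ev("2023-09-01T10:35:00Z", "ec2.amazonaws.com", "DescribeInstances", ATTACKER_ARN),  # read-only, ignored
    _ev("2023-09-01T11:40:00Z", "cloudformation.amazonaws.com", "CreateStack", ATTACKER_ARN),  # outside window
]

def _parse_time(s):
    return datetime.strptime(s, "%Y-%m-%dT%H:%M:%SZ")

def find_multi_service_bursts(events, window=timedelta(hours=1), min_services=3):
    """Return {principal_arn: sorted list of services} for every principal that issued
    resource-creating calls in at least `min_services` distinct watched services
    within any sliding window of length `window`."""
    per_principal = defaultdict(list)
    for ev in events:
        if ev.get("eventName") in WATCHED.get(ev.get("eventSource"), ()):
            per_principal[ev["userIdentity"]["arn"]].append((_parse_time(ev["eventTime"]), ev["eventSource"]))
    flagged = {}
    for arn, calls in per_principal.items():
        calls.sort()
        for i, (start, _) in enumerate(calls):
            services = {src for t, src in calls[i:] if t - start <= window}
            if len(services) >= min_services:
                flagged[arn] = sorted(services)
                break
    return flagged

if __name__ == "__main__":
    for arn, services in find_multi_service_bursts(SAMPLE_EVENTS).items():
        print(f"ALERT {arn}: created resources in {len(services)} services: {', '.join(services)}")
```

The threshold and window are tuning knobs; a CI role that legitimately drives CloudFormation and ECS together should be allow-listed rather than the rule loosened.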