Malicious Misconfiguration: AMBERSQUID Cryptojacking

A novel cloud-native cryptojacking operation, codenamed AMBERSQUID, has been targeting uncommon Amazon Web Services (AWS) offerings, including AWS Amplify, AWS Fargate, and Amazon SageMaker, to illicitly mine cryptocurrency. The malicious campaign was discovered by Sysdig, a cloud and container security firm, and presents a significant threat due to its ability to exploit AWS services without triggering the need for additional resource approval.

Attack Details

The AMBERSQUID operation is attributed to Indonesian threat actors based on language analysis in scripts and usernames. The attackers utilize Docker Hub images to deploy cryptocurrency miners downloaded from actor-controlled GitHub repositories and run shell scripts targeting AWS services. Key characteristics include the abuse of AWS CodeCommit to generate private repositories and the use of AWS Amplify to create web apps that launch the cryptocurrency miner.

The attackers exploit AWS services without triggering resource approval by leveraging AWS CodeCommit and targeting multiple AWS services. This approach poses challenges for incident response efforts, requiring identifying and eliminating miners across multiple exploited services.

Impact

The AMBERSQUID crypto jacking operation can result in significant financial losses, exceeding $10,000 per day if fully deployed across AWS regions. Victims may experience substantial computing costs and potential disruptions to their services.

Recommendation

Organizations are advised to take the following actions to mitigate the threat posed by AMBERSQUID:

• Monitor AWS services for unusual activity and unauthorized resource utilization.

• Regularly review and audit AWS CodeCommit repositories for any unauthorized access or abuse.

• Educate users and teams on best practices for securing AWS resources and preventing crypto jacking.

In conclusion, The AMBERSQUID cryptojacking operation highlights the importance of securing traditional compute services and less visible AWS offerings. Organizations need to remain vigilant, implement robust security measures, and educate their teams to mitigate the risks associated with cryptojacking.