New AMBERSQUID Cryptojacking Operation Targets Uncommon AWS Services

2023-09-18 12:30

A novel cloud-native cryptojacking operation has set its eyes on uncommon Amazon Web Services offerings such as AWS Amplify, AWS Fargate, and Amazon SageMaker to illicitly mine cryptocurrency.

"The AMBERSQUID operation was able to exploit cloud services without triggering the AWS requirement for approval of more resources, as would be the case if they only spammed EC2 instances," Sysdig security researcher Alessandro Brucato said in a report shared with The Hacker News.

"Targeting multiple services also poses additional challenges, like incident response, since it requires finding and killing all miners in each exploited service."

Some of these images are engineered to execute cryptocurrency miners downloaded from actor-controlled GitHub repositories, while others run shell scripts targeting AWS. A key characteristic is the abuse of AWS CodeCommit, which is used to host private Git repositories, to "Generate a private repository which they then used in different services as a source."

The threat actors have also been observed employing shell scripts to perform cryptojacking in AWS Fargate and SageMaker instances, incurring significant compute costs for the victims.

"While most financially motivated attackers target compute services, such as EC2, it is important to remember that many other services also provide access to compute resources," Brucato said.

News URL

https://thehackernews.com/2023/09/new-ambersquid-cryptojacking-operation.html

#AWS #cryptojacking