AWS's Hidden Threat: AMBERSQUID Cloud-Native Cryptojacking Operation
Blog post from Sysdig
The Sysdig Threat Research Team has identified a novel cryptojacking operation, named AMBERSQUID, that exploits less commonly targeted AWS services like AWS Amplify, AWS Fargate, and Amazon SageMaker, bypassing typical security measures and potentially costing victims over $10,000 daily. This operation, attributed to Indonesian attackers due to language clues, involves multiple AWS services, making incident response challenging as it requires terminating miners across all exploited services. The cryptojacking scheme was uncovered through analysis of over 1.7 million Linux images to identify malicious container payloads. The attackers use Docker Hub to distribute container images embedded with cryptomining scripts and have been active since May 2022, continuously evolving their tactics to avoid detection. They leverage AWS CodeCommit, Amplify, ECS, and other services to deploy and run mining operations, often using obfuscated binaries and creating extensive AWS infrastructure to maximize their mining capabilities. The operation highlights the need for comprehensive monitoring of all cloud services to detect and respond swiftly to such cyber threats, as similar tactics could be adapted for use against other cloud service providers.
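As an added example (not code from the Sysdig post), the following Python applies the post's "monitor every service" point as a detection: it scans CloudTrail-style records, constructed inline here, for a single principal that creates capacity across several of the named services (Amplify, ECS/Fargate, SageMaker, CodeCommit) and several regions within a short window. The watchlist of actions and the thresholds are assumptions to tune per account.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Watchlist of API actions that create compute or deployment capacity in the services the
# post names. The action names are real CloudTrail eventName values; which ones to watch
# is an assumption to tune per account.
CAPACITY_EVENTS = {
    "amplify.amazonaws.com": {"CreateApp", "CreateBranch", "StartJob"},
    "ecs.amazonaws.com": {"CreateCluster", "CreateService", "RunTask"},
    "sagemaker.amazonaws.com": {"CreateNotebookInstance", "CreateTrainingJob"},
    "codecommit.amazonaws.com": {"CreateRepository"},
}

def _ev(arn, source, name, region, when):  # minimal CloudTrail-shaped record
    return {"userIdentity": {"arn": arn}, "eventSource": source,
            "eventName": name, "awsRegion": region, "eventTime": when}
# Constructed sample, not real telemetry: "ci-bot" fans out across four services and
# three regions in ten minutes; "alice" does ordinary single-service work.
BOT = "arn:aws:iam::111122223333:user/ci-bot"
ALICE = "arn:aws:iam::111122223333:user/alice"
SAMPLE_EVENTS = [
    _ev(BOT, "codecommit.amazonaws.com", "CreateRepository", "us-east-1", "2023-09-01T10:00:05Z"),
    _ev(BOT, "amplify.amazonaws.com", "CreateApp", "us-east-1", "2023-09-01T10:01:10Z"),
    _ev(BOT, "ecs.amazonaws.com", "RunTask", "eu-west-1", "2023-09-01T10:04:30Z"),
    _ev(BOT, "sagemaker.amazonaws.com", "CreateNotebookInstance", "ap-southeast-1", "2023-09-01T10:09:00Z"),
    _ev(BOT, "ecs.amazonaws.com", "RunTask", "us-east-1", "2023-09-01T10:09:40Z"),
    _ev(ALICE, "ecs.amazonaws.com", "RunTask", "us-east-1", "2023-09-01T10:02:00Z"),
    _ev(ALICE, "ecs.amazonaws.com", "DescribeTasks", "us-east-1", "2023-09-01T10:03:00Z"),
]

def _ts(s):
    return datetime.fromisoformat(s.replace("Z", "+00:00"))

def find_fanout(events, min_services=3, min_regions=2, window=timedelta(hours=1)):
    """Return {principal_arn: (services, regions)} for every principal that created capacity
    in >= min_services watched services across >= min_regions regions inside one window."""
    by_actor = defaultdict(list)
    for e in events:
        if e["eventName"] in CAPACITY_EVENTS.get(e["eventSource"], ()):
            by_actor[e["userIdentity"]["arn"]].append(e)
    hits = {}
    for arn, evs in by_actor.items():
        evs.sort(key=lambda e: _ts(e["eventTime"]))
        for i, start in enumerate(evs):  # slide the window over each event as its start
            t0 = _ts(start["eventTime"])
            span = [e for e in evs[i:] if _ts(e["eventTime"]) - t0 <= window]
            services = {e["eventSource"] for e in span}
            regions = {e["awsRegion"] for e in span}
            if len(services) >= min_services and len(regions) >= min_regions:
                hits[arn] = (sorted(services), sorted(regions))
                break
    return hits
```

On the sample, only ci-bot is reported, with all four services and three regions; alice's single-service ECS activity is ignored, as is the read-only DescribeTasks call.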