AMBERSQUID, a cryptojacking campaign that hits AWS services

October 11, 2023

A new cloud-native cryptojacking operation called AMBERSQUID has emerged. It targets less commonly abused Amazon Web Services (AWS) offerings, including AWS Amplify, AWS Fargate, and Amazon SageMaker, to run its cryptomining operations.

The AMBERSQUID operation can abuse these cloud services without triggering the approval AWS would require for additional resources if the actors simply spammed EC2 instances. This strategy lets the attackers operate discreetly and makes the campaign difficult for incident response teams, which must hunt down and eradicate miners across several abused services.

Newly discovered evidence suggests that Indonesian hackers are the operators of the new AMBERSQUID campaign.

New investigations suggest that hackers from Indonesia could be operating the new AMBERSQUID campaign. The evidence for this assessment is the Indonesian language used in scripts and usernames. These hackers deploy various tactics to execute their malicious attacks against targeted entities.

Moreover, one of the characteristics of AMBERSQUID is its misuse of AWS CodeCommit, a service that hosts private Git repositories. The attackers use this service to create private repositories, which they then reference as a source from various other AWS services.

The repository stores the source code of an AWS Amplify application, which a shell script retrieves to build an Amplify web app. This web app becomes the launching pad for the threat actors' cryptomining operation.

However, the new AMBERSQUID campaign does not limit its cryptojacking to Amplify alone. Its operators have allegedly used shell scripts to abuse AWS Fargate and SageMaker as well, running up substantial compute costs for their victims.
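The incident response difficulty described above, a miner footprint spread across CodeCommit, Amplify, Fargate and SageMaker rather than concentrated in EC2, suggests a simple defensive correlation: flag any single identity that creates a CodeCommit repository and then launches compute in several of these services within a short window. The following Python is an added example written for this article; it is not part of the original report or of the AMBERSQUID tooling. The event names are the real AWS API names recorded by CloudTrail (`CreateRepository`, `CreateApp`, `RunTask`, `CreateNotebookInstance`), but the log records, account id, ARNs, timestamps and the 15-minute/3-service thresholds are constructed assumptions for illustration.

```python
"""
Added example (not from the original article): correlate constructed
CloudTrail-style records to flag one identity that, inside a short window,
creates a CodeCommit repository and then launches compute in Amplify,
Fargate (ECS RunTask) and SageMaker, the service spread the article
attributes to AMBERSQUID. Event names follow the real AWS API names; the
records, ARNs, regions and timestamps below are constructed sample data.
"""
import json
from collections import defaultdict
from datetime import datetime, timedelta

# Services named in the article, keyed by CloudTrail eventSource, with the
# control-plane calls that create billable resources in each of them.
WATCHED_CALLS = {
    "codecommit.amazonaws.com": {"CreateRepository"},
    "amplify.amazonaws.com": {"CreateApp", "StartJob"},
    "ecs.amazonaws.com": {"RunTask", "CreateService"},
    "sagemaker.amazonaws.com": {"CreateNotebookInstance", "CreateTrainingJob"},
}

# Constructed CloudTrail records (one JSON object per line), not real telemetry.
# "ci-deploy" fans out across four services in four minutes; "dev-team" is a
# normal developer creating a repo and an app 40 minutes apart.
SAMPLE_LOG = """\
{"eventTime":"2023-09-20T10:00:05Z","eventSource":"codecommit.amazonaws.com","eventName":"CreateRepository","userIdentity":{"arn":"arn:aws:iam::111122223333:user/ci-deploy"},"awsRegion":"us-east-1"}
{"eventTime":"2023-09-20T10:01:10Z","eventSource":"amplify.amazonaws.com","eventName":"CreateApp","userIdentity":{"arn":"arn:aws:iam::111122223333:user/ci-deploy"},"awsRegion":"us-east-1"}
{"eventTime":"2023-09-20T10:02:30Z","eventSource":"ecs.amazonaws.com","eventName":"RunTask","userIdentity":{"arn":"arn:aws:iam::111122223333:user/ci-deploy"},"awsRegion":"eu-west-1"}
{"eventTime":"2023-09-20T10:03:45Z","eventSource":"sagemaker.amazonaws.com","eventName":"CreateNotebookInstance","userIdentity":{"arn":"arn:aws:iam::111122223333:user/ci-deploy"},"awsRegion":"ap-southeast-1"}
{"eventTime":"2023-09-20T10:05:00Z","eventSource":"s3.amazonaws.com","eventName":"GetObject","userIdentity":{"arn":"arn:aws:iam::111122223333:user/ci-deploy"},"awsRegion":"us-east-1"}
{"eventTime":"2023-09-20T11:00:00Z","eventSource":"codecommit.amazonaws.com","eventName":"CreateRepository","userIdentity":{"arn":"arn:aws:iam::111122223333:role/dev-team"},"awsRegion":"us-east-1"}
{"eventTime":"2023-09-20T11:40:00Z","eventSource":"amplify.amazonaws.com","eventName":"CreateApp","userIdentity":{"arn":"arn:aws:iam::111122223333:role/dev-team"},"awsRegion":"us-east-1"}
"""


def parse_events(log_text):
    """Parse newline-delimited CloudTrail records into sorted
    (time, identity arn, eventSource, eventName, region) tuples."""
    events = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        rec = json.loads(line)
        events.append((
            datetime.strptime(rec["eventTime"], "%Y-%m-%dT%H:%M:%SZ"),
            rec["userIdentity"]["arn"],
            rec["eventSource"],
            rec["eventName"],
            rec["awsRegion"],
        ))
    return sorted(events)


def find_multi_service_spread(events, window_minutes=15, min_services=3):
    """Return identities whose watched calls touch >= min_services distinct
    services inside one sliding window of window_minutes.

    Each finding lists the services and regions involved and the window
    bounds, which is what a responder needs to start hunting across services.
    """
    per_identity = defaultdict(list)
    for ev in events:
        _, arn, source, name, _ = ev
        if name in WATCHED_CALLS.get(source, ()):
            per_identity[arn].append(ev)

    findings = []
    window = timedelta(minutes=window_minutes)
    for arn, evs in per_identity.items():
        for i, start in enumerate(evs):
            in_window = [e for e in evs[i:] if e[0] - start[0] <= window]
            services = sorted({e[2] for e in in_window})
            if len(services) >= min_services:
                findings.append({
                    "identity": arn,
                    "services": services,
                    "regions": sorted({e[4] for e in in_window}),
                    "window_start": in_window[0][0].isoformat(),
                    "window_end": in_window[-1][0].isoformat(),
                })
                break  # one finding per identity is enough for triage
    return findings


if __name__ == "__main__":
    for finding in find_multi_service_spread(parse_events(SAMPLE_LOG)):
        print(json.dumps(finding, indent=2))
```

Run against the sample, only `ci-deploy` is reported, with all four services and three regions in a single four-minute window; `dev-team` stays quiet because two services 40 minutes apart never meet the threshold. In production the same logic would read CloudTrail from S3 or CloudWatch Logs, and the thresholds would be tuned to how much cross-service automation the account legitimately performs.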

If this campaign expanded its operations across all AWS regions, it could cause daily losses exceeding $10,000. Unfortunately, a recent analysis of the cryptocurrency wallet addresses associated with the operation showed that the AMBERSQUID operators have already earned more than $18,300 in illicit profits.

The new AMBERSQUID campaign shows that threat actors will continue to innovate and adapt to earn revenue from cybercriminal operations. Organisations that rely on cloud services should safeguard their infrastructure against such sophisticated threats by fortifying their cybersecurity defences.
