Cryptojackers spread their nets to capture more than just EC2

AMBERSQUID operation takes AWS's paths less travelled in search of compute


As cloud native computing continues to gain popularity, so does the risk posed by criminals seeking to exploit the unwary. One newly spotted method targets services on the AWS platform, but not necessarily the ones you might think.

Researchers from the Sysdig Threat Research Team (TRT) have uncovered a cryptojacking operation dubbed "AMBERSQUID," which does not directly target EC2 instances that would trigger an approval for more resources.

Instead, according to researchers, it is aimed at often-overlooked services, such as AWS Amplify, AWS Fargate, and AWS Sagemaker.

Researchers said: "The uncommon nature of these services means that they are often overlooked from a security perspective, and the AMBERSQUID operation can cost victims more than $10,000 per day."

AMBERSQUID was discovered after more than 1.7 million Linux images were analyzed. A typical static scan showed nothing amiss; the malicious activity only became apparent once the container was run.

The original container that sparked the investigation was found on Docker Hub, and many accounts started with little more than a basic container image running a cryptominer. Researchers noted: "However, they eventually switched to the AWS-specific services."

The attack comprises a succession of scripts to fire up services such as Amplify, CodeBuild, Sagemaker, and ECS with the aim of using the compute resources on offer to mine cryptocurrency.

The costs can be eye-watering, depending on the amount of resources attackers can utilize. Researchers said: "For the first time, we discover attackers abusing AWS Amplify for cryptojacking."

AWS Amplify is a development platform that allows developers to build and deploy scalable web and mobile applications. Since it opens up a framework to enable an app to integrate with other services on the AWS platform, it also provides a handy avenue for attackers to access the compute resources required for cryptomining.

Researchers suspect, although cannot confirm, that the operation originates from Indonesian attackers due to the use of the Indonesian language in scripts and usernames.

The chaining together of uncommon services in the attack is novel. While EC2 is a well-known target, researchers urged security teams to remember that other services also provide access – if indirect – to compute resources, meaning that threat detection needs to be as broad as possible.

If threat detection isn't possible, then a higher level of logging is a must.
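As an added illustration of what "broad" detection means here (this is not code from Sysdig's report or from this article), the following flags any principal that provisions compute in two or more of the overlooked services named above (Amplify, CodeBuild, SageMaker, ECS) within a short window, rather than watching EC2 alone. The eventSource and eventName values are real CloudTrail names; the sample records, the 30-minute window and the two-service threshold are assumptions made for the example.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# CloudTrail calls that hand an identity compute via services other than EC2.
COMPUTE_CALLS = {
    "amplify.amazonaws.com": {"CreateApp", "CreateBranch", "StartJob"},
    "codebuild.amazonaws.com": {"CreateProject", "StartBuild"},
    "sagemaker.amazonaws.com": {"CreateNotebookInstance", "CreateTrainingJob", "CreateProcessingJob"},
    "ecs.amazonaws.com": {"CreateCluster", "RegisterTaskDefinition", "RunTask", "CreateService"},
}

def principal(event):
    ident = event.get("userIdentity", {})
    return ident.get("arn") or ident.get("accountId", "unknown")

def is_compute_provisioning(event):
    return event.get("eventName") in COMPUTE_CALLS.get(event.get("eventSource"), set())

def find_chained_provisioning(events, window=timedelta(minutes=30), min_services=2):
    """Return {principal: sorted eventSources} for every principal that provisioned
    compute in at least `min_services` distinct services inside one `window`."""
    by_principal = defaultdict(list)
    for ev in events:
        if is_compute_provisioning(ev):
            ts = datetime.strptime(ev["eventTime"], "%Y-%m-%dT%H:%M:%SZ")
            by_principal[principal(ev)].append((ts, ev["eventSource"]))
    hits = {}
    for who, calls in by_principal.items():
        calls.sort()  # sliding window over this principal's provisioning calls
        for i, (start, _) in enumerate(calls):
            services = {src for ts, src in calls[i:] if ts - start <= window}
            if len(services) >= min_services:
                hits[who] = sorted(services)
                break
    return hits

def ev(t, src, name, user):  # builds a minimal constructed CloudTrail record
    return {"eventTime": t, "eventSource": src, "eventName": name,
            "userIdentity": {"arn": f"arn:aws:iam::111111111111:user/{user}"}}

SAMPLE_EVENTS = [  # constructed sample records, not real CloudTrail output
    ev("2023-09-01T10:00:00Z", "amplify.amazonaws.com", "CreateApp", "build-bot"),
    ev("2023-09-01T10:04:00Z", "codebuild.amazonaws.com", "StartBuild", "build-bot"),
    ev("2023-09-01T10:09:00Z", "sagemaker.amazonaws.com", "CreateNotebookInstance", "build-bot"),
    ev("2023-09-01T10:10:00Z", "ecs.amazonaws.com", "RunTask", "ops"),        # legitimate, isolated
    ev("2023-09-01T11:30:00Z", "codebuild.amazonaws.com", "StartBuild", "ops"),  # 80 min later: outside window
]

if __name__ == "__main__":
    print(find_chained_provisioning(SAMPLE_EVENTS))
```

Only build-bot is reported: it touched three of the services within nine minutes, whereas ops used two services but more than 30 minutes apart.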

It is also essential to consider that, while this report concerned AWS and the services attackers seized through a malicious container image, users of other platforms need to keep their wits about them.

As the team observed: "While this operation occurred on AWS, other CSPs [Cloud Service Providers] could easily be the next target." ®
