AWS cryptojacking campaign abuses less-used services to hide

To remain undetected for longer in cloud environments, attackers have started to abuse less-common services that don’t get a high level of security scrutiny. This is the case of a recently discovered cryptojacking operation, called AMBERSQUID, that deploys cryptocurrency mining malware on AWS Amplify, AWS Fargate, and Amazon SageMaker instead of the more obvious Amazon Elastic Compute Cloud (Amazon EC2).

“The AMBERSQUID operation was able to exploit cloud services without triggering the AWS requirement for approval of more resources, as would be the case if they only spammed EC2 instances,” researchers from security firm Sysdig said in a report. “Targeting multiple services also poses additional challenges, like incident response, since it requires finding and killing all miners in each exploited service.”

How the AMBERSQUID cryptojacking campaign works

The Sysdig researchers came across the cryptojacking campaign while scanning 1.7 million Linux container images hosted on Docker Hub for malicious payloads. One container showed indicators of cryptojacking when executed and further analysis revealed several similar containers uploaded by different accounts since May 2022 that download cryptocurrency miners hosted on GitHub. Judging by the comments used in the malicious scripts inside the containers, the researchers believe the attackers behind the campaign are from Indonesia.

When deployed on AWS using stolen credentials, the malicious Docker images execute a series of scripts, starting with one that sets up various AWS roles and permissions. One of the created roles is called AWSCodeCommit-Role and is given access to AWS Amplify service, a service that lets developers build, deploy and host full-stack web and mobile applications on AWS. This role also gets access to AWS CodeCommit, a managed source-code repository service, and AWS CloudWatch, an infrastructure monitoring and data visualization service.

A second role that is created by the container scripts is called sugo-role, and this role has full access to SageMaker, another AWS service that allows data scientists to build, train, and deploy machine-learning models. A third created role is ecsTaskExecutionRole with access to the Amazon Elastic Container Service (Amazon ECS), an AWS-native Docker container management system.

The attackers then start abusing the newly created roles in various services, beginning with AWS CodeCommit where they create a private Git repository that hosts the code they need for the next steps of their attack. This allows them to not leave the AWS ecosystem after the initial compromise, lowering the chances of outbound traffic alerts.

Leave a Reply

Your email address will not be published. Required fields are marked *

Back to top button