lconstantin
CSO Senior Writer

AWS cryptojacking campaign abuses less-used services to hide

News Analysis
18 Sep 20236 mins
Cloud SecurityCybercrimeMalware

The AMBERSQUID cryptojacking campaign exploits cloud services without triggering AWS approval processes.

To remain undetected for longer in cloud environments, attackers have started to abuse less-common services that don’t get a high level of security scrutiny. This is the case of a recently discovered cryptojacking operation, called AMBERSQUID, that deploys cryptocurrency mining malware on AWS Amplify, AWS Fargate, and Amazon SageMaker instead of the more obvious Amazon Elastic Compute Cloud (Amazon EC2).

“The AMBERSQUID operation was able to exploit cloud services without triggering the AWS requirement for approval of more resources, as would be the case if they only spammed EC2 instances,” researchers from security firm Sysdig said in a report. “Targeting multiple services also poses additional challenges, like incident response, since it requires finding and killing all miners in each exploited service.”

How the AMBERSQUID cryptojacking campaign works

The Sysdig researchers came across the cryptojacking campaign while scanning 1.7 million Linux container images hosted on Docker Hub for malicious payloads. One container showed indicators of cryptojacking when executed and further analysis revealed several similar containers uploaded by different accounts since May 2022 that download cryptocurrency miners hosted on GitHub. Judging by the comments used in the malicious scripts inside the containers, the researchers believe the attackers behind the campaign are from Indonesia.

When deployed on AWS using stolen credentials, the malicious Docker images execute a series of scripts, starting with one that sets up various AWS roles and permissions. One of the created roles is called AWSCodeCommit-Role and is given access to AWS Amplify service, a service that lets developers build, deploy and host full-stack web and mobile applications on AWS. This role also gets access to AWS CodeCommit, a managed source-code repository service, and AWS CloudWatch, an infrastructure monitoring and data visualization service.

A second role that is created by the container scripts is called sugo-role, and this role has full access to SageMaker, another AWS service that allows data scientists to build, train, and deploy machine-learning models. A third created role is ecsTaskExecutionRole with access to the Amazon Elastic Container Service (Amazon ECS), an AWS-native Docker container management system.

The attackers then start abusing the newly created roles in various services, beginning with AWS CodeCommit where they create a private Git repository that hosts the code they need for the next steps of their attack. This allows them to not leave the AWS ecosystem after the initial compromise, lowering the chances of outbound traffic alerts.

The Git repository is used to host the code for a malicious app designed to be built and deployed with the AWS Amplify service. The script then generates five Amplify apps to be deployed in different AWS regions and as part of their building scripts, one command downloads and runs a cryptominer. Since the cryptomining and resource theft happens during the app building, the attackers added code to prolong this process as much as possible. When the apps eventually finish building, another script is executed that updates the code and the process is restarted, starting the building phase again and therefore the cryptomining.

Another script from the container sets up a similar process, but on the Amazon ECS service, which allows deploying containers to EC2 instances, AWS Fargate — Amazon’s serverless compute engine — or on-premises virtual machines.

The script gives the needed permissions to the ecsTaskExecutionRole account, which is then used to set up an ECS task that sets up a container on AWS Fargate with two virtual CPUs and 4GB of RAM and deploys a Linux image that bundles a miner. The task is configured with a desiredCount of 30, which means 30 instances will be created.

Yet another target in this campaign is AWS CodeBuild, a continuous integration service that can be used to compile and test source code. The specification file for CodeBuild to execute tasks can include build commands and the attackers included commands to execute their miner. The attackers also set the "timeout-in-minutes" value for the build task to the maximum of eight hours to ensure their miner will run for that long before being restarted.

Next, the attackers targeted AWS CloudFormation, an infrastructure-as-code service that allows users to provision AWS and third-party resources via templates. These resources can be grouped into stacks and controlled as one unit.

“The attackers’ scripts create several CloudFormation stacks that originated from a template that defines an EC2 Image Builder component,” the researchers said. “Within this component, they put commands to run a miner during the build phase of the image. This is similar to the commands that can be defined in a Dockerfile.”

Like with Amplify and CodeBuild, the mining process is spawned during a build phase. The attackers tried to prolong it as much as possible by adding cron commands in the template to start a new build every minute.

The attackers also abused Amazon EC2 Auto Scaling, a feature that allows users to add or remove EC2 instances using scaling policies defined in templates. This feature was used to create two groups of eight On-Demand and Spot instances each running a Docker container image with a miner.

Finally, the hackers also abused machine learning compute instances running in Jupyter Notebook App as part of the Amazon SageMaker service. For every Jupyter Notebook instance, users can define a lifecycle configuration that includes a collection of shell scripts that get executed when instances are created. They used this functionality to include a command that executes Docker and deploys one of their Docker Hub images containing a miner. By abusing all these services with rogue container instances and build tasks executed in different regions, victims can incur running costs of $2,244 per day and higher, according to the Sysdig researchers.

Cryptojackers can abuse any service with access to compute resources

“Cloud Service Providers (CSPs) like AWS provide a vast array of different services for their customers,” the researchers said. “While most financially motivated attackers target compute services, such as EC2, it is important to remember that many other services also provide access to compute resources (albeit it more indirectly). It is easy for these services to be overlooked from a security perspective since there is less visibility compared to that available through runtime threat detection.”

Since many of these services are only meant to execute code temporarily, installing runtime detection solutions is not always viable. In that case, organizations should have logging and monitoring in place for the usage trends of such services on their accounts to identify anomalies and suspicious behavior.