top of page

Cryptojackers spread their nets to capture more than just EC2

Richard Speed

18 Sept 2023

As cloud native computing continues to gain popularity, so does the risk posed by criminals seeking to exploit the unwary. One newly spotted method targets services on the AWS platform, but not necessarily the ones you might think.

Researchers from the Sysdig Threat Research Team (TRT) have uncovered a cryptojacking operation dubbed "AMBERSQUID," which does not directly target EC2 instances that would trigger an approval for more resources.

Researchers said: "The uncommon nature of these services means that they are often overlooked from a security perspective, and the AMBERSQUID operation can cost victims more than $10,000 per day."

AMBERSQUID was discovered after more than 1.7 million Linux images were analyzed. A typical static scan didn't show any issues since it was only when the container was run that the nefarious activities became known.

The chaining together of uncommon services in the attack is a novel one. While EC2 is a well-known target, researchers urged security teams to remember that other services also provide access – if indirect – to compute resources, meaning that threat detection needs to be as broad as possible.

Researchers suspect, although cannot confirm, that the operation originates from Indonesian attackers due to the use of the Indonesian language in scripts and usernames

The team observed: "While this operation occurred on AWS, other CSPs [Cloud Service Providers] could easily be the next target."

bottom of page