New cryptojacking attacks target uncommon AWS instances

Bitcoin mining
(Image credit: Pixabay)

Cybersecurity researchers from Sysdig recently uncovered a new cryptojacking campaign that targeted uncommon Amazon Web Services (AWS) services.

Cryptojacking is a type of cyberattack in which the threat actor secretly installs a cryptocurrency miner on a target endpoint. While not malicious per se, miners bring profit to their owners, while the victims are left with inflated electricity and data bills, and a virtually unusable device (until the cryptojacker is removed). There are multiple uncommon AWS services, including AWS Amplify, AWS Fargate, and Amazon SageMaker, that were targeted here.

This campaign was dubbed AMBERSQUID. "The AMBERSQUID operation was able to exploit cloud services without triggering the AWS requirement for approval of more resources, as would be the case if they only spammed EC2 instances," said Alessandro Brucato, Sysdig security researcher.


"Targeting multiple services also poses additional challenges, like incident response, since it requires finding and killing all miners in each exploited service," the researchers added. 

Further investigation found that the attackers were mostly likely of Indonesian origin, as some of the scripts and usernames were written in the Indonesian language. By analyzing blockchain data associated with the cryptominers, the researchers were able to determine that the attackers generated at least $18,000 in profits. On the other hand, they estimate that AMBERSQUID could cost more than $10,000 a day, if it were scaled to target all AWS regions. 

Cryptojacking has been around for as long as cryptocurrency itself. Earlier this year, Microsoft found hackers brute-forcing their way into Linux-based IoT devices, and using them to mine cryptocurrencies. They even made sure that no rival cryptojackers were installed on the vulnerable endpoints. 

By far the most popular cryptojacking software is XMRig, a miner that generates a token known as Monero, or XMR. This is a token with a strong emphasis on privacy, with some arguing that it’s absolutely untraceable.

More from TechRadar Pro

Sead is a seasoned freelance journalist based in Sarajevo, Bosnia and Herzegovina. He writes about IT (cloud, IoT, 5G, VPN) and cybersecurity (ransomware, data breaches, laws and regulations). In his career, spanning more than a decade, he’s written for numerous media outlets, including Al Jazeera Balkans. He’s also held several modules on content writing for Represent Communications.