Full Report
Researchers uncovered a cryptojacking operation targeting AWS services such as AWS Amplify, AWS Fargate, and Amazon SageMaker to mine cryptocurrency. The timeline of this operation spans from May 2022 to March 2023. Initially, the attackers used Docker Hub accounts to distribu...
Analysis Summary
# Incident Report: AmberSquid Cryptojacking Campaign
## Executive Summary
The AmberSquid campaign was an extensive cryptojacking operation targeting AWS environments, spanning from May 2022 to March 2023. Attackers leveraged supply chain vectors, initially using compromised Docker Hub accounts and later GitHub repositories, to distribute cryptominer binaries targeting services like AWS Amplify, Fargate, and SageMaker. The primary impact was resource hijacking for unauthorized cryptocurrency mining.
## Incident Details
- Discovery Date: September 18, 2023 (Publication Date of Analysis)
- Incident Date: May 2022 – March 2023
- Affected Organization: Undisclosed AWS Customers (Observed across multiple environments)
- Sector: Technology/Cloud Computing
- Geography: Global (Targeting public cloud infrastructure)
## Timeline of Events
### Initial Access
- **Date/Time:** Commenced May 2022
- **Vector:** Supply Chain compromise (Docker Hub accounts)
- **Details:** Attackers initially used malicious Docker Hub accounts to distribute containers hosting cryptominers.
### Lateral Movement
- **Date/Time:** March 2023 (Observed shift in technique)
- **Vector:** Supply Chain compromise (GitHub repositories)
- **Details:** Attackers shifted their distribution method to a GitHub account, hosting repositories that contained cryptominer binaries, likely injected into seemingly legitimate development workflows utilizing AWS services.
### Data Exfiltration/Impact
- **Date/Time:** Operational throughout the 11-month period.
- **Vector:** Resource Hijacking
- **Details:** The primary impact was the unauthorized use of victims' compute resources (AWS Fargate, SageMaker, Amplify) for cryptocurrency mining. The source analysis mentions no evidence of direct data theft or exfiltration.
### Detection & Response
- **Date/Time:** Analysis published on September 18, 2023.
- **Details:** The campaign was uncovered and analyzed by security researchers (Sysdig). The threat actors adapted during the campaign, shifting their distribution method from Docker Hub to GitHub in March 2023.
## Attack Methodology
- **Initial Access:** Supply chain compromise via compromised Docker Hub accounts and subsequent hosting of malicious code in GitHub repositories.
- **Persistence:** Not explicitly detailed, but leveraged the execution environment within the targeted AWS compute services.
- **Privilege Escalation:** Not explicitly detailed, but necessary to execute mining operations on target AWS services.
- **Defense Evasion:** Utilizing common public artifact repositories (Docker Hub, GitHub) to mask malicious binaries initially.
- **Credential Access:** Not explicitly detailed.
- **Discovery:** Not explicitly detailed.
- **Lateral Movement:** Focus was on persistent execution within compromised cloud environments rather than traditional network lateral movement.
- **Collection:** N/A (Focus was on resource utilization, not data gathering).
- **Exfiltration:** Mined cryptocurrency was delivered to attacker-controlled destinations (implied; inherent to cryptojacking).
- **Impact:** Resource hijacking (Cryptojacking).
## Impact Assessment
- **Financial:** Increased cloud compute costs for victims due to sustained cryptomining activity.
- **Data Breach:** No specific data breach was confirmed; the focus was on resource consumption.
- **Operational:** Potential service degradation or throttling on targeted AWS services (Amplify, Fargate, SageMaker) due to computational overload.
- **Reputational:** Potential customer trust erosion for organizations relying on affected software components.
## Indicators of Compromise
*Note: As the context is high-level, specific IoCs are not provided. Behavioral IoCs related to the campaign are inferred.*
- **Network indicators:** Communication with known cryptocurrency mining pools originating from AWS compute instances.
- **File indicators:** Cryptominer binaries hosted on Docker Hub or GitHub repositories associated with the campaign.
- **Behavioral indicators:** Unexpected high CPU/GPU utilization detected on AWS Fargate, SageMaker, or Amplify execution environments outside of planned workloads.
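The behavioral indicator above (CPU pinned high on an execution environment for longer than any planned workload explains) can be turned into a concrete check. The following is an added example, not code from the original report or from Sysdig: it scans CloudWatch-style per-minute `CPUUtilization` samples for the longest run at or above a threshold, and skips resources on an allow-list of workloads that are expected to run hot. The sample series, the resource names and the allow-list are all constructed for the example; nothing here calls AWS.

```python
"""Flag compute resources whose CPU stays at/above a threshold for a sustained window.

Added example (not from the original report). Input shape is CloudWatch-like:
(resource_id, timestamp, cpu_percent), one sample per minute, constructed below.
"""
from collections import defaultdict
from datetime import datetime, timedelta

START = datetime(2023, 3, 1, 12, 0)  # constructed start time for the sample metrics


def _series(resource, values, start=START):
    """Build a constructed one-sample-per-minute series for one compute resource."""
    return [(resource, start + timedelta(minutes=i), float(v)) for i, v in enumerate(values)]


# Constructed samples covering one hour for three resources.
SAMPLES = (
    # Normal web task: short spikes, never sustained.
    _series("fargate-task-web", [20, 35, 95, 98, 40, 22, 30, 25, 60, 15] * 6)
    # Unexplained task pinned near 100% for the full hour: the cryptojacking pattern.
    + _series("fargate-task-unknown", [99, 100, 100, 99, 100] * 12)
    # Planned SageMaker training job: also hot, but expected.
    + _series("sagemaker-training-nightly", [97, 99, 100] * 20)
)

# Assumed allow-list of workloads known to run hot (in practice: inventory or CI metadata).
PLANNED_HOT_WORKLOADS = frozenset({"sagemaker-training-nightly"})


def sustained_high_cpu(samples, threshold=95.0, min_minutes=30, planned=frozenset()):
    """Return {resource_id: {"start", "end", "minutes"}} for every resource whose CPU
    stayed >= threshold for at least min_minutes, ignoring planned hot workloads."""
    by_resource = defaultdict(list)
    for resource, ts, cpu in samples:
        by_resource[resource].append((ts, cpu))

    findings = {}
    for resource, series in by_resource.items():
        if resource in planned:
            continue
        series.sort()
        longest = None      # (start, end) of the longest run at/above threshold
        run_start = None    # start of the run currently being extended
        for ts, cpu in series:
            if cpu < threshold:
                run_start = None
                continue
            if run_start is None:
                run_start = ts
            if longest is None or ts - run_start > longest[1] - longest[0]:
                longest = (run_start, ts)
        if longest is not None:
            minutes = int((longest[1] - longest[0]).total_seconds() // 60)
            if minutes >= min_minutes:
                findings[resource] = {"start": longest[0], "end": longest[1], "minutes": minutes}
    return findings


if __name__ == "__main__":
    for resource, f in sustained_high_cpu(SAMPLES, planned=PLANNED_HOT_WORKLOADS).items():
        print(f"ALERT {resource}: CPU >= 95% for {f['minutes']} min ({f['start']} -> {f['end']})")
```

With the constructed data only `fargate-task-unknown` is reported; the training job is suppressed by the allow-list, and the web task's two-minute spikes never reach the 30-minute window. The allow-list is what makes the rule usable: without it, every legitimately hot workload (training jobs, batch renders) becomes noise, and on-call will tune the rule out.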
## Response Actions
*Response actions are primarily those taken by the research community and implied remediation by AWS/users.*
- **Containment measures:** Removal/deletion of malicious Docker images and compromised GitHub repositories identified by researchers. Security teams would need to revoke potentially exposed credentials and isolate affected cloud workloads.
- **Eradication steps:** Auditing configurations for AWS Fargate, Amplify, and SageMaker to remove any persistence mechanisms established by the miners.
- **Recovery actions:** Restoring compute environments to known good baselines and strengthening supply chain verification processes.
## Lessons Learned
- Reliance on public repositories (Docker Hub, GitHub) for trusted components creates significant supply chain risk.
- Monitoring resource utilization (CPU/memory) on ephemeral cloud compute services (Fargate, containers) must be a high priority, as sustained abnormal utilization is a key indicator of cryptojacking.
- Attackers will adapt their distribution methods when one vector becomes saturated or detected (shifting from Docker Hub to GitHub).
## Recommendations
- Implement strict provenance checks for all container images and artifacts pulled from public or third-party registries.
- Enforce least privilege access across AWS services, ensuring compute roles cannot easily provision excessive resources or exfiltrate large amounts of data.
- Implement real-time monitoring and anomaly detection specifically tuned for abnormal cloud compute usage patterns indicative of cryptojacking (e.g., sustained 100% CPU usage on compute instances).
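The first recommendation (strict provenance checks on images pulled from public registries) can be enforced mechanically before a task definition is deployed. The following is an added example, not code from the original report or from Sysdig: it parses each container image reference in an ECS-style task definition, resolves bare references to Docker Hub the way a container runtime would, and reports images that come from a registry outside an assumed trusted set or that are not pinned to an immutable `sha256` digest. The trusted-registry set (a placeholder ECR account id), the sample task definition and its digests are all constructed for the example.

```python
"""Audit container image references in an ECS-style task definition for provenance.

Added example (not from the original report). Policy assumed here:
  1. images must come from a registry in TRUSTED_REGISTRIES;
  2. images must be pinned by sha256 digest, not a mutable tag such as :latest.
"""
import json
import re

DIGEST_RE = re.compile(r"^sha256:[0-9a-f]{64}$")

# Assumed trusted registry set; the account id is a placeholder, not a real account.
TRUSTED_REGISTRIES = frozenset({"123456789012.dkr.ecr.us-east-1.amazonaws.com"})


def parse_image_ref(ref):
    """Split '[registry/]repo[:tag][@digest]' into parts.

    A leading path component counts as a registry only if it looks like a host
    (contains '.' or ':' or is 'localhost'); otherwise the image resolves to
    Docker Hub (docker.io), which is what the runtime does for 'user/image'."""
    digest = None
    if "@" in ref:
        ref, digest = ref.rsplit("@", 1)
    registry, _, remainder = ref.partition("/")
    if not remainder or not ("." in registry or ":" in registry or registry == "localhost"):
        registry, remainder = "docker.io", ref
    tag = None
    name, sep, maybe_tag = remainder.rpartition(":")
    if sep and "/" not in maybe_tag:       # a ':' inside a path component is not a tag
        remainder, tag = name, maybe_tag
    return {"registry": registry, "repository": remainder, "tag": tag, "digest": digest}


def check_image_policy(ref, trusted=TRUSTED_REGISTRIES):
    """Return a list of policy problems for one image reference (empty if compliant)."""
    parts = parse_image_ref(ref)
    problems = []
    if parts["registry"] not in trusted:
        problems.append(f"untrusted registry {parts['registry']}")
    if parts["digest"] is None:
        problems.append("not pinned to an immutable digest")
    elif not DIGEST_RE.match(parts["digest"]):
        problems.append(f"malformed digest {parts['digest']}")
    return problems


def audit_task_definition(task_def_json, trusted=TRUSTED_REGISTRIES):
    """Return {container_name: [problems]} for every container that violates policy."""
    task_def = json.loads(task_def_json)
    report = {}
    for container in task_def.get("containerDefinitions", []):
        problems = check_image_policy(container["image"], trusted)
        if problems:
            report[container["name"]] = problems
    return report


# Constructed task definition; digests are placeholder values, not real image digests.
SAMPLE_TASK_DEF = json.dumps({
    "family": "example-service",
    "containerDefinitions": [
        {"name": "api",
         "image": "123456789012.dkr.ecr.us-east-1.amazonaws.com/api@sha256:" + "a" * 64},
        {"name": "sidecar",
         "image": "123456789012.dkr.ecr.us-east-1.amazonaws.com/sidecar:1.4.2"},
        {"name": "helper", "image": "someuser/build-helper:latest"},
        {"name": "worker", "image": "ghcr.io/example-org/worker:2.0@sha256:" + "b" * 64},
    ],
})


if __name__ == "__main__":
    for name, problems in audit_task_definition(SAMPLE_TASK_DEF).items():
        print(f"{name}: " + "; ".join(problems))
```

Only `api` passes: `sidecar` is in the trusted registry but floats on a tag, `helper` silently resolves to Docker Hub with `:latest`, and `worker` is digest-pinned but comes from a registry outside the trusted set. Running this kind of check in CI or as a deployment admission step is what "strict provenance checks" means in practice; a digest pin alone does not establish trust in the publisher, and a trusted registry alone does not stop a tag from being repointed, so both conditions are required.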