Infrequently used AWS services subjected to new AMBERSQUID cryptojacking attacks

Infrequently used Amazon Web Services products AWS Fargate, AWS Amplify, and Amazon SageMaker, have been targeted by the new Indonesian cloud-native cryptojacking operation AMBERSQUID for cryptomining activities, according to The Hacker News. Spamming EC2 instances enabled AMBERSQUID to perform cloud service exploitation without prompting the required approval for more resources in AWS, a report from Sysdig revealed. Attacks were facilitated through AWS CodeCommit exploitation to create a private repository containing the AWS Amplify app source code later used by a shell script to eventually deploy the cryptominer. Shell scripts were similarly used for cryptojacking in Amazon SageMaker and AWS Fargate, with researchers estimating that such attacks could result in over $10,000 in daily losses should they be targeted at all AWS regions. Such an attack comes months after Indonesian threat actor GUI-vil was reported to have conducted cryptomining activities through AWS Elastic Compute Cloud abuse but Sysdig Director of Threat Research Michael Clark noted no significant overlap between AMBERSQUID and GUI-vil.