A sophisticated cloud-native cryptojacking operation, AMBERSQUID, was recently discovered. It leverages several AWS services not commonly associated with cyberattacks, including AWS Amplify, AWS Fargate, and Amazon SageMaker, potentially costing its victims more than $10,000 per day.
The operation began in May 2022, with continued development through August of the same year. Attackers persisted by creating new accounts to push crypto miner images until March 2023, when they established a GitHub presence.
The Sysdig Threat Research Team (TRT) found that the most notable aspect of AMBERSQUID is its ability to exploit cloud services without triggering the typical AWS resource approval process that would be activated if it were to target EC2 instances exclusively. The operation spans multiple AWS services, posing significant challenges for incident response efforts as attackers must be located and terminated across various exploited services.
Researchers analysed over 1.7 million Linux images on Docker Hub. Interestingly, this malicious container image avoided detection during static scans for known indicators or malicious binaries. Its malicious activities only became apparent when the container was executed, highlighting the limitations of static scanning alone.
While the exact origins of the attackers behind AMBERSQUID remain unconfirmed, there is medium confidence that they are based in Indonesia. Indonesian hackers are known to engage in activities such as cryptojacking and freejacking due to the low cost of living.

The initial container that triggered Sysdig’s investigation was discovered on Docker Hub, but the scope quickly expanded to include numerous accounts. These accounts often began with basic container images running crypto miners before transitioning to the AWS-specific services central to AMBERSQUID’s operation.
The attackers initiate their operation by creating roles granting extensive permissions within AWS services. AWS CodeCommit is utilised to create private repositories, allowing the attackers to contain their operation entirely within AWS. They automate the creation of CodeCommit repositories in multiple regions.
The attackers leverage AWS Amplify to create web pages, which are utilised to run crypto miners. This novel approach allows them to access computing resources while evading detection. The ‘ecs.sh’ script orchestrates cryptojacking within AWS ECS by creating roles and ECS clusters in Fargate and scaling the desired number of instances.
Amazon SageMaker is then used to establish notebook instances, with scripts configured to run miners upon creation. Sysdig has estimated that the potential cost to victims of AMBERSQUID could be as high as $10,000, depending on the region and scale.
This operation highlights that less visible services like Amplify, CodeCommit, and SageMaker can also be a target for hackers.
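For defenders, the chain described above (new roles, CodeCommit repositories in several regions, Amplify apps, ECS clusters, SageMaker notebook instances) leaves resource-creation events in CloudTrail. The following is an added example, not code from Sysdig or the article: it flags any principal that creates resources in several of these services across multiple regions. The thresholds, helper names and sample records are assumptions constructed for illustration.

```python
import json
from collections import defaultdict

# CloudTrail (eventSource, eventName) pairs for resource creation in the
# services the article names: IAM roles, CodeCommit, Amplify, ECS, SageMaker.
WATCHED = {
    ("iam.amazonaws.com", "CreateRole"),
    ("codecommit.amazonaws.com", "CreateRepository"),
    ("amplify.amazonaws.com", "CreateApp"),
    ("ecs.amazonaws.com", "CreateCluster"),
    ("sagemaker.amazonaws.com", "CreateNotebookInstance"),
}

def flag_principals(lines, min_services=3, min_regions=2):
    """Return principals that created resources in >= min_services watched
    services across >= min_regions regions. Thresholds are assumptions."""
    services, regions = defaultdict(set), defaultdict(set)
    for line in lines:
        try:
            rec = json.loads(line)
        except json.JSONDecodeError:
            continue  # skip malformed lines rather than abort the scan
        key = (rec.get("eventSource"), rec.get("eventName"))
        if key not in WATCHED:
            continue
        arn = (rec.get("userIdentity") or {}).get("arn", "unknown")
        services[arn].add(key[0])
        regions[arn].add(rec.get("awsRegion", "unknown"))
    return {
        arn: {"services": sorted(services[arn]), "regions": sorted(regions[arn])}
        for arn in services
        if len(services[arn]) >= min_services and len(regions[arn]) >= min_regions
    }

def _rec(arn, source, name, region):
    # Build one constructed CloudTrail-style record as a JSON line.
    return json.dumps({"eventSource": source, "eventName": name,
                       "awsRegion": region, "userIdentity": {"arn": arn}})

# Constructed sample input (not real log data).
BUILD = "arn:aws:iam::111122223333:user/constructed-build"
DEV = "arn:aws:iam::111122223333:user/constructed-dev"
SAMPLE = [
    _rec(BUILD, "iam.amazonaws.com", "CreateRole", "us-east-1"),
    _rec(BUILD, "codecommit.amazonaws.com", "CreateRepository", "us-east-1"),
    _rec(BUILD, "codecommit.amazonaws.com", "CreateRepository", "eu-west-1"),
    _rec(BUILD, "amplify.amazonaws.com", "CreateApp", "ap-south-1"),
    _rec(BUILD, "sagemaker.amazonaws.com", "CreateNotebookInstance", "eu-west-1"),
    _rec(DEV, "ecs.amazonaws.com", "CreateCluster", "us-east-1"),
    "not json",
]
```

Feed it one CloudTrail record per line; accounts that legitimately deploy across these services will need the thresholds tuned or an allowlist.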