AWS cryptojacking campaign abuses less-used services to hide

September 18, 2023

To remain undetected for longer in cloud environments, attackers have started to abuse less-common services that don’t get a high level of security scrutiny. This is the case with a recently discovered cryptojacking operation called AMBERSQUID, which deploys cryptocurrency mining malware on AWS Amplify, AWS Fargate, and Amazon SageMaker instead of the more obvious Amazon Elastic Compute Cloud (Amazon EC2).

“The AMBERSQUID operation was able to exploit cloud services without triggering the AWS requirement for approval of more resources, as would be the case if they only spammed EC2 instances,” researchers from security firm Sysdig said in a report. “Targeting multiple services also poses additional challenges, like incident response, since it requires finding and killing all miners in each exploited service.”

Read More on CSO Online