AmberSquid campaign

Type

Campaign

Actors

🦑AmberSquid

Pub. date

September 18, 2023

Initial access

Supply chain vector

Impact

Resource hijacking

Observed techniques

Cloud compute cryptojacking Backdoor Docker image

Targeted technologies

AWS Amplify AWS CloudFormation AWS Codebuild AWS ECS Amazon SageMaker

References

https://sysdig.com/blog/ambersquid/

Status

Finalized

Last edited

Jun 2, 2024 8:02 AM

Researchers uncovered a cryptojacking operation targeting AWS services such as AWS Amplify, AWS Fargate, and Amazon SageMaker to mine cryptocurrency. The timeline of this operation spans from May 2022 to March 2023. Initially, the attackers used Docker Hub accounts to distribute cryptominers, but in March 2023 they created a GitHub account to host repositories containing cryptominer binaries.