Type
Campaign
Actors
AmberSquid
Pub. date
September 18, 2023
Initial access
Supply chain vector
Impact
Resource hijacking
Observed techniques
Cloud compute cryptojacking, Backdoor Docker image
Targeted technologies
AWS Amplify, AWS CloudFormation, AWS CodeBuild, AWS ECS, Amazon SageMaker
References
https://sysdig.com/blog/ambersquid/
Status
Finalized
Last edited
Jun 2, 2024 8:02 AM
Researchers uncovered a cryptojacking operation targeting AWS services such as AWS Amplify, AWS Fargate, and Amazon SageMaker to mine cryptocurrency. The timeline of this operation spans from May 2022 to March 2023. Initially, the attackers used Docker Hub accounts to distribute cryptominers, but in March 2023 they created a GitHub account to host repositories containing cryptominer binaries.