Article Details

Scrape Timestamp (UTC): 2025-12-18 18:54:20.227

Source: https://www.theregister.com/2025/12/18/crypto_crooks_use_stolen_aws/

Original Article Text


Crypto crooks co-opt stolen AWS creds to mine coins

'Within 10 minutes of gaining initial access, crypto miners were operational'

Your AWS account could be quietly running someone else's cryptominer.

Cryptocurrency thieves are using stolen Amazon account credentials to mine for coins at the expense of AWS customers, abusing their Elastic Container Service (ECS) and Elastic Compute Cloud (EC2) resources, in an ongoing operation that started on November 2.

The illicit cryptocurrency-mining campaign abuses compromised valid AWS Identity and Access Management (IAM) credentials with "admin-like privileges" - it doesn't exploit a vulnerability - and then uses this access to deploy mining tools on ECS and EC2, Amazon security engineer Kyle Koeller said in a blog this week.

"Within 10 minutes of the threat actor gaining initial access, crypto miners were operational," Koeller wrote.

The Register has asked Amazon how many customers were affected, and will update the story if we hear back. Amazon's GuardDuty threat detection service spotted the cryptomining operation and alerted customers, we're told.

After the crooks obtained the compromised AWS credentials, they checked EC2 service quotas to see how many instances they could launch, and tested the credentials' permissions by calling the RunInstances API multiple times with the DryRun flag enabled. This let them confirm the credentials had sufficient privileges to proceed with their illicit mining without yet incurring compute charges or risking detection.

They also created "dozens" of ECS clusters to support their illegal activities, sometimes exceeding 50 in a single attack, and used EC2 Auto Scaling groups to maximize service quotas and resource consumption.

To make disruption more difficult - and thus allow the criminals to collect more cryptocurrency from stolen resources - they called ModifyInstanceAttribute with disableApiTermination set to true for persistence. This blocks termination of the AWS instances used for mining, and forces victims to take an extra step and re-enable API termination before deleting the affected resources.

"The threat actor's scripted use of multiple compute services, in combination with emerging persistence techniques, represents an advancement in crypto mining persistence methodologies that security teams should be aware of," Koeller wrote.

After deploying miners, the miscreants created an AWS Lambda function configured with no authentication and exposed it via a public Lambda Function URL, allowing them to maintain persistent access to the victims' environments.

To avoid becoming a victim of cryptomining abuse, Amazon recommends strong identity and access management controls, as well as temporary credentials instead of long-term access keys. As always, enforce multi-factor authentication (MFA) for all users, and apply least privilege to IAM.
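Every step the article describes leaves a CloudTrail record, so a responder can triage a trail export for the sequence and plan containment in the order the persistence trick requires (re-enable API termination before terminating). The script below is an added example written for this page, not code from AWS, Amazon or The Register. It runs offline over constructed records whose field names follow the CloudTrail schema as the author of this example understands it (DryRun calls are logged with errorCode Client.DryRunOperation, and Lambda event names carry a date suffix); the account ID, ARN, instance ID, function name and the detection thresholds are placeholders and assumptions, not values from the article.

```python
"""Offline CloudTrail triage for the ECS/EC2 cryptomining pattern described
above. Added example, not AWS, Amazon or The Register code. All records are
constructed; IDs, names and thresholds are placeholders or assumptions."""
from collections import Counter, defaultdict

ACTOR = "arn:aws:iam::111122223333:user/placeholder-admin"  # placeholder identity


def _ev(name, source, params=None, error=None):
    """Build a minimal CloudTrail-shaped record (constructed test data)."""
    rec = {"eventSource": source, "eventName": name,
           "userIdentity": {"arn": ACTOR}, "requestParameters": params or {}}
    if error:
        rec["errorCode"] = error  # DryRun probes surface as this error code
    return rec


# Constructed trail mirroring the article's sequence: quota check, DryRun
# probing, an ECS cluster burst, termination protection, public Function URL.
SAMPLE_EVENTS = (
    [_ev("GetServiceQuota", "servicequotas.amazonaws.com", {"serviceCode": "ec2"})]
    + [_ev("RunInstances", "ec2.amazonaws.com", {"dryRun": True},
           error="Client.DryRunOperation") for _ in range(4)]
    + [_ev("CreateCluster", "ecs.amazonaws.com", {"clusterName": f"c{i}"})
       for i in range(12)]
    + [_ev("ModifyInstanceAttribute", "ec2.amazonaws.com",
           {"instanceId": "i-0placeholder1",
            "disableApiTermination": {"value": True}})]
    # Lambda event names in CloudTrail carry a date suffix; match on prefix.
    + [_ev("CreateFunctionUrlConfig20211014", "lambda.amazonaws.com",
           {"functionName": "placeholder-fn", "authType": "NONE"})]
)


def triage(events, dryrun_min=3, cluster_min=10):
    """Group records by calling identity and return findings. The thresholds
    are assumptions; the article only says 'dozens' of clusters, 50+ at times."""
    by_actor = defaultdict(list)
    for e in events:
        by_actor[e["userIdentity"]["arn"]].append(e)
    findings = []
    for arn, evs in by_actor.items():
        names = Counter(e["eventName"] for e in evs)
        if names["GetServiceQuota"]:
            findings.append({"kind": "quota_recon", "actor": arn,
                             "count": names["GetServiceQuota"]})
        dry = sum(1 for e in evs if e["eventName"] == "RunInstances"
                  and e.get("errorCode") == "Client.DryRunOperation")
        if dry >= dryrun_min:
            findings.append({"kind": "dryrun_probe", "actor": arn, "count": dry})
        clusters = sum(1 for e in evs if e["eventSource"] == "ecs.amazonaws.com"
                       and e["eventName"] == "CreateCluster")
        if clusters >= cluster_min:
            findings.append({"kind": "ecs_cluster_burst", "actor": arn,
                             "count": clusters})
        for e in evs:
            p = e["requestParameters"]
            if (e["eventName"] == "ModifyInstanceAttribute"
                    and p.get("disableApiTermination", {}).get("value") is True):
                findings.append({"kind": "termination_protection", "actor": arn,
                                 "instance": p["instanceId"]})
            if (e["eventName"].startswith("CreateFunctionUrlConfig")
                    and p.get("authType") == "NONE"):
                findings.append({"kind": "public_lambda_url", "actor": arn,
                                 "function": p["functionName"]})
    return findings


def remediation_plan(findings):
    """Order containment so protected instances can actually be removed: cut
    the credential first, re-enable API termination before terminating, then
    drop the unauthenticated Function URL. Returns (action, target) pairs."""
    steps = [("RevokeCredentials", arn)
             for arn in sorted({f["actor"] for f in findings})]
    for f in findings:
        if f["kind"] == "termination_protection":
            steps.append(("ModifyInstanceAttribute disableApiTermination=false",
                          f["instance"]))
            steps.append(("TerminateInstances", f["instance"]))
        elif f["kind"] == "public_lambda_url":
            steps.append(("DeleteFunctionUrlConfig", f["function"]))
    return steps


if __name__ == "__main__":
    found = triage(SAMPLE_EVENTS)
    for f in found:
        print("finding:", f)
    for action, target in remediation_plan(found):
        print("step:", action, target)
```

The plan deliberately lists credential revocation before any resource cleanup: while the stolen key is live, a scripted actor can re-create clusters and re-protect instances faster than a responder deletes them, and the Function URL remains a second way back in even after the IAM user is cleaned up.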

Daily Brief Summary

CYBERCRIME // Stolen AWS Credentials Exploited for Illicit Cryptocurrency Mining

Cryptocurrency thieves are utilizing compromised AWS credentials to mine digital coins, impacting AWS customers by abusing Elastic Container Service and Elastic Compute Cloud resources.

The operation, which began on November 2, involves using IAM credentials with admin-like privileges to deploy mining tools swiftly, within 10 minutes of access.

Amazon's GuardDuty detected the cryptomining activity, alerting affected customers, though the exact number of impacted accounts remains undisclosed.

Attackers exploited EC2 service quotas and used auto-scaling groups to maximize resource consumption, creating dozens of ECS clusters, sometimes exceeding 50 in a single attack.

Persistence was achieved by disabling API termination on AWS instances, complicating the removal process for victims and prolonging unauthorized resource use.

To maintain access, attackers deployed an AWS Lambda function with no authentication, exposing it via a public URL.

Amazon advises implementing strong identity and access management controls, temporary credentials, and multi-factor authentication to mitigate such threats.