AWS Crypto Mining Campaign Using Compromised IAM Credentials

A large‑scale cryptocurrency mining campaign has been uncovered targeting Amazon Web Services (AWS) customers. Attackers are abusing compromised IAM credentials to spin up massive compute resources across ECS and EC2, while employing persistence techniques that make remediation difficult.

Key Findings

  • Detection: First flagged by Amazon GuardDuty on November 2, 2025.
  • Speed: Crypto miners operational within 10 minutes of initial access.
  • Initial access:
    • Attackers used IAM credentials with admin‑like privileges.
    • Invoked RunInstances API with DryRun flag to validate permissions without launching costly instances.
  • Persistence tactics:
    • Created IAM roles for autoscaling groups and Lambda functions.
    • Attached AWSLambdaBasicExecutionRole policy.
    • Registered malicious DockerHub image (yenik65958/secret:user) to ECS Fargate nodes.
    • Created 50+ ECS clusters in some attacks.

Technical Details

  • Malicious Docker image: Configured to run a shell script that launches a crypto miner using the RandomVIREL algorithm.
  • Autoscaling abuse: Groups scaled from 20 to 999 instances, maximizing EC2 quotas.
  • Targeted resources: High‑performance GPU, ML instances, compute, memory, and general‑purpose EC2 types.
  • Persistence trick:
    • Used ModifyInstanceAttribute to set disableApiTermination to true (termination protection).
    • Prevents victims from terminating instances via console, CLI, or API until the attribute is cleared.
    • Forces manual re‑enablement on every affected instance, delaying incident response.
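The termination-protection trick above is undone one instance at a time, which is exactly the delay the attackers are counting on. The following added example (written for this page, not AWS-provided tooling) shows a response helper that clears the attribute with the same ModifyInstanceAttribute call, reversed, and then terminates. The EC2 client is injected, so a real boto3 client (`boto3.client("ec2")`) or the offline stand-in below can be used; instance IDs and the `FakeEc2` class are constructed for illustration.

```python
"""Added example: clear termination protection, then terminate, for a list of instances.

Illustrative code for this page, not AWS tooling. `ec2` is any object exposing the
three boto3 EC2 client methods used here; FakeEc2 is a constructed offline stand-in.
"""


def release_and_terminate(ec2, instance_ids):
    """Disable termination protection where it is set, then terminate all instances.

    Returns {"cleared": [ids whose protection was removed], "terminated": [all ids]}.
    """
    cleared, terminated = [], []
    for iid in instance_ids:
        attr = ec2.describe_instance_attribute(InstanceId=iid, Attribute="disableApiTermination")
        if attr["DisableApiTermination"]["Value"]:
            # Same API the attacker used, with the flag reversed; TerminateInstances
            # is rejected until this has been done.
            ec2.modify_instance_attribute(InstanceId=iid, DisableApiTermination={"Value": False})
            cleared.append(iid)
    if instance_ids:
        ec2.terminate_instances(InstanceIds=list(instance_ids))
        terminated.extend(instance_ids)
    return {"cleared": cleared, "terminated": terminated}


class FakeEc2:
    """Minimal stand-in for boto3's EC2 client (constructed for offline use)."""

    def __init__(self, protected):
        # instance id -> whether termination protection is currently enabled
        self.protected = dict(protected)
        self.state = {iid: "running" for iid in protected}

    def describe_instance_attribute(self, InstanceId, Attribute):
        assert Attribute == "disableApiTermination"
        return {"InstanceId": InstanceId,
                "DisableApiTermination": {"Value": self.protected[InstanceId]}}

    def modify_instance_attribute(self, InstanceId, DisableApiTermination):
        self.protected[InstanceId] = DisableApiTermination["Value"]
        return {}

    def terminate_instances(self, InstanceIds):
        for iid in InstanceIds:
            if self.protected[iid]:
                # Real EC2 returns OperationNotPermitted here; mirrored as an exception
                raise PermissionError(f"{iid}: termination protection is enabled")
            self.state[iid] = "shutting-down"
        return {"TerminatingInstances": [{"InstanceId": i} for i in InstanceIds]}


if __name__ == "__main__":
    # Constructed scenario: one protected instance, one not
    fake = FakeEc2({"i-0example1": True, "i-0example2": False})
    print(release_and_terminate(fake, ["i-0example1", "i-0example2"]))
```

The equivalent manual step per instance is `aws ec2 modify-instance-attribute --instance-id <id> --no-disable-api-termination` followed by `aws ec2 terminate-instances`; the helper simply batches that so a cluster of hundreds of protected instances does not have to be handled by hand.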

Additional Malicious Activity

  • Created Lambda functions invokable by any principal.
  • IAM user user-x1x2x3x4 granted AmazonSESFullAccess, enabling potential phishing campaigns via AWS SES.
  • Technique demonstrates deep knowledge of AWS response procedures and intent to maximize mining uptime.
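Every step listed in Key Findings, Technical Details and Additional Malicious Activity leaves a CloudTrail record, so the chain can be triaged from logs even before a GuardDuty finding arrives. The following added example (written for this page; it is not Amazon's or GuardDuty's detection logic) runs a set of heuristics over constructed CloudTrail-style records: a DryRun RunInstances that "would have succeeded", termination protection being enabled, a burst of ECS CreateCluster calls from one principal, an autoscaling group with an oversized maxSize, a Lambda permission granted to principal `*`, and AmazonSESFullAccess being attached to a user. Field names follow the CloudTrail record format; the thresholds, the principal ARN and the sample records are assumptions.

```python
"""Added example: heuristic triage of CloudTrail records for the behaviours described above.

Illustrative code for this page, not a vendor detection rule. SAMPLE_EVENTS is a
constructed log; the thresholds are assumptions to tune per account.
"""
from collections import Counter

SES_POLICY = "arn:aws:iam::aws:policy/AmazonSESFullAccess"
ACTOR = "arn:aws:iam::111111111111:user/compromised-user"   # constructed principal


def _event(source, name, params, error=None, who=ACTOR):
    """Build a minimal CloudTrail-shaped record (constructed sample data)."""
    ev = {"eventSource": source, "eventName": name,
          "userIdentity": {"arn": who}, "requestParameters": params}
    if error:
        ev["errorCode"] = error
    return ev


# Constructed sample log: one probe, one protection flip, an ECS cluster burst, an
# oversized autoscaling group, a public Lambda permission and the SES policy grant,
# mixed with two benign calls that must not fire.
SAMPLE_EVENTS = [
    _event("ec2.amazonaws.com", "RunInstances", {"dryRun": True}, error="Client.DryRunOperation"),
    _event("ec2.amazonaws.com", "RunInstances", {"instanceType": "t3.micro"},
           who="arn:aws:iam::111111111111:role/ci-deployer"),
    _event("ec2.amazonaws.com", "ModifyInstanceAttribute",
           {"instanceId": "i-0example1", "disableApiTermination": {"value": True}}),
    _event("ec2.amazonaws.com", "ModifyInstanceAttribute",
           {"instanceId": "i-0example2", "disableApiTermination": {"value": False}}),
    _event("autoscaling.amazonaws.com", "UpdateAutoScalingGroup",
           {"autoScalingGroupName": "asg-1", "minSize": 20, "maxSize": 999}),
    _event("lambda.amazonaws.com", "AddPermission20150331v2",
           {"functionName": "fn-1", "principal": "*", "action": "lambda:InvokeFunction"}),
    _event("iam.amazonaws.com", "AttachUserPolicy",
           {"userName": "user-x1x2x3x4", "policyArn": SES_POLICY}),
] + [_event("ecs.amazonaws.com", "CreateCluster", {"clusterName": f"cluster-{i}"}) for i in range(12)]


def _principal(ev):
    return ev.get("userIdentity", {}).get("arn", "unknown")


def _termination_protection_enabled(params):
    # CloudTrail records the attribute as {"disableApiTermination": {"value": true}};
    # a bare boolean is accepted as well.
    value = params.get("disableApiTermination")
    if isinstance(value, dict):
        value = value.get("value")
    return value is True


def analyze(events, cluster_threshold=10, asg_max_threshold=100):
    """Return findings as {"rule", "principal", "detail"} dicts."""
    findings = []
    clusters_by_principal = Counter()
    for ev in events:
        source, name = ev.get("eventSource"), ev.get("eventName") or ""
        params = ev.get("requestParameters") or {}
        who = _principal(ev)
        if source == "ec2.amazonaws.com" and name == "RunInstances" and params.get("dryRun") is True:
            # Permission probing: DryRunOperation means the call would have succeeded,
            # i.e. the credentials can launch instances.
            if ev.get("errorCode") == "Client.DryRunOperation":
                findings.append({"rule": "ec2-dryrun-probe", "principal": who,
                                 "detail": "RunInstances DryRun would have succeeded"})
        elif source == "ec2.amazonaws.com" and name == "ModifyInstanceAttribute" \
                and _termination_protection_enabled(params):
            findings.append({"rule": "termination-protection-enabled", "principal": who,
                             "detail": params.get("instanceId")})
        elif source == "ecs.amazonaws.com" and name == "CreateCluster":
            clusters_by_principal[who] += 1
        elif source == "autoscaling.amazonaws.com" \
                and name in ("CreateAutoScalingGroup", "UpdateAutoScalingGroup"):
            if (params.get("maxSize") or 0) >= asg_max_threshold:
                findings.append({"rule": "asg-oversized", "principal": who,
                                 "detail": f"maxSize={params['maxSize']}"})
        elif source == "lambda.amazonaws.com" and name.startswith("AddPermission") \
                and params.get("principal") == "*":
            # CloudTrail suffixes the Lambda API version onto the event name
            findings.append({"rule": "lambda-public-invoke", "principal": who,
                             "detail": params.get("functionName")})
        elif source == "iam.amazonaws.com" and name == "AttachUserPolicy" \
                and params.get("policyArn") == SES_POLICY:
            findings.append({"rule": "ses-full-access-attached", "principal": who,
                             "detail": params.get("userName")})
    for who, n in clusters_by_principal.items():
        if n >= cluster_threshold:
            findings.append({"rule": "ecs-cluster-burst", "principal": who,
                             "detail": f"{n} CreateCluster calls"})
    return findings


if __name__ == "__main__":
    for f in analyze(SAMPLE_EVENTS):
        print(f"{f['rule']:32} {f['principal']}  {f['detail']}")
```

Run over the constructed sample this reports six findings, all attributed to the same principal, which is the point: the individual calls are legitimate API usage, but their combination from one identity within a short window is the campaign's signature. In production the records would come from a CloudTrail Lake query or an S3-delivered trail, and the cluster-burst rule should be bounded by a time window rather than a flat count.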

Defensive Recommendations

Amazon advises customers to:

  • Enforce strong IAM controls.
  • Use temporary credentials instead of long‑term keys.
  • Enable multi‑factor authentication (MFA) for all users.
  • Apply least privilege (PoLP) to IAM principals.
  • Add container security scanning for suspicious images.
  • Monitor unusual CPU allocation requests in ECS task definitions.
  • Use AWS CloudTrail for logging across services.
  • Ensure GuardDuty is enabled for automated detection and response.

Takeaway

This campaign highlights how attackers are evolving beyond simple cryptojacking:

  • Persistence techniques like disabling API termination show awareness of AWS remediation workflows.
  • Multi‑service orchestration (ECS, EC2, Lambda, SES) demonstrates a scripted, scalable attack chain.
  • Organizations must treat IAM credentials as high‑value assets and enforce strict controls to prevent compromise.
