
"An ongoing campaign has been observed targeting Amazon Web Services (AWS) customers using compromised Identity and Access Management (IAM) credentials to enable cryptocurrency mining. The activity, first detected by Amazon's GuardDuty managed threat detection service and its automated security monitoring systems on November 2, 2025, employs never-before-seen persistence techniques to hamper incident response and continue unimpeded, according to a new report shared by the tech giant ahead of publication."
"The multi-stage attack chain essentially begins with the unknown adversary leveraging compromised IAM user credentials with admin-like privileges to initiate a discovery phase designed to probe the environment for EC2 service quotas and test their permissions by invoking the RunInstances API with the "DryRun" flag set. This enabling of the "DryRun" flag is crucial and intentional as it enables the attackers to validate their IAM permissions without actually launching instances, thereby avoiding racking up costs and minimizing their forensic trail."
"The infection proceeds to the next stage when the threat actor calls CreateServiceLinkedRole and CreateRole to create IAM roles for autoscaling groups and AWS Lambda, respectively. Once the roles are created, the "AWSLambdaBasicExecutionRole" policy is attached to the Lambda role. In the activity observed to date, the threat actor is said to have created dozens of ECS clusters across the environment, in some cases exceeding 50 ECS clusters in a single attack."
Compromised AWS IAM credentials with admin-like privileges are being used to deploy cryptocurrency miners across ECS and EC2. The attackers operate from external hosting providers, rapidly enumerating resources and permissions and validating IAM access using the RunInstances DryRun flag to avoid costs and forensic traces. The chain includes creating service-linked roles and Lambda roles, attaching the AWSLambdaBasicExecutionRole policy, and launching dozens of ECS clusters — sometimes more than 50 per attack. GuardDuty detected the activity on November 2, 2025. Novel persistence techniques hinder incident response and enable miners to become operational within ten minutes.
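Every stage of the chain summarised above is an API call that lands in CloudTrail, so it can be hunted for without GuardDuty. The Python below is an added example, not code from the report, from The Hacker News or from AWS: it runs a small detector over a handful of constructed CloudTrail-style records and groups the indicators per calling principal. The principal ARNs, role and cluster names, timestamps and thresholds are all assumptions chosen for illustration. The DryRun stage is keyed on the `Client.DryRunOperation` error code, which EC2 returns when a DryRun request would otherwise have succeeded (a DryRun the caller is not authorised for fails with `Client.UnauthorizedOperation` instead), and the ECS stage looks for a burst of CreateCluster calls inside a short window rather than a fixed count, since the report describes dozens of clusters appearing within minutes.

```python
"""Detector for the CloudTrail footprint of the AWS IAM-credential crypto-mining chain:
DryRun permission probing, role setup for autoscaling and Lambda, attachment of
AWSLambdaBasicExecutionRole, and a burst of ECS CreateCluster calls.

Added example, not the report's or AWS's own code. Records, names and
thresholds below are constructed for illustration.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Managed policy named in the report.
LAMBDA_BASIC_EXEC = "arn:aws:iam::aws:policy/service-role/AWSLambdaBasicExecutionRole"

# Hypothetical thresholds; tune them to the environment's normal activity.
DRYRUN_THRESHOLD = 3                       # DryRun RunInstances probes per principal
ECS_BURST_THRESHOLD = 5                    # CreateCluster calls per principal ...
ECS_BURST_WINDOW = timedelta(minutes=10)   # ... inside any window of this length


def _ts(rec):
    return datetime.strptime(rec["eventTime"], "%Y-%m-%dT%H:%M:%SZ")


def _max_in_window(times, window):
    """Largest number of timestamps that fall inside any span of length `window`."""
    times = sorted(times)
    best, left = 0, 0
    for right, t in enumerate(times):
        while t - times[left] > window:   # slide the left edge forward
            left += 1
        best = max(best, right - left + 1)
    return best


def analyze(records):
    """Return {principal_arn: [stages]} for principals showing any stage of the chain.

    Records follow the CloudTrail event schema: eventSource, eventName, eventTime,
    errorCode, requestParameters and userIdentity.arn."""
    per = defaultdict(lambda: {"dryrun": 0, "slr": [], "roles": [], "attach": [], "ecs": []})
    for rec in records:
        arn = rec.get("userIdentity", {}).get("arn", "unknown")
        src, name = rec.get("eventSource"), rec.get("eventName")
        params = rec.get("requestParameters") or {}
        p = per[arn]
        if (src == "ec2.amazonaws.com" and name == "RunInstances"
                and rec.get("errorCode") == "Client.DryRunOperation"):
            # EC2 answers a DryRun that would have succeeded with this error code,
            # so it proves the caller holds ec2:RunInstances without launching anything.
            p["dryrun"] += 1
        elif src == "iam.amazonaws.com" and name == "CreateServiceLinkedRole":
            p["slr"].append(params.get("aWSServiceName"))
        elif src == "iam.amazonaws.com" and name == "CreateRole":
            p["roles"].append(params.get("roleName"))
        elif (src == "iam.amazonaws.com" and name == "AttachRolePolicy"
                and params.get("policyArn") == LAMBDA_BASIC_EXEC):
            p["attach"].append(params.get("roleName"))
        elif src == "ecs.amazonaws.com" and name == "CreateCluster":
            p["ecs"].append(_ts(rec))

    findings = {}
    for arn, p in per.items():
        stages = []
        if p["dryrun"] >= DRYRUN_THRESHOLD:
            stages.append("probe")
        if p["slr"] or p["roles"]:
            stages.append("role_setup")
        if p["attach"]:
            stages.append("lambda_policy")
        if _max_in_window(p["ecs"], ECS_BURST_WINDOW) >= ECS_BURST_THRESHOLD:
            stages.append("ecs_burst")
        if stages:
            findings[arn] = sorted(stages)
    return findings


# ---- constructed sample CloudTrail records (hypothetical account, users, names) ----
ATTACKER = "arn:aws:iam::123456789012:user/ci-deploy"   # compromised admin-like user
ADMIN = "arn:aws:iam::123456789012:user/alice"          # benign administrator


def _rec(t, src, name, arn, params=None, error=None):
    r = {"eventTime": t, "eventSource": src, "eventName": name,
         "userIdentity": {"type": "IAMUser", "arn": arn},
         "requestParameters": params or {}}
    if error:
        r["errorCode"] = error
    return r


EC2, IAM, ECS = "ec2.amazonaws.com", "iam.amazonaws.com", "ecs.amazonaws.com"
SAMPLE_EVENTS = [
    # discovery: repeated DryRun probes of RunInstances
    _rec("2025-11-02T03:00:01Z", EC2, "RunInstances", ATTACKER, error="Client.DryRunOperation"),
    _rec("2025-11-02T03:00:02Z", EC2, "RunInstances", ATTACKER, error="Client.DryRunOperation"),
    _rec("2025-11-02T03:00:03Z", EC2, "RunInstances", ATTACKER, error="Client.DryRunOperation"),
    # role setup for autoscaling and Lambda, then the managed policy attachment
    _rec("2025-11-02T03:01:10Z", IAM, "CreateServiceLinkedRole", ATTACKER,
         {"aWSServiceName": "autoscaling.amazonaws.com"}),
    _rec("2025-11-02T03:01:20Z", IAM, "CreateRole", ATTACKER, {"roleName": "lambda-exec"}),
    _rec("2025-11-02T03:01:30Z", IAM, "AttachRolePolicy", ATTACKER,
         {"roleName": "lambda-exec", "policyArn": LAMBDA_BASIC_EXEC}),
    # benign noise: one DryRun and one cluster from a real administrator
    _rec("2025-11-02T03:02:00Z", EC2, "RunInstances", ADMIN, error="Client.DryRunOperation"),
    _rec("2025-11-02T03:02:30Z", ECS, "CreateCluster", ADMIN, {"clusterName": "prod-web"}),
] + [
    # burst of six ECS clusters in under three minutes
    _rec(f"2025-11-02T03:0{5 + i // 2}:{(i % 2) * 30:02d}Z", ECS, "CreateCluster",
         ATTACKER, {"clusterName": f"c{i}"}) for i in range(6)
]

FINDINGS = analyze(SAMPLE_EVENTS)

if __name__ == "__main__":
    for arn, stages in FINDINGS.items():
        print(arn, "->", ", ".join(stages))
```

On real data the same function works over the `Records` array of a CloudTrail log file or the rows returned by a CloudTrail Lake query; the per-principal grouping matters because a single compromised access key drives every stage, while a legitimate administrator typically trips at most one.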
Read at The Hacker News