
"Your AWS account could be quietly running someone else's cryptominer. Cryptocurrency thieves are using stolen Amazon account credentials to mine for coins at the expense of AWS customers, abusing their Elastic Container Service (ECS) and their Elastic Compute Cloud (EC2) resources, in an ongoing operation that started on November 2. The illicit cryptocurrency-mining campaign abuses compromised valid AWS Identity and Access Management (IAM) credentials with "admin-like privileges" - it doesn't exploit a vulnerability -"
"Amazon's GuardDuty threat detection service spotted the cryptomining operation and alerted customers, we're told. After the crooks obtained the compromised AWS credentials, they checked EC2 service quotas to see how many instances they could launch, and tested their credential permissions by calling the RunInstances API multiple times with the DryRun flag enabled. This allowed them to ensure the credentials had sufficient privileges to proceed with their illicit mining, while not yet incurring compute charges and risking detection."
"They also created "dozens" of ECS clusters to enable their illegal activities, sometimes exceeding 50 in a single attack, and used auto scaling groups in EC2 to maximize service quotas and resource consumption. To make disruption more difficult - and thus allow the criminals to collect more cryptocurrency from stolen resources - they used ModifyInstanceAttribute with disable API termination set to true for persistence. This blocks the termination of AWS instances used for mining, and forces victims to take an extra step and re-enable API termination befo"
Compromised AWS IAM credentials with admin-like privileges are being used to deploy cryptominers on ECS and EC2, beginning November 2. Within ten minutes of gaining access, crypto miners became operational. Attackers verify privileges and quotas by calling RunInstances with the DryRun flag and checking EC2 service quotas, then create dozens of ECS clusters and use EC2 auto scaling groups to maximize resource consumption. They call ModifyInstanceAttribute to set disable API termination to true, which prevents the instances from being terminated and increases persistence. The operation produces compute charges for victims while mining cryptocurrency on stolen resources, and GuardDuty alerted affected customers.
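A detection sketch for this pattern, added here and not taken from the article or from AWS: it scans CloudTrail-style records and flags any access key that shows several of the reported indicators together (repeated DryRun RunInstances probes, service quota enumeration, a burst of ECS CreateCluster calls, and ModifyInstanceAttribute setting disableApiTermination). The records, key ids and instance id are constructed; the field shapes follow CloudTrail's record format as I know it, and the thresholds are assumptions to tune per account.

```python
from collections import defaultdict
def ev(name, source, key, **extra):
    return {"eventName": name, "eventSource": source,
            "userIdentity": {"accessKeyId": key}, **extra}

# Constructed CloudTrail-style records, not real log data: AKIAEXAMPLEBAD follows
# the reported pattern, AKIAEXAMPLEGOOD is ordinary admin activity.
SAMPLE_EVENTS = (
    [ev("ListServiceQuotas", "servicequotas.amazonaws.com", "AKIAEXAMPLEBAD")]
    + [ev("RunInstances", "ec2.amazonaws.com", "AKIAEXAMPLEBAD",
          errorCode="Client.DryRunOperation") for _ in range(4)]
    + [ev("CreateCluster", "ecs.amazonaws.com", "AKIAEXAMPLEBAD") for _ in range(6)]
    + [ev("ModifyInstanceAttribute", "ec2.amazonaws.com", "AKIAEXAMPLEBAD",
          requestParameters={"instanceId": "i-0123456789abcdef0",
                             "disableApiTermination": {"value": True}})]
    + [ev("RunInstances", "ec2.amazonaws.com", "AKIAEXAMPLEGOOD"),
       ev("CreateCluster", "ecs.amazonaws.com", "AKIAEXAMPLEGOOD")]
)
DRY_RUN_THRESHOLD, CLUSTER_THRESHOLD = 3, 5  # assumed; tune to the account's normal activity

def summarize(events):
    # Count, per access key, the indicators the campaign is reported to leave
    per_key = defaultdict(lambda: {"dry_run_probes": 0, "quota_checks": 0,
                                   "ecs_clusters": 0, "termination_locked": []})
    for e in events:
        s = per_key[e.get("userIdentity", {}).get("accessKeyId", "unknown")]
        name, source = e.get("eventName"), e.get("eventSource")
        if name == "RunInstances" and e.get("errorCode") == "Client.DryRunOperation":
            s["dry_run_probes"] += 1      # permission probe, nothing launched
        elif source == "servicequotas.amazonaws.com":
            s["quota_checks"] += 1        # sizing how much can be launched
        elif name == "CreateCluster" and source == "ecs.amazonaws.com":
            s["ecs_clusters"] += 1
        elif name == "ModifyInstanceAttribute":
            p = e.get("requestParameters", {})
            if p.get("disableApiTermination", {}).get("value") is True:
                s["termination_locked"].append(p.get("instanceId"))
    return dict(per_key)

def flag_keys(events):
    # Return {accessKeyId: [reasons]} for keys showing two or more indicators
    findings = {}
    for key, s in summarize(events).items():
        checks = [
            (s["dry_run_probes"] >= DRY_RUN_THRESHOLD, "repeated RunInstances DryRun probes"),
            (s["ecs_clusters"] >= CLUSTER_THRESHOLD, "burst of ECS cluster creation"),
            (bool(s["termination_locked"]), "disableApiTermination set to true"),
            (s["quota_checks"] > 0, "service quota enumeration")]
        reasons = [msg for hit, msg in checks if hit]
        if len(reasons) >= 2:
            findings[key] = reasons
    return findings
```

The `termination_locked` list doubles as the remediation worklist: those are the instances where API termination must be re-enabled before they can be shut down.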
Read at Theregister