Cryptojacking in the Cloud: Uncovering the Threat of Compromised AWS Credentials

Key Takeaways

  • An ongoing campaign is targeting Amazon Web Services (AWS) customers using compromised Identity and Access Management (IAM) credentials to enable cryptocurrency mining.
  • The attack employs never-before-seen persistence techniques to hamper incident response and continue unimpeded.
  • The threat actor uses compromised IAM user credentials with admin-like privileges to initiate a discovery phase and deploy crypto mining resources across ECS and EC2.
  • The attack involves creating dozens of ECS clusters, autoscaling groups, and Lambda functions to maximize resource consumption and exploit EC2 service quotas.
  • To secure against the threat, AWS customers are urged to enforce strong identity and access management controls, implement temporary credentials, use multi-factor authentication, and apply the principle of least privilege to IAM principals.

Introduction to the Threat
The tech giant Amazon has detected an ongoing campaign targeting its customers using compromised Identity and Access Management (IAM) credentials to enable cryptocurrency mining. The activity was first detected by Amazon’s GuardDuty managed threat detection service and its automated security monitoring systems on November 2, 2025. The threat actor employs never-before-seen persistence techniques to hamper incident response and continue unimpeded, making it a significant advancement in crypto mining attack methodologies.

The Attack Chain
The multi-stage attack chain begins with the unknown adversary leveraging compromised IAM user credentials with admin-like privileges to initiate a discovery phase designed to probe the environment for EC2 service quotas and test their permissions. The threat actor invokes the RunInstances API with the "DryRun" flag set, which enables them to validate their IAM permissions without actually launching instances, thereby avoiding racking up costs and minimizing their forensic trail. This step is crucial in determining if the target infrastructure is suitable for deploying the miner program. The infection proceeds to the next stage when the threat actor calls CreateServiceLinkedRole and CreateRole to create IAM roles for autoscaling groups and AWS Lambda, respectively.

Deployment of Crypto Mining Resources
Once the roles are created, the "AWSLambdaBasicExecutionRole" policy is attached to the Lambda role. The threat actor then creates dozens of ECS clusters across the environment, in some cases exceeding 50 ECS clusters in a single attack. The actor calls RegisterTaskDefinition with a malicious DockerHub image, which is configured to run a shell script as soon as it’s deployed to launch cryptocurrency mining using the RandomVIREL mining algorithm. Additionally, the threat actor creates autoscaling groups that are set to scale from 20 to 999 instances in an effort to exploit EC2 service quotas and maximize resource consumption.

Persistence Techniques
What makes this campaign stand apart is its use of the ModifyInstanceAttribute action with the "disableApiTermination" parameter set to "True," which prevents an instance from being terminated using the Amazon EC2 console, command line interface, or API. This technique demonstrates an understanding of common security response procedures and intent to maximize the duration of mining operations. The threat actor also creates a Lambda function that can be invoked by any principal and an IAM user "user-x1x2x3x4" to which the AWS managed policy "AmazonSESFullAccess" is attached, granting the adversary complete access over the Amazon Simple Email Service (SES) to likely carry out phishing attacks.
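The discovery, deployment and persistence steps above all leave CloudTrail records. The following is an added example of how a defender could triage such records for the pattern the article describes; it is not code from the article, Amazon or GuardDuty. The sample records are constructed and simplified from CloudTrail's layout (userIdentity, eventName, requestParameters, errorCode), the thresholds and the trusted-registry prefix are assumptions, and the account id is a placeholder. It also checks for a burst of CreateCluster calls by one principal, which the article's "dozens of ECS clusters" would produce.

```python
from collections import Counter

# Thresholds and trusted registry are assumptions; tune them to the account's baseline.
MAX_SANE_ASG_SIZE = 100
MAX_SANE_TASK_CPU = 4096                             # ECS task CPU units, 1024 = 1 vCPU
TRUSTED_IMAGE_PREFIXES = ("111122223333.dkr.ecr.",)  # placeholder account id
HIGH_RISK_POLICIES = {"arn:aws:iam::aws:policy/AmazonSESFullAccess"}


def _p(event):
    return event.get("requestParameters") or {}


def rule_dry_run_probe(event):
    # A DryRun RunInstances launches nothing; CloudTrail records it as an error
    # with code Client.DryRunOperation, which makes the permission probe visible.
    if event.get("eventName") == "RunInstances" and event.get("errorCode") == "Client.DryRunOperation":
        return "RunInstances DryRun permission probe"


def rule_termination_protection(event):
    # disableApiTermination=true blocks termination from console, CLI and API.
    if event.get("eventName") == "ModifyInstanceAttribute":
        if (_p(event).get("disableApiTermination") or {}).get("value") is True:
            return f"termination protection enabled on {_p(event).get('instanceId')}"


def rule_public_lambda(event):
    # AddPermission with principal "*" lets any principal invoke the function.
    if event.get("eventName") == "AddPermission" and _p(event).get("principal") == "*":
        return f"lambda {_p(event).get('functionName')} invocable by any principal"


def rule_high_risk_policy(event):
    if event.get("eventName") == "AttachUserPolicy" and _p(event).get("policyArn") in HIGH_RISK_POLICIES:
        return f"{_p(event)['policyArn']} attached to user {_p(event).get('userName')}"


def rule_oversized_asg(event):
    if event.get("eventName") in ("CreateAutoScalingGroup", "UpdateAutoScalingGroup"):
        max_size = int(_p(event).get("maxSize") or 0)
        if max_size > MAX_SANE_ASG_SIZE:
            return f"autoscaling group maxSize={max_size}"


def rule_task_definition(event):
    # Unusual CPU request or an image outside the trusted registry in a new task.
    if event.get("eventName") == "RegisterTaskDefinition":
        cpu = int(_p(event).get("cpu") or 0)
        images = [c.get("image", "") for c in _p(event).get("containerDefinitions", [])]
        untrusted = [i for i in images if not i.startswith(TRUSTED_IMAGE_PREFIXES)]
        if cpu > MAX_SANE_TASK_CPU or untrusted:
            return f"task cpu={cpu} untrusted images={untrusted}"


RULES = [rule_dry_run_probe, rule_termination_protection, rule_public_lambda,
         rule_high_risk_policy, rule_oversized_asg, rule_task_definition]


def triage(events):
    """Return (eventName, finding) pairs for every record that trips a rule."""
    findings = []
    for ev in events:
        for rule in RULES:
            hit = rule(ev)
            if hit:
                findings.append((ev["eventName"], hit))
    return findings


def cluster_burst(events, threshold):
    """Principals that created more than `threshold` ECS clusters in this batch."""
    counts = Counter(ev["userIdentity"]["arn"] for ev in events if ev.get("eventName") == "CreateCluster")
    return {arn for arn, n in counts.items() if n > threshold}


ACTOR = {"arn": "arn:aws:iam::111122223333:user/compromised-user"}  # constructed identity
SAMPLE_EVENTS = [  # constructed records following the article's sequence
    {"userIdentity": ACTOR, "eventSource": "ec2.amazonaws.com", "eventName": "RunInstances",
     "errorCode": "Client.DryRunOperation", "requestParameters": {"instanceType": "c5.4xlarge"}},
    {"userIdentity": ACTOR, "eventSource": "ec2.amazonaws.com", "eventName": "DescribeInstances",
     "requestParameters": {}},
    *[{"userIdentity": ACTOR, "eventSource": "ecs.amazonaws.com", "eventName": "CreateCluster",
       "requestParameters": {"clusterName": f"cluster-{i}"}} for i in range(3)],
    {"userIdentity": ACTOR, "eventSource": "ecs.amazonaws.com", "eventName": "RegisterTaskDefinition",
     "requestParameters": {"family": "worker", "cpu": "8192",
                           "containerDefinitions": [{"name": "w", "image": "docker.io/example/unknown:latest"}]}},
    {"userIdentity": ACTOR, "eventSource": "autoscaling.amazonaws.com", "eventName": "CreateAutoScalingGroup",
     "requestParameters": {"autoScalingGroupName": "asg-1", "minSize": 20, "maxSize": 999}},
    {"userIdentity": ACTOR, "eventSource": "ec2.amazonaws.com", "eventName": "ModifyInstanceAttribute",
     "requestParameters": {"instanceId": "i-0123456789abcdef0", "disableApiTermination": {"value": True}}},
    {"userIdentity": ACTOR, "eventSource": "lambda.amazonaws.com", "eventName": "AddPermission",
     "requestParameters": {"functionName": "fn-1", "principal": "*", "action": "lambda:InvokeFunction"}},
    {"userIdentity": ACTOR, "eventSource": "iam.amazonaws.com", "eventName": "AttachUserPolicy",
     "requestParameters": {"userName": "user-x1x2x3x4", "policyArn": "arn:aws:iam::aws:policy/AmazonSESFullAccess"}},
]

if __name__ == "__main__":
    for name, finding in triage(SAMPLE_EVENTS):
        print(f"{name:25} {finding}")
    print("cluster burst:", cluster_burst(SAMPLE_EVENTS, threshold=2))
```

Each rule is deliberately narrow so that a single hit is low-noise on its own; the value comes from several of them firing for the same principal within a short window, which is the ordering to alert on. The benign DescribeInstances record in the sample trips nothing.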

Security Risks and Implications
The security risk associated with ModifyInstanceAttribute has come to light before. In April 2024, security researcher Harsha Koushik demonstrated a proof-of-concept (PoC) that detailed how the action can be abused to take over instances, exfiltrate instance role credentials, and even seize control of the entire AWS account. The attacks entail the creation of a Lambda function and an IAM user with complete access over the Amazon Simple Email Service (SES), which can be used to carry out phishing attacks. The threat actor’s scripted use of multiple compute services, in combination with emerging persistence techniques, represents a significant advancement in crypto mining attack methodologies.

Recommendations for Securing Against the Threat
To secure against the threat, Amazon is urging AWS customers to follow several steps. These include enforcing strong identity and access management controls, implementing temporary credentials instead of long-term access keys, using multi-factor authentication (MFA) for all users, and applying the principle of least privilege (PoLP) to IAM principals to restrict access. Additionally, customers are advised to add container security controls to scan for suspicious images, monitor unusual CPU allocation requests in ECS task definitions, use AWS CloudTrail to log events across AWS services, and ensure AWS GuardDuty is enabled to facilitate automated response workflows. By following these steps, AWS customers can protect themselves against this ongoing campaign and prevent cryptocurrency mining attacks.
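Two of the recommendations, replacing long-term access keys with temporary credentials and requiring MFA, can be checked against the IAM credential report an account can generate. The following is an added example of such an audit, not code from the article or AWS; the report below is constructed and keeps only a subset of the report's columns (the column names are the ones the real report uses), the rotation window is an assumed policy and the account id is a placeholder.

```python
import csv
import io
from datetime import datetime, timezone

MAX_KEY_AGE_DAYS = 90  # assumed rotation policy; not a figure from the article

# Constructed credential report: a subset of the real report's columns.
SAMPLE_REPORT = """\
user,arn,password_enabled,mfa_active,access_key_1_active,access_key_1_last_rotated,access_key_1_last_used_date,access_key_2_active,access_key_2_last_rotated,access_key_2_last_used_date
<root_account>,arn:aws:iam::111122223333:root,not_supported,true,false,N/A,N/A,false,N/A,N/A
alice,arn:aws:iam::111122223333:user/alice,true,true,true,2025-10-15T09:00:00+00:00,2025-11-01T08:00:00+00:00,false,N/A,N/A
ci-deploy,arn:aws:iam::111122223333:user/ci-deploy,false,false,true,2025-01-01T00:00:00+00:00,2025-11-01T20:00:00+00:00,false,N/A,N/A
bob,arn:aws:iam::111122223333:user/bob,true,false,true,2025-09-01T00:00:00+00:00,N/A,false,N/A,N/A
"""


def _parse_ts(value):
    # The report uses N/A, no_information and not_supported for "no date".
    if value in ("N/A", "no_information", "not_supported", ""):
        return None
    return datetime.fromisoformat(value)


def audit_credential_report(report_csv, now):
    """Return (user, finding) pairs for users that fail the MFA or key-age checks."""
    findings = []
    for row in csv.DictReader(io.StringIO(report_csv)):
        user = row["user"]
        # Console access without MFA.
        if row["password_enabled"] == "true" and row["mfa_active"] != "true":
            findings.append((user, "console password enabled without MFA"))
        # Long-lived or never-used access keys in either key slot.
        for slot in ("1", "2"):
            if row[f"access_key_{slot}_active"] != "true":
                continue
            rotated = _parse_ts(row[f"access_key_{slot}_last_rotated"])
            if rotated is not None:
                age = (now - rotated).days
                if age > MAX_KEY_AGE_DAYS:
                    findings.append((user, f"access key {slot} is {age} days old; move to temporary credentials"))
            if _parse_ts(row[f"access_key_{slot}_last_used_date"]) is None:
                findings.append((user, f"access key {slot} is active but has never been used"))
    return findings


if __name__ == "__main__":
    for user, finding in audit_credential_report(SAMPLE_REPORT, datetime.now(timezone.utc)):
        print(f"{user:15} {finding}")
```

The never-used check matters as much as the age check: an active key that nothing legitimately uses is exactly the kind of credential that shows up later as compromised, and removing it costs nothing. Run the same function over a real report exported from the account and the findings map directly onto the MFA and temporary-credential recommendations.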
