Amazon’s AWS GuardDuty team has identified a crypto-mining campaign that uses compromised IAM credentials to target EC2 and ECS, with persistence techniques that hinder incident response. The threat actor used a malicious Docker image and automated scripts to maximize mining throughput, causing financial loss and resource exhaustion for affected AWS customers. #CryptoMining #IAMCompromise
Key points
- The attack started on November 2nd and targeted AWS EC2 and ECS using stolen IAM credentials.
- The threat actor employed a Docker Hub image created at the end of October with over 100,000 pulls.
- The campaign included rapid cryptomining activities within 10 minutes of initial access, with automated deployment across many instances.
- New persistence methods involved disabling API termination, complicating incident response efforts.
- Amazon responded by alerting customers and removing the malicious Docker image from Docker Hub.
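The persistence trick named in the key points is EC2 termination protection: once `disableApiTermination` is set on an instance, a plain `TerminateInstances` call fails, and responders have to clear the attribute first. The detector below is an added illustration, not code from AWS or GuardDuty. It correlates CloudTrail records so that termination protection enabled within a short window after `RunInstances`, by the same access key, is surfaced as a finding, and it emits the remediation calls in the order that actually works (clear the attribute, then terminate). The CloudTrail record shapes, the sample events and the access key IDs are constructed for the example; the 10-minute window is a tunable choice, not an AWS threshold.

```python
"""Flag EC2 termination protection enabled shortly after launch (constructed example)."""
from datetime import datetime, timedelta, timezone


def _ts(s):
    """Parse a CloudTrail eventTime such as 2023-11-02T10:00:00Z."""
    return datetime.strptime(s, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


# Constructed CloudTrail-style records; instance IDs and access key IDs are fake.
# Both request shapes CloudTrail uses for ModifyInstanceAttribute are represented
# (nested {"value": true} and the flat "attribute"/"value" form), as an assumption.
SAMPLE_EVENTS = [
    {"eventTime": "2023-11-02T10:00:00Z", "eventName": "RunInstances",
     "userIdentity": {"accessKeyId": "AKIACONSTRUCTED0STOLEN"},
     "responseElements": {"instancesSet": {"items": [
         {"instanceId": "i-0aaa0000000000001"}, {"instanceId": "i-0aaa0000000000002"}]}}},
    {"eventTime": "2023-11-02T10:03:00Z", "eventName": "ModifyInstanceAttribute",
     "userIdentity": {"accessKeyId": "AKIACONSTRUCTED0STOLEN"},
     "requestParameters": {"instanceId": "i-0aaa0000000000001",
                           "disableApiTermination": {"value": True}}},
    {"eventTime": "2023-11-02T10:03:05Z", "eventName": "ModifyInstanceAttribute",
     "userIdentity": {"accessKeyId": "AKIACONSTRUCTED0STOLEN"},
     "requestParameters": {"instanceId": "i-0aaa0000000000002",
                           "attribute": "disableApiTermination", "value": "true"}},
    # An operator protecting a long-lived instance days after launch: not flagged.
    {"eventTime": "2023-10-30T09:00:00Z", "eventName": "RunInstances",
     "userIdentity": {"accessKeyId": "AKIACONSTRUCTED00ADMIN"},
     "responseElements": {"instancesSet": {"items": [{"instanceId": "i-0bbb0000000000009"}]}}},
    {"eventTime": "2023-11-02T11:00:00Z", "eventName": "ModifyInstanceAttribute",
     "userIdentity": {"accessKeyId": "AKIACONSTRUCTED00ADMIN"},
     "requestParameters": {"instanceId": "i-0bbb0000000000009",
                           "disableApiTermination": {"value": True}}},
    # Clearing protection (value false) is not persistence and is ignored.
    {"eventTime": "2023-11-02T11:30:00Z", "eventName": "ModifyInstanceAttribute",
     "userIdentity": {"accessKeyId": "AKIACONSTRUCTED00ADMIN"},
     "requestParameters": {"instanceId": "i-0bbb0000000000009",
                           "disableApiTermination": {"value": False}}},
]


def enables_termination_protection(event):
    """True if this record turns disableApiTermination ON, in either request shape."""
    if event.get("eventName") != "ModifyInstanceAttribute":
        return False
    params = event.get("requestParameters") or {}
    nested = params.get("disableApiTermination")
    if isinstance(nested, dict):
        return nested.get("value") is True
    if params.get("attribute") == "disableApiTermination":
        return str(params.get("value")).lower() == "true"
    return False


def launch_index(events):
    """Map instanceId -> (launch time, access key) from RunInstances responses."""
    launched = {}
    for e in events:
        if e.get("eventName") != "RunInstances":
            continue
        items = e.get("responseElements", {}).get("instancesSet", {}).get("items", [])
        for item in items:
            launched[item["instanceId"]] = (_ts(e["eventTime"]),
                                            e.get("userIdentity", {}).get("accessKeyId"))
    return launched


def find_fast_protection(events, window_minutes=10):
    """Findings for instances protected within the window of their own launch."""
    launched = launch_index(events)
    window = timedelta(minutes=window_minutes)
    findings = []
    for e in sorted(events, key=lambda x: x["eventTime"]):
        if not enables_termination_protection(e):
            continue
        iid = e["requestParameters"]["instanceId"]
        if iid not in launched:
            continue  # launch outside the exported log range; not scored here
        launch_time, launch_key = launched[iid]
        protect_time = _ts(e["eventTime"])
        key = e.get("userIdentity", {}).get("accessKeyId")
        if timedelta(0) <= protect_time - launch_time <= window:
            findings.append({"instanceId": iid, "accessKeyId": key,
                             "sameKeyAsLaunch": key == launch_key,
                             "secondsAfterLaunch": int((protect_time - launch_time).total_seconds())})
    return findings


def remediation_plan(findings):
    """Ordered EC2 API calls: protection must be cleared before termination succeeds."""
    plan = []
    for f in findings:
        plan.append(("ModifyInstanceAttribute",
                     {"InstanceId": f["instanceId"], "DisableApiTermination": {"Value": False}}))
    if findings:
        plan.append(("TerminateInstances", {"InstanceIds": [f["instanceId"] for f in findings]}))
    return plan


if __name__ == "__main__":
    for finding in find_fast_protection(SAMPLE_EVENTS):
        print(finding)
    for api, params in remediation_plan(find_fast_protection(SAMPLE_EVENTS)):
        print(api, params)
```

In production the findings would feed an alert keyed on the access key, which is the more useful pivot than the instance ID: the key that launched and protected the instances is the compromised credential to disable, and the same key's other `RunInstances` and ECS `RegisterTaskDefinition` / `RunTask` events show the rest of the fleet it built.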