An ongoing cyberattack targets AWS customers by exploiting compromised IAM credentials to deploy cryptocurrency mining operations, utilizing sophisticated persistence techniques. Amazon warns users to enhance their security measures to prevent further damage and unauthorized resource consumption. #IAMCredentials #CryptoMining
Keypoints
- The attack involves the use of compromised IAM credentials with admin privileges to initiate mining activities on AWS infrastructure.
- Attackers create multiple ECS clusters and deploy malicious Docker images to run crypto mining scripts.
- The threat exploits the “disableApiTermination” parameter to prevent instance termination, complicating incident response.
- Creating autoscaling groups with large instance counts aims to exploit resource quotas and maximize mining profit.
- Amazon advises implementing strong IAM controls, monitoring, and enabling GuardDuty for threat detection and automated response.
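The three behaviours listed above can be hunted for in CloudTrail management events. The following is an added detection sketch, not code from the article or from AWS: the record fields follow the CloudTrail layout as an assumption, and the thresholds, ARNs and sample records are constructed.

```python
from collections import defaultdict

# Assumed tuning values, not from the article: adjust to your account's baseline.
ASG_MAX_SIZE_THRESHOLD = 20
ECS_CLUSTER_BURST = 3

def triage(events):
    """Return (finding, principal_arn, detail) tuples for the behaviours in the key points."""
    findings, clusters = [], defaultdict(int)
    for ev in events:
        src, name = ev.get("eventSource"), ev.get("eventName")
        params = ev.get("requestParameters") or {}
        who = (ev.get("userIdentity") or {}).get("arn", "unknown")
        if src == "ec2.amazonaws.com" and name == "ModifyInstanceAttribute":
            # Termination protection switched on for an existing instance
            if (params.get("disableApiTermination") or {}).get("value") is True:
                findings.append(("termination_protection_enabled", who, params.get("instanceId")))
        elif src == "autoscaling.amazonaws.com" and name == "CreateAutoScalingGroup":
            # Unusually large group ceiling for this account
            if int(params.get("maxSize", 0)) >= ASG_MAX_SIZE_THRESHOLD:
                findings.append(("large_autoscaling_group", who, params.get("autoScalingGroupName")))
        elif src == "ecs.amazonaws.com" and name == "CreateCluster":
            clusters[who] += 1
    # Several ECS clusters created by one principal within the reviewed window
    for who, count in clusters.items():
        if count >= ECS_CLUSTER_BURST:
            findings.append(("ecs_cluster_burst", who, count))
    return findings

def _ev(src, name, arn, **params):
    """Build a minimal CloudTrail-style record (helper for the constructed samples)."""
    return {"eventSource": src, "eventName": name,
            "userIdentity": {"arn": arn}, "requestParameters": params}

# Constructed sample records with placeholder account ID and names, not real logs.
SUSPECT = "arn:aws:iam::111122223333:user/example-admin"
OPS = "arn:aws:iam::111122223333:user/example-ops"
SAMPLE_EVENTS = (
    [_ev("ecs.amazonaws.com", "CreateCluster", SUSPECT, clusterName=f"c{i}") for i in range(3)]
    + [_ev("ecs.amazonaws.com", "CreateCluster", OPS, clusterName="web"),
       _ev("ec2.amazonaws.com", "ModifyInstanceAttribute", SUSPECT,
           instanceId="i-0example", disableApiTermination={"value": True}),
       _ev("ec2.amazonaws.com", "ModifyInstanceAttribute", OPS,
           instanceId="i-0other", disableApiTermination={"value": False}),
       _ev("autoscaling.amazonaws.com", "CreateAutoScalingGroup", SUSPECT,
           autoScalingGroupName="asg-example", maxSize=999),
       _ev("autoscaling.amazonaws.com", "CreateAutoScalingGroup", OPS,
           autoScalingGroupName="asg-web", maxSize=4)]
)

if __name__ == "__main__":
    for finding in triage(SAMPLE_EVENTS):
        print(finding)
```

Any single finding can be legitimate on its own; the same principal appearing in all three is what warrants rotating that credential and reviewing its recent activity.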
Read More: https://thehackernews.com/2025/12/compromised-iam-credentials-power-large.html