## crypto Mining Campaign Targets AWS Customers via Compromised IAM Credentials
An ongoing campaign has been observed targeting Amazon Web Services (AWS) customers using compromised Identity and Access Management (IAM) credentials to enable cryptocurrency mining.
The activity, first detected by AmazonS GuardDuty managed threat detection service and its automated security monitoring systems on November 2, 2025, employs never-before-seen persistence techniques to hamper incident response and continue unimpeded, according to a new report shared by the tech giant ahead of publication.
“Operating from an external hosting provider,the threat actor quickly enumerated resources and permissions before deploying crypto mining resources across ECS and EC2,” Amazon said. “Within 10 minutes of the threat actor gaining initial access, crypto miners were operational.”
The multi-stage attack chain essentially begins with the unkown adversary leveraging compromised IAM user credentials with admin-like privileges to initiate a revelation phase designed to probe the environment for EC2 service quotas and test their permissions by invoking the RunInstances API with the “DryRun” flag set.
This enabling of the “DryRun” flag is crucial and intentional as it enables the attackers to validate their IAM permissions without actually launching instances, thereby avoiding racking up costs and minimizing their forensic trail. The end goal of the step is to determine if the target infrastructure is suitable for deploying the miner program.
AWS Warns of Refined Crypto Mining Attacks Targeting Multiple Compute Services
Amazon Web services (AWS) has issued a warning about a recent surge in sophisticated crypto mining attacks. These attacks leverage multiple AWS compute services in a coordinated manner, employing emerging persistence techniques that represent a notable escalation in attacker methodology. The attacks highlight the need for robust security measures and proactive monitoring of AWS environments.
Publication Date: 2025/12/17 09:00
Understanding the Threat
The threat actor is utilizing a scripted approach to deploy crypto mining operations across various AWS services, including EC2, ECS, and Lambda. This multi-service approach allows attackers to distribute their workload and evade detection. The use of emerging persistence techniques indicates a higher level of sophistication, enabling attackers to maintain access to compromised environments for extended periods.This differs from previous, more opportunistic attacks.
Attack Vectors and Techniques
While AWS hasn’t publicly detailed all specific attack vectors,the report indicates a focus on exploiting vulnerabilities or misconfigurations within AWS services. Attackers are likely leveraging:
- compromised Credentials: Stolen or weak AWS credentials remain a primary attack vector.
- Vulnerable Applications: Exploiting vulnerabilities in applications running on AWS.
- Misconfigured Services: Taking advantage of improperly configured security groups, IAM roles, or other AWS settings.
- Container Image Vulnerabilities: Utilizing compromised or vulnerable container images.
AWS Recommended Security Measures
AWS has provided a list of recommended security measures to mitigate the risk of these attacks. Implementing these controls is crucial for protecting AWS environments.
- Implement strong Identity and Access Management (IAM) policies to restrict access to AWS resources.
- Add container security controls to scan for suspicious images. ECS security best practices recommend regular image scanning.
- Monitor unusual CPU allocation requests in ECS task definitions. Unexpectedly high CPU requests could indicate malicious activity.
- Use AWS CloudTrail to log events across AWS services for auditing and forensic analysis.
- ensure AWS GuardDuty is enabled to facilitate automated threat detection and response workflows.
The Evolution of Crypto Mining Attacks
According to Amazon, “The threat actor’s scripted use of multiple compute services, in combination with emerging persistence techniques, represents a significant advancement in crypto mining attack methodologies.” This highlights a concerning trend: attackers are becoming more organized and sophisticated in their approach to crypto mining on cloud platforms. Previously, attacks were frequently enough opportunistic and short-lived.Now, attackers are demonstrating a greater understanding of cloud infrastructure and a commitment to long-term persistence.
Key Takeaways
- Crypto mining attacks on AWS are becoming more sophisticated.
- Attackers are leveraging multiple AWS services to distribute their workload.
- Emerging persistence techniques allow attackers to maintain access for longer periods.
- Proactive security measures and continuous monitoring are essential for mitigating the risk.
FAQ
What is crypto mining?
Crypto mining is the process of verifying and adding transaction records to a public ledger (blockchain). It requires significant computational power, which attackers often attempt to obtain by hijacking resources from cloud providers like AWS.
What is AWS GuardDuty?
AWS GuardDuty is a threat detection service that continuously monitors your AWS accounts and workloads for malicious activity and unauthorized behavior. It uses machine learning and threat intelligence to identify potential security threats.
How can I prevent my AWS account from being compromised?
Implementing strong IAM policies, enabling multi-factor authentication (MFA), regularly auditing your AWS configuration, and keeping your software up to date are all crucial steps in preventing account compromise.
As cloud environments become increasingly complex, staying ahead of evolving threats requires a proactive and layered security approach. Continuous monitoring, robust security controls, and a commitment to best practices are essential for protecting AWS workloads from crypto mining attacks and other malicious activities.