Full Report
'Within 10 minutes of gaining initial access, crypto miners were operational' Your AWS account could be quietly running someone else's cryptominer. Cryptocurrency thieves are using stolen Amazon account credentials to mine for coins at the expense of AWS customers, abusing their Elastic Container Service (ECS) and their Elastic Compute Cloud (EC2) resources, in an ongoing operation that started on November 2.…
Analysis Summary
# Tool/Technique: AWS Cryptomining Abuse (Leveraging Stolen Credentials)
## Overview
This describes an ongoing, automated campaign where threat actors use stolen, valid AWS Identity and Access Management (IAM) credentials—often with "admin-like privileges"—to establish cryptocurrency mining operations on compromised customer infrastructure, primarily leveraging Amazon EC2 and ECS services. The objective is resource misappropriation for financial gain through crypto mining.
## Technical Details
- Type: Technique (Abuse of legitimate cloud services/credentials)
- Platform: Amazon Web Services (AWS) - Specifically EC2 and ECS services.
- Capabilities: Rapid deployment of cryptominers, persistence enablement, and credential testing.
- First Seen: Operation started on November 2 (article published December 18, 2025).
## MITRE ATT&CK Mapping
- TA0001 - Initial Access
- T1078.004 - Valid Accounts: Cloud Accounts (Leveraging stolen IAM credentials)
- TA0004 - Privilege Escalation (Implicit, via use of admin-like keys)
- TA0008 - Lateral Movement (Not explicitly detailed, but implied if compromised keys span organizational units)
- TA0011 - Persistence
- T1536.004 - Persistent Cloud Instance Activity (Via disabling termination)
- TA0016 - Resource Hijacking
- T1496 - Resource Hijacking (Specifically for cryptocurrency mining)
## Functionality
### Core Capabilities
- **Credential Harvesting/Use:** Abusing previously compromised valid AWS IAM credentials to interact with AWS APIs.
- **Service Quota Identification:** Checking EC2 service quotas via API calls to determine maximum launch capacity for resource consumption.
- **Privilege Verification:** Testing credential permissions using the `RunInstances` API call with the `DryRun` flag enabled to ensure sufficient privileges without incurring costs or raising immediate alarms.
- **Resource Deployment:** Deploying mining tools onto EC2 instances and creating dozens of ECS clusters (sometimes exceeding 50 per attack) to host the miners.
- **Rapid Operationalization:** Miners become operational within 10 minutes of initial access.
### Advanced Features
- **Persistence Mechanism:** Using the `ModifyInstanceAttribute` API call to set `disableApiTermination` to `true` on the launched EC2 instances, which blocks termination through the API by the victim or by automated cleanup scripts until the attribute is cleared again.
- **Access Maintenance:** Creating an AWS Lambda function configured with no authentication and exposed via a public Lambda Function URL to maintain access to the victim's environment even if initial access credentials expire or change.
- **Scalability:** Utilizing EC2 Auto Scaling groups to maximize service quotas and resource consumption efficiently.
## Indicators of Compromise
- File Hashes: N/A (Focus is on API usage and cloud resource configuration, not traditional file malware drop)
- File Names: N/A (Focus is on cloud service deployment)
- Registry Keys: N/A
- Network Indicators: Interaction with AWS control plane APIs (e.g., `ec2:RunInstances`, `ec2:ModifyInstanceAttribute`, `lambda:CreateFunction`, `lambda:CreateFunctionUrlConfig`).
- Behavioral Indicators:
  - Rapid successive API calls to check service quotas and to test `RunInstances` with `DryRun`.
  - Creation of numerous ECS clusters in a short period.
  - Attempts to set the `DisableApiTermination` attribute to `true` on running instances.
  - Creation of publicly accessible Lambda Function URLs configured with no authentication.
## Associated Threat Actors
- Undocumented cryptocurrency thieves/cryptojackers targeting public cloud environments.
## Detection Methods
- **Signature-based detection:** Limited, as legitimate AWS APIs are used. Detection relies heavily on behavioral anomaly monitoring.
- **Behavioral detection:** Monitoring for anomalous API call patterns indicative of setup (DryRun testing, quota checks) and modification (disabling termination). Amazon GuardDuty detected this operation.
- **YARA rules:** N/A (Cloud API-centric attack).
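The behavioral indicators and detection methods above can be expressed as a small set of rules over CloudTrail records. The following is an added example (not code from the report, from AWS, or from GuardDuty) that runs four such rules over constructed sample records: a service-quota check followed by a `DryRun` `RunInstances` probe from the same access key, `disableApiTermination` being set, a Function URL created with `authType` `NONE`, and a burst of ECS `CreateCluster` calls. Assumptions, to be verified against real trail data: the DryRun error code `Client.DryRunOperation`, the nesting of `requestParameters` for each API, and the sample access-key IDs, instance IDs and function names, which are all constructed.

```python
"""Behavioural detection for the cryptomining pattern described above, run over
constructed CloudTrail records. Added example; not code from the report.
Assumed (verify against real records): the DryRun error code
"Client.DryRunOperation" and the requestParameters shapes used below."""
from collections import defaultdict
from datetime import datetime, timezone

WINDOW_SECONDS = 600      # the report's "within 10 minutes"
CLUSTER_THRESHOLD = 10    # well below the "sometimes exceeding 50" seen in the campaign

BAD_KEY, GOOD_KEY = "AKIAEXAMPLECOMPROMISED", "AKIAEXAMPLEADMIN"   # constructed IDs


def _event(ts, source, name, key, params=None, error=None):
    """Build a minimal CloudTrail-shaped record (constructed sample data)."""
    ev = {"eventTime": ts, "eventSource": source, "eventName": name,
          "userIdentity": {"accessKeyId": key}, "requestParameters": params or {}}
    if error:
        ev["errorCode"] = error
    return ev


def sample_events():
    """Constructed trail: the compromised key walks the whole pattern; the admin
    key does ordinary work (a lone DryRun, one cluster, an IAM-authenticated URL)."""
    evs = [
        _event("2025-11-02T10:00:01Z", "servicequotas.amazonaws.com", "GetServiceQuota",
               BAD_KEY, {"serviceCode": "ec2", "quotaCode": "L-EXAMPLE"}),
        _event("2025-11-02T10:00:05Z", "ec2.amazonaws.com", "RunInstances", BAD_KEY,
               {"dryRun": True, "instanceType": "c5.4xlarge"}, error="Client.DryRunOperation"),
        _event("2025-11-02T10:01:10Z", "ec2.amazonaws.com", "RunInstances", BAD_KEY,
               {"instanceType": "c5.4xlarge", "maxCount": 20}),
        _event("2025-11-02T10:02:00Z", "ec2.amazonaws.com", "ModifyInstanceAttribute", BAD_KEY,
               {"instanceId": "i-0example1", "disableApiTermination": {"value": True}}),
        _event("2025-11-02T10:03:00Z", "lambda.amazonaws.com", "CreateFunctionUrlConfig", BAD_KEY,
               {"functionName": "example-fn", "authType": "NONE"}),
        _event("2025-11-02T09:30:00Z", "ec2.amazonaws.com", "RunInstances", GOOD_KEY,
               {"dryRun": True}, error="Client.DryRunOperation"),
        _event("2025-11-02T09:31:00Z", "lambda.amazonaws.com", "CreateFunctionUrlConfig", GOOD_KEY,
               {"functionName": "internal-api", "authType": "AWS_IAM"}),
        _event("2025-11-02T09:32:00Z", "ecs.amazonaws.com", "CreateCluster", GOOD_KEY,
               {"clusterName": "prod-web"}),
    ]
    for i in range(12):   # twelve ECS clusters inside one minute from the compromised key
        evs.append(_event(f"2025-11-02T10:04:{i * 5:02d}Z", "ecs.amazonaws.com",
                          "CreateCluster", BAD_KEY, {"clusterName": f"cl-{i}"}))
    return evs


def _t(ev):
    return datetime.strptime(ev["eventTime"], "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def _within(a, b, seconds):
    return 0 <= (b - a).total_seconds() <= seconds


def detect(events, window=WINDOW_SECONDS, cluster_threshold=CLUSTER_THRESHOLD):
    """Return one finding dict per (rule, access key) that fires."""
    findings = []
    by_key = defaultdict(list)
    for ev in sorted(events, key=_t):
        by_key[ev["userIdentity"].get("accessKeyId", "unknown")].append(ev)

    for key, evs in by_key.items():
        quota_times = [_t(e) for e in evs
                       if e["eventName"] in ("GetServiceQuota", "ListServiceQuotas")]
        clusters = []
        for e in evs:
            name, rp = e["eventName"], e.get("requestParameters", {})
            # Rule 1: capacity enumeration followed by a cost-free privilege probe.
            if (name == "RunInstances" and e.get("errorCode") == "Client.DryRunOperation"
                    and any(_within(q, _t(e), window) for q in quota_times)):
                findings.append({"rule": "quota_check_then_dryrun", "accessKeyId": key})
                quota_times = []            # report once per key
            # Rule 2: termination protection switched on (the report's persistence step).
            elif name == "ModifyInstanceAttribute" and \
                    rp.get("disableApiTermination", {}).get("value") is True:
                findings.append({"rule": "disable_api_termination", "accessKeyId": key,
                                 "instanceId": rp.get("instanceId")})
            # Rule 3: Function URL with no authentication (the access-maintenance step).
            elif name in ("CreateFunctionUrlConfig", "UpdateFunctionUrlConfig") \
                    and rp.get("authType") == "NONE":
                findings.append({"rule": "public_lambda_url_no_auth", "accessKeyId": key,
                                 "functionName": rp.get("functionName")})
            # Rule 4: sliding-window burst of ECS cluster creation.
            elif e["eventSource"] == "ecs.amazonaws.com" and name == "CreateCluster":
                clusters.append(_t(e))
                recent = [t for t in clusters if _within(t, clusters[-1], window)]
                if len(recent) == cluster_threshold:     # fire once, when the threshold is crossed
                    findings.append({"rule": "ecs_cluster_burst", "accessKeyId": key,
                                     "count": cluster_threshold})
    return findings


if __name__ == "__main__":
    for finding in detect(sample_events()):
        print(finding)
```

Rule 1 is the one worth keying on the access key rather than the account: a single `DryRun` call is routine for administrators and IaC tooling, so the signal is the quota enumeration immediately followed by the probe from the same principal. Rules 2 and 3 are each a single high-confidence event and need no window; on real data, the `CreateFunctionUrlConfig` finding should also carry the function's resource policy, since a URL with `authType` `NONE` is only reachable once `lambda:InvokeFunctionUrl` is granted to `*`.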
## Mitigation Strategies
- **IAM Best Practices:** Enforce the principle of least privilege for all IAM users and roles.
- **Credential Management:** Use temporary credentials instead of long-term access keys whenever possible.
- **Authentication:** Strictly enforce Multi-Factor Authentication (MFA) for all users.
- **Service Control Policies (SCPs):** Implement SCPs that deny critical actions such as disabling API termination, and that limit where and how compute resources can be deployed.
- **Monitoring/Alerting:** Configure alerts for high-volume API calls, changes to instance attributes (especially termination settings), and the creation of publicly exposed Lambda Function URLs without proper authorization.
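One concrete shape for the SCP guardrail listed above, as an added example rather than policy text from the report or from AWS: two `Deny` statements, one for `ec2:ModifyInstanceAttribute` when the attribute being changed is `DisableApiTermination`, and one for creating or updating a Function URL whose auth type is `NONE`. The policy is built as a Python dict so it can be dumped as JSON and also run through a deliberately small model of SCP `Deny` evaluation (action wildcard match plus `StringEquals`/`Bool` conditions), which is my own simplification and not IAM's evaluator. The condition keys `ec2:Attribute/DisableApiTermination` and `lambda:FunctionUrlAuthType` are taken from the AWS condition-key documentation as I recall it; confirm both in the IAM Service Authorization Reference before attaching the policy.

```python
"""SCP guardrail for the two persistence actions in the report, plus a minimal
evaluator showing which API calls it would deny. Added example; not from the
report. Condition keys are assumed from AWS docs and should be verified."""
import fnmatch
import json

GUARDRAIL_SCP = {
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "DenyDisableApiTermination",
            "Effect": "Deny",
            "Action": "ec2:ModifyInstanceAttribute",
            "Resource": "*",
            # Assumed key name; AWS documents ec2:Attribute/${AttributeName}.
            "Condition": {"Bool": {"ec2:Attribute/DisableApiTermination": "true"}},
        },
        {
            "Sid": "DenyUnauthenticatedFunctionUrls",
            "Effect": "Deny",
            "Action": ["lambda:CreateFunctionUrlConfig", "lambda:UpdateFunctionUrlConfig"],
            "Resource": "*",
            "Condition": {"StringEquals": {"lambda:FunctionUrlAuthType": "NONE"}},
        },
    ],
}


def scp_json():
    """The policy document as it would be pasted into AWS Organizations."""
    return json.dumps(GUARDRAIL_SCP, indent=2)


def _conditions_match(condition, context):
    """Simplified condition evaluation: every key in every operator must match.
    A key missing from the request context means the condition is not met,
    so the Deny does not apply (matching IAM's behaviour for these operators)."""
    for operator, pairs in condition.items():
        for key, expected in pairs.items():
            actual = context.get(key)
            if actual is None:
                return False
            expected_list = expected if isinstance(expected, list) else [expected]
            if operator == "StringEquals":          # case-sensitive exact match
                if str(actual) not in [str(e) for e in expected_list]:
                    return False
            elif operator == "Bool":                # "true"/"false", case-insensitive
                if str(actual).lower() not in [str(e).lower() for e in expected_list]:
                    return False
            else:
                raise ValueError(f"operator {operator!r} not modelled here")
    return True


def scp_denies(policy, action, context):
    """Return the Sid of the first Deny statement that matches, else None.
    SCPs only restrict: an explicit Deny wins regardless of IAM allows."""
    for stmt in policy["Statement"]:
        if stmt.get("Effect") != "Deny":
            continue
        patterns = stmt["Action"] if isinstance(stmt["Action"], list) else [stmt["Action"]]
        if not any(fnmatch.fnmatchcase(action, pat) for pat in patterns):
            continue
        if _conditions_match(stmt.get("Condition", {}), context):
            return stmt["Sid"]
    return None


if __name__ == "__main__":
    print(scp_json())
    # Constructed request contexts: the two abusive calls and two benign ones.
    checks = [
        ("ec2:ModifyInstanceAttribute", {"ec2:Attribute/DisableApiTermination": "true"}),
        ("ec2:ModifyInstanceAttribute", {"ec2:Attribute/InstanceType": "t3.large"}),
        ("lambda:CreateFunctionUrlConfig", {"lambda:FunctionUrlAuthType": "NONE"}),
        ("lambda:CreateFunctionUrlConfig", {"lambda:FunctionUrlAuthType": "AWS_IAM"}),
    ]
    for action, ctx in checks:
        print(f"{action} {ctx} -> denied by {scp_denies(GUARDRAIL_SCP, action, ctx)}")
```

Because the conditions are scoped to the abusive parameter values, administrators can still change other instance attributes and still create IAM-authenticated Function URLs; the SCP removes only the two settings the campaign depends on. Attach it at the organizational-unit level so that a compromised "admin-like" key inside a member account cannot lift it.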
## Related Tools/Techniques
- Standard cryptomining malware (e.g., XMRig) deployed via legitimate cloud mechanisms.
- Use of compromised Service Accounts or IAM Roles instead of traditional user credentials.
- Similar persistence techniques seen in other cloud threat actor groups attempting to secure their foothold for C2 or resource hijacking.