Full Report
Datadog observed an attacker leveraging a compromised IAM user access key to gain initial access to an AWS environment, at which point they immediately began spinning up hundreds of ECS Fargate clusters, within which they created ECS task definitions to launch containers based...
Analysis Summary
# Incident Report: AWS ECS Fargate Cryptojacking Campaign
## Executive Summary
An attacker gained initial access to an AWS environment using a compromised IAM user access key. Upon gaining entry, the threat actor immediately launched a large-scale cryptojacking operation by deploying hundreds of ECS Fargate clusters and thousands of malicious containers running XMRig. The incident highlights the risk associated with exposed credentials leading directly to resource exploitation.
## Incident Details
- Discovery Date: January 19, 2024 (based on observation date/report publication)
- Incident Date: Unknown (Occurred around or before Jan 19, 2024)
- Affected Organization: Unknown (Observed by Datadog)
- Sector: Cloud Computing/Technology Services
- Geography: Unknown (AWS Environment)
## Timeline of Events
### Initial Access
- Date/Time: Unknown
- Vector: Compromised IAM User Access Key
- Details: Attacker leveraged valid, exposed IAM user access key credentials to authenticate to the AWS environment.
### Lateral Movement
- Date/Time: Immediately following access
- Vector: AWS Service API Calls (ECS/Fargate)
- Details: The attacker immediately began provisioning infrastructure by spinning up hundreds of ECS Fargate clusters. Within these clusters, they created custom ECS task definitions pointing to malicious public Docker Hub images.
### Data Exfiltration/Impact
- Date/Time: During container execution
- Vector: Resource Hijacking (Cryptomining)
- Details: The primary impact was the unauthorized use of the victim's compute resources to mine Monero (XMRig). The attacker successfully launched thousands of mining containers.
### Detection & Response
- Date/Time: Observed by Datadog systems
- Details: The activity was observed and reported by Datadog security researchers. (Specific organizational response actions were not detailed in the provided context.)
## Attack Methodology
- Initial Access: Compromised IAM User Access Key
- Persistence: Not explicitly detailed, but likely relied on the active, standing IAM key or subsequent privilege/resource creation.
- Privilege Escalation: Not explicitly detailed, but the initial key provided adequate permissions to modify and provision ECS resources.
- Defense Evasion: Using legitimate AWS services (ECS Fargate) for malicious activity.
- Credential Access: Compromised IAM access key.
- Discovery: Not explicitly detailed, but the swift resource provisioning suggests the attacker knew which services (ECS) to target.
- Lateral Movement: Movement across the victim's environment via successive AWS API calls leveraging the initial credentials.
- Collection: N/A (Focus was on resource utilization, not data theft).
- Exfiltration: N/A (Cryptocurrency funds are the resulting asset, not user data).
- Impact: Cloud compute cryptojacking via resource hijacking.
## Impact Assessment
- Financial: Significant consumption of AWS Fargate compute resources, leading to unexpected and high billing costs for the victim organization.
- Data Breach: No indication of sensitive data exfiltration.
- Operational: Potential performance degradation or resource unavailability due to the thousands of running tasks consuming allocated capacity.
- Reputational: Potential impact if the incident were made public or impacted customer-facing services.
## Indicators of Compromise
- Behavioral indicators: Rapid provisioning of hundreds of ECS Fargate clusters; creation of numerous ECS Task Definitions referencing unknown public container images; consistent execution of cryptomining payloads (XMRig) within containers.
- Network indicators: Outbound connections from Fargate tasks to known Monero mining pools (the specific IPs/URLs are defanged and not listed in this summary).
- File indicators: Presence of containers executing the XMRig binary.
## Response Actions
(Note: Specific actions taken by the victim organization are not detailed in the input context. Generic steps based on discovery are listed.)
- Containment measures: Disabling or revoking the compromised IAM user access key credentials immediately.
- Eradication steps: Terminating all unauthorized ECS services, tasks, and clusters deployed by the attacker. Scanning environment for other potential persistence mechanisms.
- Recovery actions: Auditing IAM policies to ensure least privilege was enforced for the user associated with the compromised key.
## Lessons Learned
- Exposed credentials (even seemingly low-privileged ones) can lead to immediate and severe resource compromise if they allow for resource provisioning (e.g., launching EC2/Fargate).
- The reliance on public Docker images for initial container deployment is a common pivot point in cloud compromise scenarios.
## Recommendations
- Implement mandatory credential rotation policies for all IAM access keys.
- Enforce Multi-Factor Authentication (MFA) on all IAM users, especially those with API access.
- Apply stricter resource quotas and anomaly detection on resource creation APIs (like ECS RunTask/CreateService) to flag sudden bursts in provisioning activity.
- Utilize scanning tools to vet all container images referenced in Task Definitions before they are allowed to run in production environments.
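The behavioral indicators above (a burst of ECS cluster/task-definition/task creation from one access key) and the last two recommendations (anomaly detection on ECS provisioning APIs, vetting images referenced in task definitions) can both be checked against CloudTrail. The following Python is an added example, not code from the Datadog report or the victim environment: the CloudTrail records are constructed inline, the access key ids are the placeholder ids from the AWS documentation, the ECR registry uses the documentation example account id, and the five-minute window, the threshold of 20 calls and the trusted-registry allowlist are assumptions a defender would tune for their own account.

```python
"""Flag ECS Fargate provisioning bursts and untrusted container images in CloudTrail events.

Added example; the events, keys, thresholds and allowlist below are constructed
or assumed and do not come from the incident report.
"""
from collections import defaultdict
from datetime import datetime, timedelta, timezone

# ECS control-plane calls that provision compute. A burst of these from a single
# access key is the behavioural indicator described in the report.
PROVISIONING_EVENTS = {"CreateCluster", "RegisterTaskDefinition", "RunTask", "CreateService"}

# Assumed allowlist: task definitions may only reference images from these registries.
# The hostname uses the AWS documentation example account id, not a real account.
TRUSTED_IMAGE_PREFIXES = ("123456789012.dkr.ecr.us-east-1.amazonaws.com/",)

TIME_FMT = "%Y-%m-%dT%H:%M:%SZ"  # CloudTrail eventTime format (UTC, trailing Z)


def parse_time(ts):
    return datetime.strptime(ts, TIME_FMT).replace(tzinfo=timezone.utc)


def access_key_of(event):
    return event.get("userIdentity", {}).get("accessKeyId", "<unknown>")


def find_provisioning_bursts(events, window=timedelta(minutes=5), threshold=20):
    """Return {accessKeyId: peak count} for keys whose ECS provisioning calls reach
    `threshold` inside any sliding interval of length `window`."""
    times = defaultdict(list)
    for ev in events:
        if ev.get("eventSource") == "ecs.amazonaws.com" and ev.get("eventName") in PROVISIONING_EVENTS:
            times[access_key_of(ev)].append(parse_time(ev["eventTime"]))
    bursts = {}
    for key, ts in times.items():
        ts.sort()
        peak, j = 0, 0
        for i in range(len(ts)):          # two-pointer sliding window over sorted timestamps
            while j < len(ts) and ts[j] - ts[i] <= window:
                j += 1
            peak = max(peak, j - i)
        if peak >= threshold:
            bursts[key] = peak
    return bursts


def find_untrusted_images(events):
    """Return (task definition family, image) pairs from RegisterTaskDefinition calls
    whose container image is outside the trusted registries."""
    findings = []
    for ev in events:
        if ev.get("eventName") != "RegisterTaskDefinition":
            continue
        params = ev.get("requestParameters", {})
        for cdef in params.get("containerDefinitions", []):
            image = cdef.get("image", "")
            if not image.startswith(TRUSTED_IMAGE_PREFIXES):
                findings.append((params.get("family", "<unknown>"), image))
    return findings


# ---- constructed sample CloudTrail records (not from the report) ----
def _event(name, key, when, params=None):
    return {
        "eventSource": "ecs.amazonaws.com",
        "eventName": name,
        "eventTime": when.strftime(TIME_FMT),
        "userIdentity": {"type": "IAMUser", "accessKeyId": key},
        "requestParameters": params or {},
    }


T0 = datetime(2024, 1, 19, 3, 0, 0, tzinfo=timezone.utc)
ATTACKER_KEY = "AKIAIOSFODNN7EXAMPLE"  # AWS documentation placeholder key id
DEPLOY_KEY = "AKIAI44QH8DHBEXAMPLE"    # second documentation placeholder key id

SAMPLE_EVENTS = []
# Routine deployments: one task definition and one service per hour from the CI key.
for h in range(3):
    SAMPLE_EVENTS.append(_event("RegisterTaskDefinition", DEPLOY_KEY, T0 + timedelta(hours=h),
        {"family": "web", "containerDefinitions": [
            {"image": "123456789012.dkr.ecr.us-east-1.amazonaws.com/web:42"}]}))
    SAMPLE_EVENTS.append(_event("CreateService", DEPLOY_KEY, T0 + timedelta(hours=h, minutes=1)))
# Burst: 25 CreateCluster + 25 RunTask calls within 75 seconds from the stolen key,
# plus one task definition pointing at an arbitrary public registry image.
for n in range(25):
    SAMPLE_EVENTS.append(_event("CreateCluster", ATTACKER_KEY, T0 + timedelta(seconds=3 * n)))
    SAMPLE_EVENTS.append(_event("RunTask", ATTACKER_KEY, T0 + timedelta(seconds=3 * n + 1)))
SAMPLE_EVENTS.append(_event("RegisterTaskDefinition", ATTACKER_KEY, T0 + timedelta(seconds=2),
    {"family": "worker", "containerDefinitions": [
        {"image": "docker.io/untrusted-example/worker:latest"}]}))

if __name__ == "__main__":
    print("provisioning bursts:", find_provisioning_bursts(SAMPLE_EVENTS))
    print("untrusted images:", find_untrusted_images(SAMPLE_EVENTS))
```

Run against real CloudTrail data, the same two functions take the parsed `Records` array of a CloudTrail log file; the burst detector keys on `accessKeyId` rather than on user name so that a single stolen key stands out even when the user has several keys, and the image check fires at registration time, before any task from that definition is launched.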