Cybersecurity

Compromised Iam Credentials Power A Large Aws Crypto Mining Campaign

2025-12-16 0 views admin
Compromised Iam Credentials Power A Large Aws Crypto Mining Campaign

An ongoing campaign has been observed targeting Amazon Web Services (AWS) customers using compromised Identity and Access Management (IAM) credentials to enable cryptocurrency mining.

The activity, first detected by Amazon's GuardDuty managed threat detection service and its automated security monitoring systems on November 2, 2025, employs never-before-seen persistence techniques to hamper incident response and continue unimpeded, according to a new report shared by the tech giant ahead of publication.

"Operating from an external hosting provider, the threat actor quickly enumerated resources and permissions before deploying crypto mining resources across ECS and EC2," Amazon said. "Within 10 minutes of the threat actor gaining initial access, crypto miners were operational."

The multi-stage attack chain essentially begins with the unknown adversary leveraging compromised IAM user credentials with admin-like privileges to initiate a discovery phase designed to probe the environment for EC2 service quotas and test their permissions by invoking the RunInstances API with the "DryRun" flag set.

This enabling of the "DryRun" flag is crucial and intentional as it enables the attackers to validate their IAM permissions without actually launching instances, thereby avoiding racking up costs and minimizing their forensic trail. The end goal of the step is to determine if the target infrastructure is suitable for deploying the miner program.

The infection proceeds to the next stage when the threat actor calls CreateServiceLinkedRole and CreateRole to create IAM roles for autoscaling groups and AWS Lambda, respectively. Once the roles are created, the "AWSLambdaBasicExecutionRole" policy is attached to the Lambda role.

In the activity observed to date, the threat actor is said to have created dozens of ECS clusters across the environment, in some cases exceeding 50 ECS clusters in a single attack.

"They then called RegisterTaskDefinition with a malicious DockerHub image yenik65958/secret:user," Amazon said. "With the same string used for the cluster creation, the actor then created a service, using the task definition to initiate crypto mining on ECS Fargate nodes."

The DockerHub image, which has since been taken down, is configured to run a shell script as soon as it's deployed to launch cryptocurrency mining using the RandomVIREL mining algorithm. Additionally, the threat actor has been observed creating autoscaling groups that are set to scale from 20 to

Source: The Hacker News

🏷️ Tags

securityattackthreat

More from Cybersecurity

Cyber: Phishing Campaign Targets Freight And Logistics Orgs In The Us, Europe

Cyber: Phishing Campaign Targets Freight And Logistics Orgs In The Us, Europe

2026-02-24 0
Cyber: Wynn Resorts Confirms Employee Data Breach After Extortion Threat

Cyber: Wynn Resorts Confirms Employee Data Breach After Extortion Threat

2026-02-24 0
Cyber: 1campaign Platform Helps Malicious Google Ads Evade Detection

Cyber: 1campaign Platform Helps Malicious Google Ads Evade Detection

2026-02-24 0
Cyber: New Attackers Now Need Just 29 Minutes To Own A Network 2026

Cyber: New Attackers Now Need Just 29 Minutes To Own A Network 2026

2026-02-24 0

Trending

1

CVE-2025-61481: Critical Remote Code Execution Vulnerability in MikroTik RouterOS & SwitchOS

2025-10-27 • 189 views
2

CVE-2025-43939: Dell Unity OS Command Injection (High)

2025-10-30 • 148 views
3

Google disputes false claims of massive Gmail data breach

2025-10-30 • 130 views
4

Microsoft: DNS outage impacts Azure and Microsoft 365 services

2025-10-30 • 88 views
5

3.5B Accounts, 1 Critical Flaw: Meta Closes WhatsApp Data-Harvesting

2025-11-25 • 81 views