Amazon Web Services Targeted in Sophisticated Crypto Mining Campaign
A concerning trend has emerged as a new campaign targets Amazon Web Services (AWS) customers, utilizing compromised Identity and Access Management (IAM) credentials to facilitate illicit cryptocurrency mining operations.
Initial Detection by Amazon GuardDuty
This malicious activity was first identified on November 2, 2025, by Amazon’s GuardDuty service, which specializes in threat detection and security monitoring. Amazon’s preliminary analysis indicates that the attackers employed innovative persistence techniques aimed at undermining incident response efforts and ensuring uninterrupted mining activities.
How the Attack Operates
According to Amazon, the threat actor operated from an external hosting provider, swiftly gathering information about available resources and permissions. Within a mere ten minutes of gaining access, they launched crypto miners on both Elastic Container Service (ECS) and Elastic Compute Cloud (EC2) platforms.
The attack begins with adversaries using compromised IAM user credentials that appear to hold administrative privileges to enter a discovery phase. In this phase, they assess the target environment's EC2 service quotas and validate permissions by calling the RunInstances API with the "DryRun" flag. Because a DryRun call only checks authorization and launches nothing, the probe incurs no cost and draws less attention than real launches would.
Progressing Through the Attack Stages
Once initial access is secured, the attacker escalates by calling CreateServiceLinkedRole and CreateRole to create IAM roles tailored for autoscaling groups and AWS Lambda functions. They then attach the "AWSLambdaBasicExecutionRole" policy to the newly created Lambda role.
Evidence suggests that the attackers established numerous ECS clusters during this operation; in one reported case, more than 50 ECS clusters were created in a single intrusion. They used RegisterTaskDefinition to deploy a malicious DockerHub image (since removed), which starts cryptocurrency mining through a shell script as soon as the task runs.
Scaling the Attack
This DockerHub image mines using the RandomVIREL algorithm. To maximize resource consumption, the attackers configured autoscaling groups that could grow from 20 to as many as 999 instances. Targeted instance types included high-performance GPU and machine learning instances as well as standard compute, memory, and general-purpose instances.
Preventing Incident Response
A distinctive aspect of this campaign is the use of the ModifyInstanceAttribute action with the "disableApiTermination" parameter set to True. Termination protection blocks instance termination through the AWS EC2 console, command line, and API alike. As a result, victims must first turn termination protection back off (setting disableApiTermination to false) before they can delete the affected resources, which complicates incident response.
Amazon highlighted that such termination protection capabilities can significantly hinder remediation processes and may interfere with automated security responses. This advanced technique demonstrates that the attackers possess a firm understanding of typical security procedures, aiming to prolong their mining operations.
Recent Research Findings
This technique isn't entirely new; in April 2024, security researcher Harsha Koushik published a proof-of-concept showing how the ModifyInstanceAttribute action could be abused to compromise instances, extract instance role credentials, and even take over entire AWS accounts.
Furthermore, part of the attack mechanism involved the creation of a Lambda function that can be triggered by any entity, alongside an IAM user titled “user-x1x2x3x4,” which has the “AmazonSESFullAccess” policy attached. This grants attackers comprehensive access to the Amazon Simple Email Service (SES), likely facilitating phishing attacks.
Recommended Security Measures
In response to these threats, Amazon has urged AWS customers to adopt several precautionary measures:
- Strengthen identity and access management protocols
- Use temporary credentials instead of long-term access keys
- Implement multi-factor authentication (MFA) for all users
- Apply the principle of least privilege (PoLP) to restrict IAM principal access
- Introduce container security measures to screen for suspicious images
- Monitor unusual CPU allocation requests within ECS task definitions
- Activate AWS CloudTrail for comprehensive event logging across services
- Ensure AWS GuardDuty is enabled for streamlined automated response workflows
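Several of the actions described above leave distinctive CloudTrail records. The following is an added example, not Amazon's guidance or code, that runs the corresponding detection rules over a handful of constructed sample events: the field layout follows CloudTrail's (`eventName`, `userIdentity.arn`, `requestParameters`, `errorCode`), while the principal ARN, instance and role names, and the thresholds are made up for illustration.

```python
from collections import Counter

# Constructed sample CloudTrail records (not real logs), trimmed to the fields
# the rules read. "user/app-deploy" is a hypothetical compromised IAM user.
ACTOR = "arn:aws:iam::111122223333:user/app-deploy"
SAMPLE_EVENTS = [
    {"eventName": "RunInstances", "errorCode": "Client.DryRunOperation",
     "userIdentity": {"arn": ACTOR}, "requestParameters": {"dryRun": True}},
    {"eventName": "ModifyInstanceAttribute", "userIdentity": {"arn": ACTOR},
     "requestParameters": {"instanceId": "i-0123456789abcdef0",
                           "disableApiTermination": {"value": True}}},
    {"eventName": "RegisterTaskDefinition", "userIdentity": {"arn": ACTOR},
     "requestParameters": {"family": "miner", "cpu": "16384"}},
    {"eventName": "AttachRolePolicy", "userIdentity": {"arn": ACTOR},
     "requestParameters": {"roleName": "lambda-x",
                           "policyArn": "arn:aws:iam::aws:policy/AmazonSESFullAccess"}},
    {"eventName": "RegisterTaskDefinition",                 # benign baseline
     "userIdentity": {"arn": "arn:aws:iam::111122223333:role/ci"},
     "requestParameters": {"family": "web", "cpu": "512"}},
] + [{"eventName": "CreateCluster", "userIdentity": {"arn": ACTOR},
      "requestParameters": {"clusterName": f"c{i}"}} for i in range(12)]

CLUSTER_BURST = 10    # CreateCluster calls per principal that warrant review
CPU_UNITS_MAX = 4096  # ECS task CPU units (1024 = one vCPU) above what we expect

def analyze(events):
    """Return (rule, principal, detail) findings for the patterns described above."""
    findings, clusters = [], Counter()
    for ev in events:
        who = ev.get("userIdentity", {}).get("arn", "?")
        name, req = ev.get("eventName"), ev.get("requestParameters") or {}
        # DryRun RunInstances launches nothing but is still logged (DryRunOperation error).
        if name == "RunInstances" and (req.get("dryRun")
                                       or ev.get("errorCode") == "Client.DryRunOperation"):
            findings.append(("dry-run-probe", who, ""))
        # Termination protection switched on: blocks later cleanup.
        elif (name == "ModifyInstanceAttribute"
              and (req.get("disableApiTermination") or {}).get("value") is True):
            findings.append(("termination-protection", who, req.get("instanceId", "")))
        # Oversized ECS task definitions: the miner asks for every CPU unit.
        elif name == "RegisterTaskDefinition" and int(req.get("cpu", 0)) >= CPU_UNITS_MAX:
            findings.append(("large-task-cpu", who, req.get("family", "")))
        # Broad SES rights attached to a role: phishing capability.
        elif name == "AttachRolePolicy" and req.get("policyArn", "").endswith("/AmazonSESFullAccess"):
            findings.append(("ses-full-access", who, req.get("roleName", "")))
        elif name == "CreateCluster":
            clusters[who] += 1
    findings += [("cluster-burst", who, str(n)) for who, n in clusters.items() if n >= CLUSTER_BURST]
    return findings
```

Real CloudTrail log files wrap events in a top-level `Records` list, so feed `analyze(json.load(f)["Records"])` when pointing this at exported logs.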
Amazon emphasized that the attackers’ skillful use of various compute services, combined with their innovative persistence strategies, marks a significant escalation in cryptocurrency mining attack techniques.