Massive AWS Crypto Mining Operation Exploits Compromised IAM Credentials
A sophisticated campaign has been identified that targets Amazon Web Services (AWS) customers by exploiting compromised Identity and Access Management (IAM) credentials to deploy large-scale cryptocurrency mining operations. First detected on November 2, 2025, by Amazon GuardDuty, AWS's managed threat detection service, the campaign relies on advanced persistence techniques to evade detection and keep the mining running.
Initial Access and Discovery Phase
The attackers gained initial access by leveraging IAM user credentials with administrative privileges. They initiated a discovery phase to assess the environment’s Elastic Compute Cloud (EC2) service quotas and validate their permissions. This was achieved by invoking the `RunInstances` API with the `DryRun` parameter set to `True`, allowing them to test their capabilities without actually launching instances, thereby avoiding immediate detection and costs.
Establishing Persistence
To establish a foothold, the adversaries created IAM roles for autoscaling groups and AWS Lambda functions. They utilized the `CreateServiceLinkedRole` and `CreateRole` APIs to set up these roles, attaching the `AWSLambdaBasicExecutionRole` policy to the Lambda role. This setup facilitated the deployment of malicious resources within the AWS environment.
Deployment of Crypto Mining Operations
The attackers proceeded to create numerous Elastic Container Service (ECS) clusters—sometimes exceeding 50 clusters in a single attack. They registered task definitions using a malicious Docker image (`yenik65958/secret:user`) sourced from DockerHub. This image was configured to execute a shell script upon deployment, initiating cryptocurrency mining operations using the RandomVIREL algorithm.
To maximize resource utilization, the attackers created autoscaling groups configured to scale from 20 up to 999 instances, exploiting EC2 service quotas. They targeted high-performance GPU and machine learning instances, as well as compute, memory, and general-purpose instances, to optimize mining efficiency.
Evasion and Persistence Techniques
A notable aspect of this campaign is the use of the `ModifyInstanceAttribute` API with the `disableApiTermination` attribute set to `True`, which turns on EC2 termination protection. This prevents the instances from being terminated via the AWS Management Console, command-line interface, or API, complicating incident response. Victims must first re-enable API termination on each affected instance before they can delete it, which prolongs the attackers' mining operations. Where the instances were launched by the attackers' autoscaling groups, responders also need to scale those groups to zero or delete them before terminating instances; otherwise the group simply launches replacements.
Broader Implications and Related Incidents
This incident underscores a growing trend of cybercriminals exploiting compromised IAM credentials to infiltrate cloud environments. Similar tactics have been observed in other campaigns:
– EleKtra-Leak Campaign: Active since at least December 2020, this campaign targeted exposed AWS IAM credentials within public GitHub repositories to facilitate cryptojacking activities. The attackers automated the detection of exposed credentials, launching mining operations within minutes of exposure. They created multiple EC2 instances to mine Monero, demonstrating the rapid exploitation capabilities of threat actors. ([thehackernews.com](https://thehackernews.com/2023/10/elektra-leak-cryptojacking-attacks.html?utm_source=openai))
– Exploitation of Public .env Files: In August 2024, attackers exploited publicly accessible environment variable files (.env) containing credentials for cloud and social media applications. They used these credentials to breach cloud accounts, exfiltrate data, and demand ransoms. The attackers set up infrastructure within the compromised AWS environments to scan for sensitive data, affecting over 110,000 domains and collecting thousands of credentials. ([thehackernews.com](https://thehackernews.com/2024/08/attackers-exploit-public-env-files-to.html?utm_source=openai))
– Credential Stuffing Attacks: In May 2024, Okta reported a surge in credential stuffing attacks targeting its Customer Identity Cloud. Threat actors utilized previously stolen credentials to gain unauthorized access to user accounts, highlighting the persistent threat of credential-based attacks in cloud environments. ([thehackernews.com](https://thehackernews.com/2024/05/okta-warns-of-credential-stuffing.html?utm_source=openai))
Mitigation Strategies
To defend against such sophisticated attacks, organizations should implement the following measures:
1. Regular Credential Audits: Conduct periodic reviews of IAM credentials to identify and revoke unnecessary or overly permissive access rights.
2. Implement Multi-Factor Authentication (MFA): Enforce MFA for all IAM users to add an additional layer of security beyond passwords.
3. Monitor for Anomalous Activity: Utilize monitoring tools like AWS CloudTrail to detect unusual API calls, such as unexpected `RunInstances` or `CreateRole` activities.
4. Restrict IAM Permissions: Apply the principle of least privilege by granting IAM users only the permissions necessary for their roles.
5. Secure Sensitive Files: Ensure that environment variable files and other sensitive configuration files are not publicly accessible and are stored securely.
6. Educate Employees: Provide training on the risks of credential exposure and best practices for securing access keys and other sensitive information.
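As an added illustration of item 3, the following Python script (not code from the original article or from AWS) scans a batch of CloudTrail events for the API sequence this campaign used and groups the indicators by calling identity, so a single identity that probes with `DryRun`, creates roles, registers an untrusted ECS image, creates an oversized autoscaling group and enables termination protection surfaces as one alert. The sample events, the trusted registry prefix and the autoscaling size ceiling are constructed assumptions.

```python
from collections import defaultdict

# Constructed sample CloudTrail records mirroring the API sequence described above
# (not real logs from the incident). Field layout assumed from CloudTrail's EC2/ECS/ASG records.
SAMPLE_EVENTS = [
    {"eventName": "RunInstances", "userIdentity": {"arn": "arn:aws:iam::111122223333:user/ci"},
     "requestParameters": {"dryRun": True}, "errorCode": "Client.DryRunOperation"},
    {"eventName": "CreateRole", "userIdentity": {"arn": "arn:aws:iam::111122223333:user/ci"},
     "requestParameters": {"roleName": "lambda-exec-role"}},
    {"eventName": "RegisterTaskDefinition", "userIdentity": {"arn": "arn:aws:iam::111122223333:user/ci"},
     "requestParameters": {"containerDefinitions": [{"image": "yenik65958/secret:user"}]}},
    {"eventName": "CreateAutoScalingGroup", "userIdentity": {"arn": "arn:aws:iam::111122223333:user/ci"},
     "requestParameters": {"minSize": 20, "maxSize": 999}},
    {"eventName": "ModifyInstanceAttribute", "userIdentity": {"arn": "arn:aws:iam::111122223333:user/ci"},
     "requestParameters": {"instanceId": "i-0123456789abcdef0",
                           "disableApiTermination": {"value": True}}},
    {"eventName": "DescribeInstances", "userIdentity": {"arn": "arn:aws:iam::111122223333:user/ops"},
     "requestParameters": {}},
]

TRUSTED_REGISTRY_PREFIXES = ("111122223333.dkr.ecr.",)  # assumption: only the account's own ECR is trusted
MAX_EXPECTED_ASG_SIZE = 50                               # assumption: organisation-specific ceiling

def classify(event):
    """Return the indicator names a single event matches (possibly none)."""
    name = event.get("eventName")
    params = event.get("requestParameters") or {}
    hits = []
    if name == "RunInstances" and params.get("dryRun") is True:
        hits.append("ec2_dryrun_probe")            # permission/quota probing without launching
    if name in ("CreateRole", "CreateServiceLinkedRole"):
        hits.append("role_creation")               # persistence via new IAM roles
    if name == "RegisterTaskDefinition":
        for container in params.get("containerDefinitions", []):
            if not container.get("image", "").startswith(TRUSTED_REGISTRY_PREFIXES):
                hits.append("untrusted_ecs_image") # image pulled from outside the trusted registry
    if name == "CreateAutoScalingGroup" and params.get("maxSize", 0) > MAX_EXPECTED_ASG_SIZE:
        hits.append("oversized_asg")               # e.g. maxSize 999 to exhaust EC2 quotas
    if name == "ModifyInstanceAttribute" and (params.get("disableApiTermination") or {}).get("value") is True:
        hits.append("termination_protection_enabled")
    return hits

def suspicious_identities(events, min_indicators=3):
    """Group indicators per calling identity; return identities with >= min_indicators distinct hits."""
    per_identity = defaultdict(set)
    for event in events:
        arn = event.get("userIdentity", {}).get("arn", "unknown")
        per_identity[arn].update(classify(event))
    return {arn: sorted(hits) for arn, hits in per_identity.items() if len(hits) >= min_indicators}
```

Run against a real export, the same functions apply to each record under the `Records` key of a CloudTrail log file; the threshold of three distinct indicators keeps a lone `CreateRole` by a legitimate deploy pipeline from alerting.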
Conclusion
The exploitation of compromised IAM credentials for unauthorized cryptocurrency mining operations highlights the critical need for robust security practices in cloud environments. By implementing stringent access controls, continuous monitoring, and proactive security measures, organizations can mitigate the risks associated with such attacks and protect their cloud resources from unauthorized exploitation.