Full Report
Over the July 4th holiday weekend Expel’s SOC spotted a coin-mining attack in a customer’s Amazon Web Services (AWS) environment. The attacker compromised the root IAM user access key and used it to enumerate the environment and spin up ten (10) c5.4xlarge EC2s to mine Monero....
Analysis Summary
# Incident Report: AWS Cryptomining Resource Hijacking
## Executive Summary
During the July 4th holiday weekend, Expel's Security Operations Center (SOC) detected a cryptomining campaign targeting a customer's Amazon Web Services (AWS) environment. The attacker successfully compromised the **root IAM user access key**, which was then used to enumerate the environment and provision ten high-resource EC2 instances (c5.4xlarge) for Monero mining, resulting in unexpected cloud usage costs.
## Incident Details
- Discovery Date: July 4th holiday weekend (Specific date not provided)
- Incident Date: Occurred over the July 4th holiday weekend (Specific date not provided)
- Affected Organization: Customer of Expel (Not publicly disclosed)
- Sector: Unknown (Assumed Technology/Cloud User)
- Geography: Unknown (Implied US due to holiday)
## Timeline of Events
### Initial Access
- Date/Time: Unknown (Occurred prior to discovery over the holiday weekend)
- Vector: Compromised AWS IAM Root User Access Key
- Details: The attacker gained the credentials for the highest privileged account in the AWS environment.
### Lateral Movement
- Details: After gaining access, the attacker enumerated the environment to identify resources suitable for cryptocurrency mining.
### Data Exfiltration/Impact
- Impact: Resource hijacking for unauthorized use (Monero cryptocurrency mining). Attacker launched ten (10) `c5.4xlarge` EC2 instances.
### Detection & Response
- Detection: Detected by Expel’s SOC.
- Response Actions: Details on specific fixes are not provided, but the incident was reported as "Alert-to-fix."
## Attack Methodology
*(Based on limited context, many fields remain inferred or TBD)*
- Initial Access: Credential compromise of the AWS **Root IAM User Access Key**.
- Persistence: Not specified, but typically involves creating secondary access keys or roles.
- Privilege Escalation: Not required, as access was gained directly via the **Root User**, which holds all necessary permissions by default.
- Defense Evasion: Not specified.
- Credential Access: Not specified (Likely phishing, key leak, or exposed secrets).
- Discovery: Enumeration of the AWS environment using the root credentials.
- Lateral Movement: Environment enumeration, followed by deployment of mining infrastructure.
- Collection: N/A
- Exfiltration: N/A (The impact was resource consumption, not data theft).
- Impact: Resource hijacking/Cryptojacking.
## Impact Assessment
- Financial: High potential for unexpected cloud billing charges due to running ten (10) large EC2 instances (`c5.4xlarge`).
- Data Breach: No evidence of data exfiltration was mentioned.
- Operational: Potential disruption if the root credentials were used to modify critical infrastructure, though the primary impact was resource misuse.
- Reputational: Low, as the incident was handled internally by the SOC.
## Indicators of Compromise
- Network Indicators: N/A (Mining pool communication domains/IPs were not detailed)
- File Indicators: N/A
- Behavioral Indicators:
  - Creation of ten (10) `c5.4xlarge` EC2 instances.
  - API calls associated with heavy compute resource allocation and potential Monero mining software installation.
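The behavioral indicators above map directly onto CloudTrail: root-user API calls made with a long-term access key, and a `RunInstances` call for a large count of high-cost instance types. The check below is an added example, not code from Expel or from the report; the sample events, the key id, the IP addresses and the watched instance-type prefixes are all constructed.

```python
# Minimal CloudTrail triage for the two indicators in this report:
#  1. root identity calling the API with a long-term key (AKIA... prefix,
#     no console sessionContext)
#  2. RunInstances requesting many instances or a high-cost instance family
ROOT_KEY_USE = "root-long-term-key-api-call"
BULK_COMPUTE = "bulk-or-high-cost-compute-launch"
WATCHED_TYPE_PREFIXES = ("c5.", "p3.", "g4dn.")  # constructed watchlist

# Constructed sample records in CloudTrail's shape (not from the incident).
SAMPLE_EVENTS = [
    {"eventName": "DescribeInstances", "eventSource": "ec2.amazonaws.com",
     "userIdentity": {"type": "Root", "accessKeyId": "AKIAEXAMPLEROOTKEY"},
     "sourceIPAddress": "203.0.113.10", "requestParameters": {}},
    {"eventName": "RunInstances", "eventSource": "ec2.amazonaws.com",
     "userIdentity": {"type": "Root", "accessKeyId": "AKIAEXAMPLEROOTKEY"},
     "sourceIPAddress": "203.0.113.10",
     "requestParameters": {"instanceType": "c5.4xlarge",
                           "instancesSet": {"items": [{"minCount": 10,
                                                       "maxCount": 10}]}}},
    {"eventName": "RunInstances", "eventSource": "ec2.amazonaws.com",
     "userIdentity": {"type": "IAMUser", "userName": "deploy-bot",
                      "accessKeyId": "ASIAEXAMPLESESSION",
                      "sessionContext": {"attributes": {}}},
     "sourceIPAddress": "198.51.100.7",
     "requestParameters": {"instanceType": "t3.micro",
                           "instancesSet": {"items": [{"minCount": 1,
                                                       "maxCount": 1}]}}},
]

def launched_count(event):
    """Total instances requested by a RunInstances event (sum of maxCount)."""
    params = event.get("requestParameters") or {}
    items = (params.get("instancesSet") or {}).get("items", [])
    return sum(int(i.get("maxCount", 0)) for i in items)

def evaluate(event, bulk_threshold=5):
    """Return the list of rule names this single event triggers."""
    findings = []
    ident = event.get("userIdentity") or {}
    key = ident.get("accessKeyId", "")
    # Console sessions carry sessionContext and ASIA... temporary keys;
    # a bare AKIA... key on a root call means a long-term root access key.
    if ident.get("type") == "Root" and key.startswith("AKIA") \
            and "sessionContext" not in ident:
        findings.append(ROOT_KEY_USE)
    if event.get("eventName") == "RunInstances":
        itype = (event.get("requestParameters") or {}).get("instanceType", "")
        if launched_count(event) >= bulk_threshold \
                or itype.startswith(WATCHED_TYPE_PREFIXES):
            findings.append(BULK_COMPUTE)
    return findings

def scan(events):
    """Flatten findings across a batch of events as (eventName, rule) pairs."""
    return [(e.get("eventName"), f) for e in events for f in evaluate(e)]

if __name__ == "__main__":
    for name, rule in scan(SAMPLE_EVENTS):
        print(f"{rule}: {name}")
```

Both rules fire on the second sample event, which is the shape of the launch described in this report; the routine `deploy-bot` launch triggers neither.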
## Response Actions
- Containment: Implied immediate termination of the provisioned EC2 instances.
- Eradication: Revocation and rotation of the compromised Root IAM User Access Key.
- Recovery: Securing the AWS environment with appropriate policies.
## Lessons Learned
- **Root User Security:** Relying on the root user for daily operations or retaining active access keys for the root account is a critical security failure. The root user should almost never have active programmatic access keys.
- **Alerting:** Expel’s SOC demonstrated effective monitoring that detected unauthorized, high-cost resource creation in a timely manner.
## Recommendations
- **Root Account Policy:** Immediately disable access keys associated with the AWS root user. Access to the root account should be strictly limited to an emergency break-glass scenario, accessed only via MFA-protected console login.
- **IAM Best Practices:** Implement the principle of least privilege. Restrict the ability to launch high-cost resources for standard administrative users/roles.
- **Billing Alarms:** Configure robust AWS Cost and Usage Reports (CUR) and Billing Alarms to trigger alerts immediately upon unusual spikes in compute usage.