Full Report
An ongoing campaign has been observed targeting Amazon Web Services (AWS) customers using compromised Identity and Access Management (IAM) credentials to enable cryptocurrency mining. The activity, first detected by Amazon's GuardDuty managed threat detection service and its automated security monitoring systems on November 2, 2025, employs never-before-seen persistence techniques to hamper
Analysis Summary
# Incident Report: AWS Crypto Mining Campaign via Compromised IAM Credentials
## Executive Summary
An observed campaign targeted Amazon Web Services (AWS) customers using previously compromised Identity and Access Management (IAM) credentials to deploy large-scale, unauthorized cryptocurrency mining operations across EC2 and ECS. The activity was characterized by the novel use of the `ModifyInstanceAttribute` action to prevent instance termination, significantly complicating remediation. Detection occurred on November 2, 2025, and the attacker achieved operational mining within 10 minutes of initial access.
## Incident Details
- Discovery Date: November 2, 2025
- Incident Date: Commenced on or before November 2, 2025
- Affected Organization: Undisclosed AWS Customers
- Sector: Cloud Services / Technology
- Geography: AWS Environment (Global Scope implied)
## Timeline of Events
### Initial Access
- Date/Time: Mining was operational within 10 minutes of initial access (i.e., very rapidly after compromise).
- Vector: Compromised IAM User Credentials (admin-like privileges).
- Details: Attackers used existing, potentially over-privileged IAM credentials to begin probing the environment.
### Lateral Movement
- Details: Attackers leveraged discovered IAM permissions to create necessary Service Linked Roles (`CreateServiceLinkedRole`, `CreateRole`) for autoscaling groups and AWS Lambda, enabling subsequent deployment across ECS and EC2 environments.
### Data Exfiltration/Impact
- Impact: Unauthorized utilization of victim's AWS compute resources (EC2/ECS Fargate) for cryptocurrency mining, leading to potentially high consumption costs for the victims.
### Detection & Response
- Detection: Amazon's GuardDuty managed threat detection service and automated security monitoring systems detected the activity.
- Response Actions: No specific response actions are detailed, but eradication would require identifying and removing malicious roles, tasks and clusters, and disabling the persistence mechanisms.
## Attack Methodology
- Initial Access: Leveraging compromised IAM user credentials possessing admin-like privileges.
- Persistence: Novel use of `ModifyInstanceAttribute` with `disableApiTermination="True"` to prevent victims or automated controls from easily terminating the malicious EC2 instances. The attackers also established infrastructure via new IAM roles and autoscaling groups.
- Privilege Escalation: Not explicitly detailed as necessary, as initial access provided admin-like privileges sufficient for resource creation and modification.
- Defense Evasion: Preventing termination via API protection to maximize resource utilization duration.
- Credential Access: Based on the premise, credentials were pre-compromised (method unknown).
- Discovery: Invoked the `RunInstances` API with the `DryRun` flag set to enumerate resources and test permissions against EC2 service quotas.
- Lateral Movement: Creation of dozens of ECS clusters (up to 50 in some cases) and creation of autoscaling groups configured for aggressive scaling (20 to 999 instances).
- Collection: N/A (Focused on resource consumption, not data theft).
- Exfiltration: N/A (Focused on resource consumption/mining output).
- Impact: Resource exhaustion and financial cost via crypto mining operations targeting high-performance GPU/ML instances, compute, memory, and general-purpose instances.
## Impact Assessment
- Financial: High potential cost to victims due to sustained, large-scale use of EC2/ECS resources, particularly high-cost GPU instances.
- Data Breach: Not the primary goal; the impact was resource abuse, not data exfiltration.
- Operational: Disruption in security operations due to instance termination protection hindering automated and manual remediation efforts.
- Reputational: Potential reputational damage for affected organizations due to security compromise and billing shock.
## Indicators of Compromise
- Behavioral Indicators: Rapid invocation of the `RunInstances` API (`DryRun`), `CreateServiceLinkedRole`, `CreateRole`, `RegisterTaskDefinition`, and `ModifyInstanceAttribute` (specifically setting `disableApiTermination` to True).
- File Indicators: Use of malicious DockerHub image `yenik65958/secret:user` running a shell script that executes the **RandomVIREL** mining algorithm.
- Network Indicators: Communications associated with the **RandomVIREL** mining pool (details not provided).
## Response Actions
- Containment: Identifying and removing malicious ECS clusters and scaling groups. Crucially, victims must identify instances protected by `disableApiTermination="True"` and explicitly re-enable API termination before deletion.
- Eradication: Removing newly created rogue IAM roles and policies. Disabling or removing the compromised IAM credentials used for initial access.
- Recovery: Auditing all environment activities post-compromise and ensuring robust IAM least privilege policies are enforced, especially concerning resource creation and instance attribute modification.
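The containment ordering above matters more than it looks: the report notes autoscaling groups sized from 20 to 999 instances, so terminating instances before the group is scaled to zero just gets them replaced, and `TerminateInstances` fails outright while `disableApiTermination` is set. The following is an added example, not code from the report or from AWS, that turns a constructed inventory of suspect instances into an ordered plan and checks that invariant. The inventory shape is a simplified stand-in for `DescribeInstances`, `DescribeInstanceAttribute` and `DescribeAutoScalingInstances` output; the instance IDs and group name are made up.

```python
"""Added example (not from the original report): build an ordered containment
plan for suspect EC2 instances and verify that the order is safe."""

# Constructed inventory: two protected instances in a rogue autoscaling group
# and one unprotected stand-alone instance. IDs and group name are made up.
SUSPECT_INSTANCES = [
    {"InstanceId": "i-0aaa000000000001", "TerminationProtected": True,
     "AutoScalingGroup": "asg-miner-gpu"},
    {"InstanceId": "i-0aaa000000000002", "TerminationProtected": True,
     "AutoScalingGroup": "asg-miner-gpu"},
    {"InstanceId": "i-0aaa000000000003", "TerminationProtected": False,
     "AutoScalingGroup": None},
]


def plan_containment(instances):
    """Return an ordered list of API steps. Parameter names follow the
    corresponding boto3 calls so the plan can be mapped onto them."""
    steps = []
    # 1. Scale every rogue group to zero first; otherwise each instance
    #    terminated below is immediately replaced by the group.
    groups = sorted({i["AutoScalingGroup"] for i in instances if i["AutoScalingGroup"]})
    for name in groups:
        steps.append({"action": "UpdateAutoScalingGroup",
                      "params": {"AutoScalingGroupName": name,
                                 "MinSize": 0, "MaxSize": 0, "DesiredCapacity": 0}})
    # 2. Clear termination protection where the attacker set it.
    for inst in instances:
        if inst["TerminationProtected"]:
            steps.append({"action": "ModifyInstanceAttribute",
                          "params": {"InstanceId": inst["InstanceId"],
                                     "DisableApiTermination": {"Value": False}}})
    # 3. Only now terminate everything in one call.
    steps.append({"action": "TerminateInstances",
                  "params": {"InstanceIds": [i["InstanceId"] for i in instances]}})
    return steps


def plan_is_safe(steps, instances):
    """True if no TerminateInstances step precedes the unprotect step of a
    protected instance or the scale-to-zero of that instance's group."""
    by_id = {i["InstanceId"]: i for i in instances}
    unprotected, scaled = set(), set()
    for s in steps:
        p = s["params"]
        if s["action"] == "ModifyInstanceAttribute":
            unprotected.add(p["InstanceId"])
        elif s["action"] == "UpdateAutoScalingGroup":
            scaled.add(p["AutoScalingGroupName"])
        elif s["action"] == "TerminateInstances":
            for iid in p["InstanceIds"]:
                inst = by_id[iid]
                if inst["TerminationProtected"] and iid not in unprotected:
                    return False
                if inst["AutoScalingGroup"] and inst["AutoScalingGroup"] not in scaled:
                    return False
    return True


if __name__ == "__main__":
    for step in plan_containment(SUSPECT_INSTANCES):
        print(step["action"], step["params"])
```

The plan is data rather than live calls on purpose: a responder can review it (or feed it to a change-approval step) before it is executed with the compromised credentials already revoked, and `plan_is_safe` gives an automated remediation Lambda a cheap guard against terminating in the wrong order.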
## Lessons Learned
- The campaign successfully weaponized the `ModifyInstanceAttribute` API call to effectively stall incident response and automated remediation by locking instances against termination.
- Attackers move extremely fast in cloud environments, achieving operational mining within 10 minutes of initial access, highlighting the need for immediate detection on initial reconnaissance steps (like DryRun calls).
- Over-privileged IAM credentials remain a primary attack vector in the cloud.
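The behavioral indicators listed under Indicators of Compromise, and the lesson above about catching the `DryRun` reconnaissance step, both reduce to the same detection: classify each CloudTrail event against the indicator set and alert when one principal hits several distinct indicators inside the ten-minute window the report describes. The block below is an added example, not part of the report or of GuardDuty; the CloudTrail-style records are constructed, and the ARNs, instance ID and timestamps are made up. The only image name used is the one the report cites.

```python
"""Added example (not from the original report): flag CloudTrail events that
match the report's behavioural indicators and correlate them per principal."""
from datetime import datetime, timedelta

# Only the image named in the report; extend from your own intel feeds.
KNOWN_BAD_IMAGES = {"yenik65958/secret:user"}

# Constructed sample: one principal running the whole sequence in under
# five minutes, plus a responder clearing termination protection later.
ATTACKER = "arn:aws:iam::111122223333:user/ci-deploy"           # constructed
RESPONDER = "arn:aws:iam::111122223333:role/IncidentResponse"   # constructed
SAMPLE_EVENTS = [
    {"eventTime": "2025-11-02T10:00:05Z", "eventName": "RunInstances",
     "userIdentity": {"arn": ATTACKER},
     "requestParameters": {"dryRun": True},
     "errorCode": "Client.DryRunOperation"},
    {"eventTime": "2025-11-02T10:01:10Z", "eventName": "CreateServiceLinkedRole",
     "userIdentity": {"arn": ATTACKER},
     "requestParameters": {"aWSServiceName": "autoscaling.amazonaws.com"}},
    {"eventTime": "2025-11-02T10:02:00Z", "eventName": "RegisterTaskDefinition",
     "userIdentity": {"arn": ATTACKER},
     "requestParameters": {"containerDefinitions": [{"image": "yenik65958/secret:user"}]}},
    {"eventTime": "2025-11-02T10:04:30Z", "eventName": "ModifyInstanceAttribute",
     "userIdentity": {"arn": ATTACKER},
     "requestParameters": {"instanceId": "i-0123456789abcdef0",
                           "disableApiTermination": {"value": True}}},
    {"eventTime": "2025-11-02T14:00:00Z", "eventName": "ModifyInstanceAttribute",
     "userIdentity": {"arn": RESPONDER},
     "requestParameters": {"instanceId": "i-0123456789abcdef0",
                           "disableApiTermination": {"value": False}}},
]


def parse_time(ts):
    return datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ")


def classify(event):
    """Return the indicator category an event matches, or None."""
    name = event.get("eventName")
    params = event.get("requestParameters") or {}
    if name == "RunInstances" and params.get("dryRun") is True:
        return "dryrun-probe"
    if name in ("CreateServiceLinkedRole", "CreateRole"):
        return "role-creation"
    if name == "RegisterTaskDefinition":
        for cd in params.get("containerDefinitions", []):
            if cd.get("image") in KNOWN_BAD_IMAGES:
                return "known-mining-image"
        return None
    if name == "ModifyInstanceAttribute":
        attr = params.get("disableApiTermination") or {}
        # Only *enabling* protection is an indicator; clearing it is what
        # responders do during containment.
        if attr.get("value") is True:
            return "termination-protection-enabled"
    return None


def correlate(events, window=timedelta(minutes=10), min_categories=3):
    """Alert on principals that hit `min_categories` distinct indicator
    categories within `window`; returns {principal_arn: sorted categories}."""
    hits = {}
    for ev in sorted(events, key=lambda e: e["eventTime"]):
        cat = classify(ev)
        if cat is None:
            continue
        arn = ev["userIdentity"]["arn"]
        hits.setdefault(arn, []).append((parse_time(ev["eventTime"]), cat))
    alerts = {}
    for arn, seq in hits.items():
        for i, (t0, _) in enumerate(seq):
            cats = {c for t, c in seq[i:] if t - t0 <= window}
            if len(cats) >= min_categories:
                alerts[arn] = sorted(cats)
                break
    return alerts


if __name__ == "__main__":
    for arn, cats in correlate(SAMPLE_EVENTS).items():
        print(f"ALERT {arn}: {', '.join(cats)}")
```

The `min_categories` threshold is what keeps this from paging on a legitimate deployment pipeline: a CI role that creates roles and registers task definitions all day never issues a `DryRun` probe and never flips termination protection, so it stays below the bar, while the sequence in the report crosses it at the fourth event.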
## Recommendations
- Implement strong preventative guardrails in AWS IAM Policy to deny the use of `ec2:ModifyInstanceAttribute` for sensitive attributes like `disableApiTermination` from non-secured roles or principals.
- Review and enforce least privilege for all IAM users/roles, minimizing rights to perform discovery reconnaissance actions that precede large-scale resource deployment (e.g., limiting `ec2:RunInstances` DryRun capability broadly).
- Ensure automated response mechanisms (e.g., Lambda functions triggered by GuardDuty) are capable of overriding instance termination protection settings or immediately focusing on role and credential revocation upon detecting suspicious resource provisioning.
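The first recommendation, a guardrail that denies `ec2:ModifyInstanceAttribute` for `disableApiTermination` unless the caller is a designated response principal, can be expressed as a single explicit-Deny statement. The block below is an added example, not a policy from the report or from AWS documentation: the `ec2:Attribute` condition key and the exact attribute value it expects are assumptions to be verified against the EC2 entry of the IAM Service Authorization Reference before deployment, the break-glass role ARN is made up, and the evaluator is a toy that implements only the operators this one policy uses, so the reader can see which requests the statement blocks.

```python
"""Added example (not from the original report): an explicit-Deny guardrail
for termination-protection changes, plus a toy evaluator to exercise it."""

# Constructed: the one principal allowed to change termination protection.
BREAK_GLASS_ROLE = "arn:aws:iam::111122223333:role/IncidentResponse"

# ASSUMPTION: the `ec2:Attribute` condition key carries the attribute name
# passed to ModifyInstanceAttribute; confirm the key and value spelling in
# the Service Authorization Reference before attaching this as an SCP or
# permissions boundary.
GUARDRAIL_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "DenyTerminationProtectionChanges",
            "Effect": "Deny",
            "Action": "ec2:ModifyInstanceAttribute",
            "Resource": "*",
            "Condition": {
                "StringEquals": {"ec2:Attribute": "DisableApiTermination"},
                "ArnNotEquals": {"aws:PrincipalArn": BREAK_GLASS_ROLE},
            },
        }
    ],
}


def _matches(operator, key, expected, context):
    """Evaluate one condition pair against the request context."""
    actual = context.get(key)
    if operator in ("StringEquals", "ArnEquals"):
        return actual is not None and actual == expected
    if operator in ("StringNotEquals", "ArnNotEquals"):
        # Negated operators are satisfied when the key is absent.
        return actual is None or actual != expected
    raise ValueError(f"unsupported operator {operator}")


def evaluate(policy, action, context):
    """Return 'explicitDeny' if any Deny statement matches, else 'noDeny'.
    Deliberately minimal: no Allow handling, wildcards or resource matching."""
    for stmt in policy["Statement"]:
        if stmt["Effect"] != "Deny":
            continue
        actions = stmt["Action"] if isinstance(stmt["Action"], list) else [stmt["Action"]]
        if action not in actions:
            continue
        conds = stmt.get("Condition", {})
        if all(_matches(op, k, v, context)
               for op, pairs in conds.items() for k, v in pairs.items()):
            return "explicitDeny"
    return "noDeny"


if __name__ == "__main__":
    ctx = {"ec2:Attribute": "DisableApiTermination",
           "aws:PrincipalArn": "arn:aws:iam::111122223333:user/ci-deploy"}
    print(evaluate(GUARDRAIL_POLICY, "ec2:ModifyInstanceAttribute", ctx))
```

Because the statement is a Deny, it holds even against the admin-like credentials the report describes: an explicit Deny in an SCP or permissions boundary overrides any Allow the compromised user carries. If the attribute-level condition cannot be confirmed for your account, the fallback is to deny `ec2:ModifyInstanceAttribute` outright for everything except the response role and grant the attributes ordinary automation needs through a separate, narrowly scoped role.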