- Attackers used stolen high‑privilege IAM credentials to rapidly deploy large‑scale cryptomining on EC2 and ECS
- They launched GPU‑heavy auto‑scaling groups, malicious Fargate containers, new IAM users, and protected instances from shutdown
- AWS urges strict IAM hygiene: MFA everywhere, temporary credentials, and least‑privilege access
Cybercriminals are targeting Amazon Web Services (AWS) customers using Amazon EC2 and Amazon ECS with cryptojackers, expert have warned.
The cloud giant warned about the ongoing campaign in a recent report, saying that it has since been addressed, but urged customers to be careful because attacks like these can easily reappear.
In early November 2025, Amazon GuardDuty engineers detected the attack after observing the same techniques appearing across multiple AWS accounts. A subsequent investigation determined that the miscreants were not exploiting any known, or unknown vulnerabilities in AWS itself. Instead, they relied on compromised AWS Identity and Access Management (IAM) credentials with high-level permissions to gain access. Once inside, they would use the access to deploy large-scale mining infrastructure into the cloud environment.
Strengthen your passwords
Amazon’s report states that most crypto miners were up and running within minutes of initial access. The attackers moved quickly to enumerate service quotas and permissions, and then launched dozens of ECS clusters and large EC2 auto scaling groups. In some cases, these were configured to grow swiftly, in order to maximize compute consumption.
The hackers approached the attack differently on ECS and EC2. On the former, they deployed malicious container images hosted on Docker Hub, that executed the miner on AWS Fargate.
On the latter, however, they created multiple launch templates and auto scaling groups that targeted high-performance GPU instances, as well as general-purpose compute instances.
Amazon also added the crooks used instance termination protection to prevent compromised endpoints from being easily shut down or remedied remotely.
They also created publicly accessible AWS Lambda functions and additional IAM users, as well.
Defending against these attacks is easy, Amazon hints. All it takes – is a strong password:
“To protect against similar crypto mining attacks, AWS customers should prioritize strong identity and access management controls,” it says in the report. “Implement temporary credentials instead of long-term access keys, enforce multi-factor authentication (MFA) for all users, and apply least privilege to IAM principals limiting access to only required permissions.”
The best antivirus for all budgets
Follow TechRadar on Google News and add us as a preferred source to get our expert news, reviews, and opinion in your feeds. Make sure to click the Follow button!
And of course you can also follow TechRadar on TikTok for news, reviews, unboxings in video form, and get regular updates from us on WhatsApp too.
https://cdn.mos.cms.futurecdn.net/ABdYnex3UvLSEgFZqq9eSZ-2560-80.jpg
Source link
