Customers of Amazon Web Services (AWS) have been the target of an ongoing campaign that uses compromised Identity and Access Management (IAM) credentials to facilitate cryptocurrency mining. The unknown adversary starts the multi-stage attack chain with compromised IAM user credentials that carry admin-like privileges. In the activity observed so far, the threat actor is reported to have created dozens of Amazon ECS clusters across the victim environment, sometimes more than 50 ECS clusters in a single attack.
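A burst of cluster creation by one IAM principal, as described above, is the kind of behaviour a defender can pick out of CloudTrail. The following detector is an added example written for this article (it is not AWS's code and not from the article): it assumes standard CloudTrail JSON records, and the sample records, the account ID 123456789012, the user names and the threshold of three `CreateCluster` calls within ten minutes are all constructed for illustration.

```python
"""Flag IAM principals that create ECS clusters in bursts, from CloudTrail JSON.

Added example, not from the article or from AWS. Assumes standard CloudTrail
record fields (eventTime, eventSource, eventName, userIdentity.arn).
"""
import json
from collections import defaultdict
from datetime import datetime, timedelta, timezone


def _event(user, minute, name="CreateCluster", source="ecs.amazonaws.com"):
    """Build one constructed CloudTrail-style record (hypothetical account 123456789012)."""
    return {
        "eventTime": f"2024-04-01T12:{minute:02d}:00Z",
        "eventSource": source,
        "eventName": name,
        "userIdentity": {"type": "IAMUser",
                         "arn": f"arn:aws:iam::123456789012:user/{user}"},
    }


# Constructed sample trail: one principal spins up clusters in quick succession,
# another creates a single cluster, and one late call falls outside the window.
SAMPLE_RECORDS = json.dumps({"Records": [
    _event("deploy-admin", 1), _event("deploy-admin", 2), _event("deploy-admin", 3),
    _event("deploy-admin", 4, name="RunTask"),   # same principal, a different API call
    _event("deploy-admin", 5),
    _event("platform-eng", 7),                   # a single, plausibly routine creation
    _event("deploy-admin", 40),                  # more than 10 minutes after the burst
]})


def parse_cloudtrail(payload):
    """Return (principal_arn, timestamp) for every ecs:CreateCluster call in the payload."""
    calls = []
    for rec in json.loads(payload)["Records"]:
        if rec.get("eventSource") != "ecs.amazonaws.com" or rec.get("eventName") != "CreateCluster":
            continue
        ts = datetime.strptime(rec["eventTime"], "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
        calls.append((rec["userIdentity"]["arn"], ts))
    return calls


def cluster_creation_bursts(payload, threshold=3, window=timedelta(minutes=10)):
    """Map principal ARN -> largest number of CreateCluster calls inside any sliding
    `window`, keeping only principals that reach `threshold` (an assumed tuning value)."""
    by_principal = defaultdict(list)
    for arn, ts in parse_cloudtrail(payload):
        by_principal[arn].append(ts)

    flagged = {}
    for arn, times in by_principal.items():
        times.sort()
        best, start = 0, 0
        for end, t in enumerate(times):
            # Slide the window start forward until all retained calls fit in `window`.
            while t - times[start] > window:
                start += 1
            best = max(best, end - start + 1)
        if best >= threshold:
            flagged[arn] = best
    return flagged


if __name__ == "__main__":
    for arn, count in cluster_creation_bursts(SAMPLE_RECORDS).items():
        print(f"{arn}: {count} ECS CreateCluster calls within 10 minutes")
```

The sliding window is what distinguishes a scripted spree from normal, spaced-out provisioning; the threshold and window are starting points to tune against an account's own baseline, and the same loop applies unchanged to other high-volume compute calls (`RunTask`, `RunInstances`) by changing the filter in `parse_cloudtrail`.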

The DockerHub image, which has since been removed, is configured to execute a shell script as soon as it is deployed, and that script starts cryptocurrency mining with the RandomVIREL mining algorithm. Security researcher Harsha Koushik published a proof-of-concept (PoC) in April 2024 showing how the action could be abused to take over the entire AWS account, seize instances, and steal instance credentials. To protect against the threat, Amazon advises AWS users to take the actions listed below.

"The threat actor's scripted use of multiple compute services, in combination with emerging persistence techniques, represents a significant advancement in crypto mining attack methodologies," Amazon said. In a blog post published on Monday, the company stated that the campaign does not exploit any security flaw in AWS.

This article was revised after publication to make clear that the campaign does not exploit any AWS security flaw, and that the attacker's scripted use of multiple compute services is a threat actor technique rather than a vulnerability in those services.