AWS EC2 exploited in new cryptomining attacks
Amazon Web Services Elastic Compute Cloud (EC2) implementations have been targeted by GUI-vil, a financially motivated Indonesian threat operation, to facilitate cryptomining activities, The Hacker News reports.
GUI-vil gains initial access by exploiting publicly exposed AWS keys or by identifying GitLab instances that could be compromised through remote code execution bugs. The group then escalates privileges and conducts reconnaissance while creating new users to conceal malicious activity, according to a report by Permiso's P0 Labs.
Aside from creating access keys for the newly created identities so that it can keep using S3 Browser, GUI-vil has also been creating login profiles for existing users in a bid to avoid detection.
"The group's primary mission, financially driven, is to create EC2 instances to facilitate their crypto mining activities. In many cases the profits they make from crypto mining are just a sliver of the expense the victim organizations have to pay for running the EC2 instances," said researchers.
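The IAM activity described above (new users, access keys for those users, login profiles added to existing users, S3 Browser as the client) can be triaged from CloudTrail. The following is an added example, not code from Permiso or The Hacker News; the sample records are constructed, and matching the substring "S3 Browser" in the `userAgent` field is an assumption about how that client identifies itself.

```python
# Constructed CloudTrail-style records; field names follow the CloudTrail record
# format, every value is made up for this example.
S3B = "S3 Browser 0.0 (constructed sample)"
ACTOR = {"arn": "arn:aws:iam::111122223333:user/ci-deploy"}
SAMPLE_EVENTS = [
    {"eventTime": "2023-05-01T10:05:00Z", "eventName": "CreateLoginProfile",
     "userAgent": "Mozilla/5.0 (constructed)", "userIdentity": ACTOR,
     "requestParameters": {"userName": "alice"}},
    {"eventTime": "2023-05-01T10:00:00Z", "eventName": "CreateUser",
     "userAgent": S3B, "userIdentity": ACTOR,
     "requestParameters": {"userName": "sec_audit"}},
    {"eventTime": "2023-05-01T10:01:00Z", "eventName": "CreateAccessKey",
     "userAgent": S3B, "userIdentity": ACTOR,
     "requestParameters": {"userName": "sec_audit"}},
    {"eventTime": "2023-05-01T09:00:00Z", "eventName": "CreateAccessKey",
     "userAgent": "aws-cli/2 (constructed)", "userIdentity": ACTOR,
     "requestParameters": {"userName": "bob"}},
    {"eventTime": "2023-05-01T10:02:00Z", "eventName": "ListBuckets",
     "userAgent": S3B, "userIdentity": ACTOR, "requestParameters": None},
]

WATCHED = {"CreateUser", "CreateAccessKey", "CreateLoginProfile"}

def find_iam_persistence(events):
    """Return (time, event, actor_arn, target_user, reasons) for suspicious IAM writes."""
    created = set()   # users created inside this batch of events
    findings = []
    # ISO-8601 UTC timestamps sort correctly as strings.
    for ev in sorted(events, key=lambda e: e["eventTime"]):
        name = ev.get("eventName")
        if name not in WATCHED:
            continue
        target = (ev.get("requestParameters") or {}).get("userName")
        reasons = []
        if "S3 Browser" in ev.get("userAgent", ""):   # assumed client marker
            reasons.append("s3-browser-client")
        if name == "CreateUser":
            created.add(target)
        elif name == "CreateAccessKey" and target in created:
            reasons.append("key-for-new-user")
        elif name == "CreateLoginProfile" and target and target not in created:
            reasons.append("login-profile-on-existing-user")
        if reasons:
            actor = ev.get("userIdentity", {}).get("arn", "unknown")
            findings.append((ev["eventTime"], name, actor, target, reasons))
    return findings

if __name__ == "__main__":
    for finding in find_iam_persistence(SAMPLE_EVENTS):
        print(finding)
```

"Existing user" here means only that the user was not created within the batch being examined, so legitimate administrator activity will also surface and each finding needs review against change records.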