Crypto crooks co-opt stolen AWS creds to mine coins
Summary
Attackers have been using stolen AWS Identity and Access Management (IAM) credentials with admin-like privileges to run illicit cryptocurrency miners on customer EC2 and ECS resources since 2 November. Rather than exploiting a vulnerability, the criminals abused valid credentials to deploy SBRMiner-MULTI, and were able to have miners running within ten minutes of gaining access, according to an Amazon security blog.
The threat actors check EC2 service quotas, call RunInstances with the DryRun flag to test their permissions without launching anything, spin up dozens of ECS clusters and auto scaling groups to maximise compute, and set the disableApiTermination attribute to true on instances to frustrate takedown attempts. They also deploy an unauthenticated Lambda function exposed through a public Function URL to retain persistence. AWS GuardDuty detected the activity in several accounts and alerted customers.
Key Points
- Campaign began on 2 November and abuses compromised IAM credentials rather than a code flaw.
- Attackers deploy SBRMiner-MULTI on EC2 and ECS; miners were operational within 10 minutes of access.
- They probe service quotas and use RunInstances with DryRun to validate privileges without incurring charges.
- Operators create dozens of ECS clusters and leverage auto scaling groups to maximise resource use and cost impact.
- Persistence techniques include enabling termination protection (disableApiTermination) on instances and publishing an unauthenticated public Lambda Function URL.
- AWS GuardDuty spotted the campaign and alerted affected customers.
- AWS recommends strong IAM controls: use temporary credentials, enforce MFA, and apply least privilege.
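A defender-side triage check for the pattern described in the points above, added here as an example that is not part of the original article or of any AWS tooling: it scans CloudTrail records for the DryRun probe, the termination-protection toggle and an unauthenticated Function URL, and flags any identity that shows more than one of them. The sample records, account ID and ARNs are constructed, and the exact field layout and versioned Lambda event name are assumptions.

```python
import json
from collections import defaultdict

# Constructed sample CloudTrail records, not real telemetry. Field layout follows
# CloudTrail's usual shape; the versioned Lambda event name is an assumption.
SAMPLE_TRAIL = json.dumps({"Records": [
    {"eventTime": "2025-11-02T10:01:00Z", "eventSource": "ec2.amazonaws.com",
     "eventName": "RunInstances", "errorCode": "Client.DryRunOperation",
     "userIdentity": {"arn": "arn:aws:iam::111122223333:user/ci-deploy"},
     "requestParameters": {"instanceType": "c5.4xlarge"}},
    {"eventTime": "2025-11-02T10:03:00Z", "eventSource": "ec2.amazonaws.com",
     "eventName": "ModifyInstanceAttribute",
     "userIdentity": {"arn": "arn:aws:iam::111122223333:user/ci-deploy"},
     "requestParameters": {"instanceId": "i-0abc", "disableApiTermination": {"value": True}}},
    {"eventTime": "2025-11-02T10:05:00Z", "eventSource": "lambda.amazonaws.com",
     "eventName": "CreateFunctionUrlConfig20211014",
     "userIdentity": {"arn": "arn:aws:iam::111122223333:user/ci-deploy"},
     "requestParameters": {"functionName": "persist", "authType": "NONE"}},
    # Ordinary launch by a different principal: must not be flagged.
    {"eventTime": "2025-11-02T11:00:00Z", "eventSource": "ec2.amazonaws.com",
     "eventName": "RunInstances", "userIdentity": {"arn": "arn:aws:iam::111122223333:role/platform-admin"},
     "requestParameters": {"instanceType": "t3.small"}},
]})


def indicators(record):
    """Names of the campaign indicators a single CloudTrail record exhibits."""
    name = record.get("eventName", "")
    params = record.get("requestParameters") or {}
    found = []
    # Permission probing: RunInstances rejected only because DryRun was set.
    if name == "RunInstances" and record.get("errorCode") == "Client.DryRunOperation":
        found.append("dryrun_probe")
    # Takedown resistance: termination protection switched on.
    if name == "ModifyInstanceAttribute" and \
            (params.get("disableApiTermination") or {}).get("value") is True:
        found.append("termination_protection")
    # Persistence: Function URL created with no authentication.
    if name.startswith("CreateFunctionUrlConfig") and params.get("authType") == "NONE":
        found.append("public_lambda_url")
    return found


def triage(trail_json, min_indicators=2):
    """Group indicators by calling identity; return those meeting the threshold."""
    by_arn = defaultdict(set)
    for rec in json.loads(trail_json)["Records"]:
        arn = rec.get("userIdentity", {}).get("arn", "<unknown>")
        by_arn[arn].update(indicators(rec))
    return {arn: sorted(i) for arn, i in by_arn.items() if len(i) >= min_indicators}
```

Run `triage(SAMPLE_TRAIL)` against the sample to see only the ci-deploy user surface; point it at a real CloudTrail export to apply the same check to your own account.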
Why should I read this?
If you run anything on AWS, this is worth five minutes of your time. Crooks are turning stolen creds into ongoing bills and headaches fast — they check quotas, test permissions silently, and lock down instances so you can’t just nuke them. Read this so you can spot the tell-tale signs and lock down your IAM before someone turns your cloud into their crypto farm.
Author’s take
Punchy and plain: this is a reminder that identity is the perimeter. The technique set here — quick validation with DryRun, mass cluster creation, disable-termination and an unauthenticated Lambda URL — shows attackers are automating for speed and persistence. Treat long-lived keys like radioactive waste: rotate, restrict and MFA everything.
Source
Source: https://go.theregister.com/feed/www.theregister.com/2025/12/18/crypto_crooks_use_stolen_aws/
