AWS Exploited for Crypto Mining Operation

Introduction

Enterprotect is issuing a threat advisory regarding the exploitation of Amazon Web Services (AWS) instances for illicit crypto mining activities. Indonesian cybercriminals belonging to the GUI-vil group have been identified as the threat actors behind this exploit. In this advisory, we will provide an overview of the threat, discuss why it is noteworthy, highlight the exposure or risk it poses, and provide recommendations to protect against such attacks.

What is the Threat?

The GUI-vil group, a financially motivated threat actor, uses compromised AWS accounts to launch EC2 instances for crypto mining. Researchers have observed the group using the same version of S3 Browser (version 9.5.5, released in January 2021) for its initial activity since November 2021 and as recently as April 2023. The attack chain begins with initial access via AWS access keys, obtained either by exploiting CVE-2021-22205 to achieve remote code execution (RCE) on vulnerable GitLab instances or by scanning for publicly exposed credentials. Once inside, the group proceeds with privilege escalation and internal reconnaissance to enumerate all S3 buckets and other services reachable through the AWS Management Console.

Why is it Noteworthy?

GUI-vil distinguishes itself from other crypto mining groups through its method of establishing persistence in a victim's environment. They create usernames that match the existing naming convention to mask themselves as legitimate users. In some cases, they even take over existing user accounts and create login profiles where none existed previously. By personalizing their attacks to match the environment, GUI-vil increases its chances of blending in and evading detection.

What is the Exposure or Risk?

As more businesses migrate their operations to the cloud, financially motivated threat actors like GUI-vil will continue to exploit vulnerable instances. GUI-vil does not target specific organizations; it attacks any organization whose compromised credentials it can discover. Exploitation of cloud resources can also lead to significant financial losses for victims: the profit GUI-vil makes from crypto mining often pales in comparison to the extra compute charges a victim incurs from the illicit EC2 instances.

What are the Recommendations?

Enterprotect recommends the following measures to prevent and protect against cloud-based threat actors:

  1. Establish Strong Authentication Mechanisms: Implement strong authentication mechanisms, such as multi-factor authentication (MFA), to add an extra layer of security. Enforce least privilege access controls to restrict user permissions to the minimum necessary level. Regularly review and update security policies and procedures to maintain a robust security posture.

  2. Conduct Regular Audits and Assessments: Perform regular audits and assessments of your cloud environments to identify and remediate misconfigurations or unknown instances. This proactive approach helps in identifying potential vulnerabilities and addressing them promptly.

  3. Keep GitLab Up to Date: If you use GitLab, ensure that your instance is fully up to date with the latest security patches. Keeping your software up to date helps protect against known vulnerabilities that threat actors may exploit.

  4. Protect AWS Keys/Credentials: Avoid storing AWS keys or credentials in publicly available resources. Instead, store them securely using appropriate key management solutions. This mitigates the risk of unauthorized access and potential misuse of sensitive credentials.

  5. Implement Security Monitoring and Incident Response: Deploy a comprehensive security monitoring solution like Enterprotect 360 to detect and respond to potential threats in real-time.
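As an added example that is not part of this advisory, the following Python script applies the monitoring recommendation above to CloudTrail records: it flags CreateLoginProfile and CreateUser calls (the persistence technique described earlier) and RunInstances calls made from an S3 Browser user agent. The sample records are constructed, and the exact user-agent string S3 Browser sends is an assumption to be checked against your own logs.

```python
import json

# Constructed CloudTrail-style records (sample data, not from a real account).
# Field names follow the CloudTrail JSON record format.
S3B = "S3 Browser 9.5.5 https://s3browser.com"  # assumed user-agent form; verify in your logs
CLI = "aws-cli/2.11.0 Python/3.11"
SUSPECT_AGENT = "S3 Browser"  # substring match keeps the rule robust to version changes


def _ev(name, actor, agent, **params):
    return {"eventName": name, "userIdentity": {"userName": actor},
            "userAgent": agent, "requestParameters": params}


SAMPLE_EVENTS = [
    _ev("CreateLoginProfile", "ci-deploy", S3B, userName="svc-backup"),
    _ev("RunInstances", "svc-backup", S3B, instanceType="p3.16xlarge"),
    _ev("CreateUser", "svc-backup", S3B, userName="svc-backup2"),
    _ev("DescribeInstances", "alice", CLI),
]


def load_cloudtrail_file(path):
    """Load a CloudTrail log file (a JSON object with a 'Records' list)."""
    with open(path) as fh:
        return json.load(fh).get("Records", [])


def analyze_events(events):
    """Return one finding dict per record that matches a GUI-vil style TTP."""
    findings = []
    for ev in events:
        name = ev.get("eventName")
        actor = ev.get("userIdentity", {}).get("userName", "?")
        params = ev.get("requestParameters") or {}
        suspect_tool = SUSPECT_AGENT in ev.get("userAgent", "")
        if name == "CreateLoginProfile":      # console password added to an IAM user
            rule, detail = "login-profile-added", params.get("userName")
        elif name == "CreateUser":            # new IAM user, possibly mimicking naming convention
            rule, detail = "iam-user-created", params.get("userName")
        elif name == "RunInstances" and suspect_tool:  # EC2 launch from an S3 client
            rule, detail = "ec2-launch-via-s3-browser", params.get("instanceType")
        elif suspect_tool:                    # any other call from the suspect tool
            rule, detail = "s3-browser-user-agent", name
        else:
            continue
        findings.append({"rule": rule, "actor": actor, "detail": detail,
                         "suspect_tool": suspect_tool})
    return findings


if __name__ == "__main__":
    for finding in analyze_events(SAMPLE_EVENTS):
        print(json.dumps(finding))
```

Review CreateUser and CreateLoginProfile findings against your IAM change process, and treat an EC2 launch from an S3 Browser user agent as high priority.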
