We spotted a new #AWS coin mining attack this weekend. Here are some of the interesting observations 🔎🔎🔎

📍Attacker had root access
📍Spun up 10 c5.4xlarge EC2s
📍Brought their own SSH keys 👀
📍Bot framework written in Golang

More tidbits 👇
It's entirely possible that the root access key was scraped and passed off to the bot to spin up miners right before this was detected, but we didn't see any CLI, console or other interactive activity, fortunately.
Attacker definitely wasn't worried about setting off any sort of billing/performance alarms given the size of these EC2s 😬
This was the first time we saw an attacker bring their own SSH key pairs that were uniquely named. Usually we see these generated in the bot automation run.
The coin miner was likely installed via SSH remote access (as a part of the bot). We didn't have local EC2 visibility to confirm, but an ingress rule was created in the bot automation to allow SSH from the interwebs.
This was also the first time we'd observed a bot written with the AWS Golang SDK. This is interesting because, as defenders, it's easy to suppress alerts based on UAs, particularly SDKs we don't expect to be used in attacks. Also, because python 🐍
This was particularly nifty from a detection standpoint because we saw the SSH key pair imports from suspicious IPs (custom detection) followed by a bunch of AWS GuardDuty coinminer alerts.
We usually expect coin miners in AWS to be the result of some web app compromise rather than an AWS control plane compromise, so getting both API alerts and EC2 alerts and correlating them is cool.
While this was just a coin miner, it was still root key exposure. Could have been pretty gnarly.

tl;dr - Protect your AWS secrets!
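The detection the thread describes, as an added example that is not part of the original thread: each CloudTrail record is scored on the observations above (root identity, SSH key import from an IP outside an allowlist, SSH ingress opened to the world, a large multi-instance launch, an unexpected user agent such as the Go SDK), then the three staging steps are correlated by source IP. The trusted IP set, the expected user-agent prefixes and the sample records are constructed assumptions, not real telemetry.

```python
# Triage of constructed CloudTrail records for the staging pattern described in the thread.
from datetime import datetime, timedelta
TRUSTED_IPS = {"203.0.113.5"}  # assumption: the org's known egress IPs
EXPECTED_UA_PREFIXES = ("aws-cli/", "console.amazonaws.com", "Boto3/")  # assumption
STAGING_STEPS = {"ImportKeyPair", "AuthorizeSecurityGroupIngress", "RunInstances"}
GO_UA = "aws-sdk-go/1.38.0 (go1.16; linux; amd64)"  # constructed Go SDK user agent
SAMPLE_EVENTS = [  # constructed records in CloudTrail's layout (not real telemetry)
    {"eventTime": "2021-05-01T03:10:00Z", "eventName": "ImportKeyPair", "userAgent": GO_UA,
     "sourceIPAddress": "198.51.100.7", "userIdentity": {"type": "Root"},
     "requestParameters": {"keyName": "bot-key-1"}},
    {"eventTime": "2021-05-01T03:11:00Z", "eventName": "AuthorizeSecurityGroupIngress",
     "userAgent": GO_UA, "sourceIPAddress": "198.51.100.7", "userIdentity": {"type": "Root"},
     "requestParameters": {"ipPermissions": {"items": [{"fromPort": 22, "toPort": 22,
                           "ipRanges": {"items": [{"cidrIp": "0.0.0.0/0"}]}}]}}},
    {"eventTime": "2021-05-01T03:12:00Z", "eventName": "RunInstances", "userAgent": GO_UA,
     "sourceIPAddress": "198.51.100.7", "userIdentity": {"type": "Root"},
     "requestParameters": {"instanceType": "c5.4xlarge",
                           "instancesSet": {"items": [{"minCount": 10, "maxCount": 10}]}}},
    {"eventTime": "2021-05-01T09:00:00Z", "eventName": "DescribeInstances", "userAgent": "aws-cli/2.1.0",
     "sourceIPAddress": "203.0.113.5", "userIdentity": {"type": "IAMUser"}, "requestParameters": {}},
]

def _ssh_open_to_world(params):
    """True if any rule in the request covers TCP/22 from 0.0.0.0/0."""
    return any(perm.get("fromPort", 0) <= 22 <= perm.get("toPort", 0)
               and any(r.get("cidrIp") == "0.0.0.0/0" for r in perm.get("ipRanges", {}).get("items", []))
               for perm in params.get("ipPermissions", {}).get("items", []))

def flag_event(ev):
    """Per-event findings; an empty list means nothing in the event stood out."""
    p, name = ev.get("requestParameters") or {}, ev["eventName"]
    size = p.get("instanceType", "").split(".")[-1]  # "4xlarge" from "c5.4xlarge"
    count = sum(i.get("maxCount", 1) for i in p.get("instancesSet", {}).get("items", []))
    checks = [
        ("root-api-call", ev["userIdentity"].get("type") == "Root"),
        ("unexpected-user-agent", not ev["userAgent"].startswith(EXPECTED_UA_PREFIXES)),
        ("keypair-import-untrusted-ip", name == "ImportKeyPair" and ev["sourceIPAddress"] not in TRUSTED_IPS),
        ("ssh-open-to-world", name == "AuthorizeSecurityGroupIngress" and _ssh_open_to_world(p)),
        ("large-instance-launch", name == "RunInstances"
         and (size == "metal" or count >= 5 or (size.endswith("xlarge") and size != "xlarge"))),
    ]
    return [label for label, hit in checks if hit]

def correlate(events, window_minutes=30):
    """Source IPs from which all three staging steps were seen within the window."""
    by_ip = {}
    for ev in events:
        if ev["eventName"] in STAGING_STEPS:
            t = datetime.strptime(ev["eventTime"], "%Y-%m-%dT%H:%M:%SZ")
            by_ip.setdefault(ev["sourceIPAddress"], {})[ev["eventName"]] = t
    return sorted(ip for ip, seen in by_ip.items() if seen.keys() == STAGING_STEPS
                  and max(seen.values()) - min(seen.values()) <= timedelta(minutes=window_minutes))
```

Running `flag_event` over the samples gives three root-plus-Go-SDK findings and an empty list for the CLI call, and `correlate(SAMPLE_EVENTS)` returns the one IP that imported a key, opened SSH and launched instances within minutes.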
Keep Current with Anthony Randazzo