AWS Cryptojacking Worm Spreads Through the Cloud (Security News, August 2020)
A cryptomining worm from the group known as TeamTNT is spreading through the Amazon Web Services cloud and collecting credentials.
Attacking AWS. The attack starts by targeting the way AWS stores credentials: in an unencrypted file at ~/.aws/credentials, with additional configuration details in a file at ~/.aws/config.
"The code to steal AWS credentials is relatively straightforward - on execution it uploads the default AWS credentials and config files to the attackers' server, sayhi.bplace[.]net," researchers explained.
"Curl is used to send the AWS credentials to TeamTNT's server."
Cado researchers suggested that to thwart such attacks, businesses should identify which systems are storing AWS credential files and delete them if they aren't needed.
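
One way to carry out the inventory step described above, as an added example that is not from the article or from Cado: a shell function that lists ~/.aws/credentials and ~/.aws/config files under the given home-directory roots and flags the ones most worth reviewing, without printing any key material. The function name, the 90-day staleness threshold and the output columns are assumptions.

```shell
#!/usr/bin/env bash
# Added example (not from the article): inventory AWS credential files.
# Prints one tab-separated line per file: path, owner, key type, profile
# count, findings. Key material is never printed.

STALE_DAYS=90   # assumption: files untouched this long are deletion candidates

audit_aws_creds() {
    local root f owner perms keytype profiles findings
    for root in "$@"; do
        [ -d "$root" ] || continue
        # Depth 3 covers <root>/<user>/.aws/<file>; <root> may itself be a home dir.
        find "$root" -maxdepth 3 -type f \
            \( -path '*/.aws/credentials' -o -path '*/.aws/config' \) \
            2>/dev/null || true
    done | sort | while IFS= read -r f; do
        owner=$(ls -ld "$f" | awk '{print $3}')
        perms=$(ls -ld "$f" | cut -c5-10)          # group + other permission bits
        profiles=$(grep -c '^\[' "$f" || true)     # number of [profile] sections

        # AKIA prefix = long-term IAM user key, ASIA prefix = temporary STS key.
        if grep -Eq 'aws_access_key_id[[:space:]]*=[[:space:]]*AKIA' "$f"; then
            keytype=long-term
        elif grep -Eq 'aws_access_key_id[[:space:]]*=[[:space:]]*ASIA' "$f"; then
            keytype=temporary
        else
            keytype=no-static-key
        fi

        findings=""
        if [ "$perms" != "------" ]; then
            findings="group/other-accessible"
        fi
        if [ -n "$(find "$f" -mtime +"$STALE_DAYS" 2>/dev/null)" ]; then
            findings="${findings:+$findings,}stale"
        fi
        printf '%s\t%s\t%s\t%s\t%s\n' \
            "$f" "$owner" "$keytype" "$profiles" "${findings:-ok}"
    done
}

# Run as: ./audit.sh /home /root   (does nothing when no roots are given)
if [ "$#" -gt 0 ]; then
    audit_aws_creds "$@"
fi
```

Files reported as `long-term` and `stale` are the first candidates for deletion; the file mode does not matter to code that already runs as the owning user, so removing unneeded files remains the actual fix.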