
Updated cryptojacking worm steals AWS credentials
2020-08-18 11:56

A malicious cryptocurrency miner and DDoS worm that has been targeting Docker systems for months now also steals Amazon Web Services credentials.

The worm still scans for open Docker APIs, then spins up Docker images and installs itself in a new container, but it now also searches for exploitable Kubernetes systems and for files containing AWS credentials and configuration details, in case the compromised systems run on AWS infrastructure.

Are the attackers using the stolen credentials or are they selling them? The researchers tried to find out by sending "Canary" AWS keys to TeamTNT's servers, but they haven't been used yet.

Identify systems that are storing AWS credential files and delete them if they aren't needed.

Review any connections sending the AWS credentials file over HTTP.
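One way to carry out the first recommendation above, as an added example that is not from the article or the researchers: a Python audit that lists which profiles store static access keys in the default AWS CLI/SDK files under each home directory. The `/home` and `/root` roots and the function names are assumptions; adjust them for your hosts.

```python
import configparser
import os
import stat
from pathlib import Path

# Default files read by the AWS CLI and SDKs, relative to a home directory.
AWS_FILES = (".aws/credentials", ".aws/config")


def audit_file(path):
    """Return one finding per profile in `path` that stores a static access key."""
    parser = configparser.RawConfigParser()  # raw: secrets may contain '%'
    try:
        with open(path) as handle:
            parser.read_file(handle)
    except configparser.Error:
        return [{"path": str(path), "issue": "unparseable"}]
    mode = stat.S_IMODE(os.stat(path).st_mode)
    findings = []
    for profile in parser.sections():
        key_id = parser.get(profile, "aws_access_key_id", fallback="")
        if key_id:
            findings.append({
                "path": str(path), "profile": profile,
                "long_term": key_id.startswith("AKIA"),  # ASIA = temporary STS key
                "other_readable": bool(mode & (stat.S_IRGRP | stat.S_IROTH)),
            })
    return findings


def audit_homes(home_roots):
    """Treat each root, and each directory directly under it, as a home directory."""
    findings = []
    for root in map(Path, home_roots):
        try:
            homes = [root, *(p for p in root.iterdir() if p.is_dir())]
        except OSError:
            continue  # root is missing or not listable by this user
        for home in homes:
            for rel in AWS_FILES:
                try:
                    if (home / rel).is_file():
                        findings.extend(audit_file(home / rel))
                except PermissionError:
                    findings.append({"path": str(home / rel), "issue": "unreadable"})
    return findings


if __name__ == "__main__":
    print(*audit_homes(["/home", "/root"]), sep="\n")  # assumed home roots
```

Findings carry only the file path, profile name, key type and permission flag, never the key itself, so the output can be collected centrally when deciding which files to delete.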


News URL

http://feedproxy.google.com/~r/HelpNetSecurity/~3/2SIdar--uBA/