Security News > 2021 > August > Splunk spots malware targeting Windows Server on AWS to mine Monero

Data analysis firm Splunk says it's found a resurgence of the Crypto botnet - malware that attacks virtual servers running Windows Server inside Amazon Web Services.

Splunk's Threat Research Team posted its analysis of the attack on Monday, suggesting it starts with a probe for Windows Server instances running on AWS, and seeks out those with remote desktop protocol enabled.

Once target VMs are identified, the attackers wheel out an old favourite: brute forcing passwords.

Splunk's security team noticed that one of the Monero wallets used in this campaign was also involved in a 2018 wave of attacks using the same Crypto botnet.

Splunk's advice for those hoping to avoid the attack is simple: stay up to date with patches, use strong passwords, and enable network-level authentication.

Windows admins will also know that RDP is not on by default, for good reasons - advice for those not wanting to avoid the attack is presumably to switch on RDP, use 'Admin/Passw0rd1234' as the login credentials and let 'er rip.

News URL

https://go.theregister.com/feed/www.theregister.com/2021/08/10/crypto_botnet_targets_windows_on_aws/