Indonesian Cybercriminals Exploit AWS for Profitable Crypto Mining Operations

A financially motivated threat actor of Indonesian origin has been observed leveraging Amazon Web Services Elastic Compute Cloud instances to carry out illicit crypto mining operations.
Cloud security company Permiso's P0 Labs, which first detected the group in November 2021, has assigned it the moniker GUI-vil.
"Upon gaining AWS Console access, they conduct their operations directly through the web browser."
Attack chains mounted by GUI-vil entail obtaining initial access by weaponizing AWS keys in publicly exposed source code repositories on GitHub or scanning for GitLab instances that are vulnerable to remote code execution flaws.
The group has also been spotted creating login profiles for existing users that do not have them so as to enable access to the AWS console without raising red flags.
"The group's primary mission, financially driven, is to create EC2 instances to facilitate their crypto mining activities," researchers said.
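A defender can look for the login-profile behaviour described above in CloudTrail. The following is an added example, not code from Permiso or the original article: it flags successful CreateLoginProfile calls for users that were not created in the same log window, then notes any console login and RunInstances activity by that user. The sample records, user names and the function name are constructed for illustration, and "existing user" is approximated as "no CreateUser event in the window".

```python
import json

# Constructed CloudTrail records (illustrative, not from the report).
SAMPLE_EVENTS = json.loads("""[
{"eventTime":"2023-05-01T09:00:00Z","eventName":"CreateUser","userIdentity":{"userName":"admin"},"requestParameters":{"userName":"new-hire"}},
{"eventTime":"2023-05-01T09:01:00Z","eventName":"CreateLoginProfile","userIdentity":{"userName":"admin"},"requestParameters":{"userName":"new-hire"},"sourceIPAddress":"198.51.100.7"},
{"eventTime":"2023-05-02T02:10:00Z","eventName":"CreateLoginProfile","userIdentity":{"userName":"ci-deploy"},"requestParameters":{"userName":"svc-backup"},"sourceIPAddress":"203.0.113.50"},
{"eventTime":"2023-05-02T02:12:00Z","eventName":"ConsoleLogin","userIdentity":{"userName":"svc-backup"},"responseElements":{"ConsoleLogin":"Success"},"sourceIPAddress":"203.0.113.50"},
{"eventTime":"2023-05-02T02:20:00Z","eventName":"RunInstances","userIdentity":{"userName":"svc-backup"},"sourceIPAddress":"203.0.113.50"},
{"eventTime":"2023-05-02T02:21:00Z","eventName":"RunInstances","userIdentity":{"userName":"svc-backup"},"sourceIPAddress":"203.0.113.50"},
{"eventTime":"2023-05-02T03:00:00Z","eventName":"CreateLoginProfile","userIdentity":{"userName":"ci-deploy"},"requestParameters":{"userName":"svc-logs"},"errorCode":"AccessDenied"}
]""")


def find_retrofitted_login_profiles(events):
    """Return {user: details} for console passwords added to pre-existing IAM users."""
    created_in_window = set()   # users whose CreateUser event we saw (normal onboarding)
    findings = {}
    # ISO 8601 UTC timestamps in one format sort correctly as strings.
    for ev in sorted(events, key=lambda e: e["eventTime"]):
        if ev.get("errorCode"):          # failed calls changed nothing
            continue
        name = ev.get("eventName")
        actor = (ev.get("userIdentity") or {}).get("userName")
        target = (ev.get("requestParameters") or {}).get("userName")
        if name == "CreateUser":
            created_in_window.add(target)
        elif name == "CreateLoginProfile" and target not in created_in_window:
            findings[target] = {
                "created_by": actor,
                "time": ev["eventTime"],
                "source_ip": ev.get("sourceIPAddress"),
                "console_login": False,
                "run_instances": 0,
            }
        elif name == "ConsoleLogin" and actor in findings:
            if (ev.get("responseElements") or {}).get("ConsoleLogin") == "Success":
                findings[actor]["console_login"] = True
        elif name == "RunInstances" and actor in findings:
            findings[actor]["run_instances"] += 1
    return findings


if __name__ == "__main__":
    for user, detail in find_retrofitted_login_profiles(SAMPLE_EVENTS).items():
        print(user, detail)
```

A finding with a console login and EC2 launches shortly after the profile was created is the highest-priority case to review.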
News URL
https://thehackernews.com/2023/05/indonesian-cybercriminals-exploit-aws.html