Home Security Indonesian Cybercriminals Exploit AWS for Worthwhile Crypto Mining Operations

Indonesian Cybercriminals Exploit AWS for Worthwhile Crypto Mining Operations

by crpt os


May 22, 2023Ravie LakshmananCryptocurrency / Cloud Security

A financially motivated threat actor of Indonesian origin has been observed leveraging Amazon Web Services (AWS) Elastic Compute Cloud (EC2) instances to carry out illicit crypto mining operations.

Cloud security company’s Permiso P0 Labs, which first detected the group in November 2021, has assigned it the moniker GUI-vil (pronounced Goo-ee-vil).

“The group displays a preference for Graphical User Interface (GUI) tools, specifically S3 Browser (version 9.5.5) for their initial operations,” the company said in a report shared with The Hacker News. “Upon gaining AWS Console access, they conduct their operations directly through the web browser.”

Attack chains mounted by GUI-vil entail obtaining initial access by weaponizing AWS keys in publicly exposed source code repositories on GitHub or scanning for GitLab instances that are vulnerable to remote code execution flaws (e.g., CVE-2021-22205).

A successful ingress is followed by privilege escalation and an internal reconnaissance to review all available S3 buckets and determine the services that are accessible via the AWS web console.

AWS Crypto Mining

A notable aspect of the threat actor’s modus operandi is its attempt to blend in and persist within the victim environment by creating new users that conform to the same naming convention and ultimately meet its objectives.

“GUI-vil will also create access keys for the new identities they are creating so they can continue usage of S3 Browser with these new users,” the company explained.

UPCOMING WEBINAR

Zero Trust + Deception: Learn How to Outsmart Attackers!

Discover how Deception can detect advanced threats, stop lateral movement, and enhance your Zero Trust strategy. Join our insightful webinar!

Save My Seat!

Alternatively, the group has also been spotted creating login profiles for existing users that do not have them so as to enable access to the AWS console without raising red flags.

GUI-vil’s links to Indonesia stem from the fact that the source IP addresses associated with the activities are linked to two Autonomous System Numbers (ASNs) located in the Southeast Asian country.

“The group’s primary mission, financially driven, is to create EC2 instances to facilitate their crypto mining activities,” researchers said. “In many cases the profits they make from crypto mining are just a sliver of the expense the victim organizations have to pay for running the EC2 instances.”

Found this article interesting? Follow us on Twitter and LinkedIn to read more exclusive content we post.





Source link

Related Articles

xxxanti beeztube.mobi hot sexy mp4 menyoujan hentaitgp.net jason voorhees hentai indian soft core chupatube.net youjzz ez2 may 8 2023 pinoycinema.org ahensya ng pamahalaan pakistani chut ki chudai pimpmovs.com www xvedio dost ke papa zztube.mobi 300mbfilms.in صور مص الزب arabporna.net نهر العطش لمن تشعر بالحرمان movierulz plz.in bustyporntube.info how to make rangoli video 穂高ゆうき simozo.net 四十路五十路 ロシアav javvideos.net 君島みお 無修正 افلام سكس في المطبخ annarivas.net فيلم سكس قديم rashmi hot videos porncorn.info audiosexstories b grade latest nesaporn.pro high school girls sex videos real life cam eroebony.info painfull porn exbii adult pics teacherporntrends.com nepali school sex