Facebook Twitter Instagram
    • Privacy Policy
    • Contact Us
    Facebook Twitter Instagram Pinterest Vimeo
    AI Home SecurityAI Home Security
    • Home
    • Home Security
    • Cyber Security
    • Biometric Technology
    Contact
    AI Home SecurityAI Home Security
    Cyber Security

    Indonesian Cybercriminals Exploit AWS for Profitable Crypto Mining Operations

    justmattgBy justmattgMay 22, 2023No Comments2 Mins Read

    [ad_1]

    May 22, 2023Ravie LakshmananCryptocurrency / Cloud Security

    Crypto Mining

    A financially motivated threat actor of Indonesian origin has been observed leveraging Amazon Web Services (AWS) Elastic Compute Cloud (EC2) instances to carry out illicit crypto mining operations.

    Cloud security company’s Permiso P0 Labs, which first detected the group in November 2021, has assigned it the moniker GUI-vil (pronounced Goo-ee-vil).

    “The group displays a preference for Graphical User Interface (GUI) tools, specifically S3 Browser (version 9.5.5) for their initial operations,” the company said in a report shared with The Hacker News. “Upon gaining AWS Console access, they conduct their operations directly through the web browser.”

    Attack chains mounted by GUI-vil entail obtaining initial access by weaponizing AWS keys in publicly exposed source code repositories on GitHub or scanning for GitLab instances that are vulnerable to remote code execution flaws (e.g., CVE-2021-22205).

    A successful ingress is followed by privilege escalation and an internal reconnaissance to review all available S3 buckets and determine the services that are accessible via the AWS web console.

    AWS Crypto Mining

    A notable aspect of the threat actor’s modus operandi is its attempt to blend in and persist within the victim environment by creating new users that conform to the same naming convention and ultimately meet its objectives.

    “GUI-vil will also create access keys for the new identities they are creating so they can continue usage of S3 Browser with these new users,” the company explained.

    UPCOMING WEBINAR

    Zero Trust + Deception: Learn How to Outsmart Attackers!

    Discover how Deception can detect advanced threats, stop lateral movement, and enhance your Zero Trust strategy. Join our insightful webinar!

    Save My Seat!

    Alternatively, the group has also been spotted creating login profiles for existing users that do not have them so as to enable access to the AWS console without raising red flags.

    GUI-vil’s links to Indonesia stem from the fact that the source IP addresses associated with the activities are linked to two Autonomous System Numbers (ASNs) located in the Southeast Asian country.

    “The group’s primary mission, financially driven, is to create EC2 instances to facilitate their crypto mining activities,” researchers said. “In many cases the profits they make from crypto mining are just a sliver of the expense the victim organizations have to pay for running the EC2 instances.”

    Found this article interesting? Follow us on Twitter  and LinkedIn to read more exclusive content we post.



    [ad_2]

    Source link

    Previous ArticleTrojan-Rigged Phishing Attacks Pepper China-Taiwan Conflict
    Next Article Improving Cybersecurity Requires Building Better Public-Private Cooperation
    justmattg
    • Website

    Related Posts

    Cyber Security

    Name That Toon: Last Line of Defense

    April 16, 2024
    Cyber Security

    OpenJS Foundation Targeted in Potential JavaScript Project Takeover Attempt

    April 16, 2024
    Cyber Security

    Middle East Cyber Ops Intensify, With Israel the Main Target

    April 16, 2024
    Add A Comment

    Leave A Reply Cancel Reply

    Facebook Twitter Instagram Pinterest
    • Privacy Policy
    • Contact Us
    AI Home Security © 2025 All rights reserved | Designed By ESmartsSolution

    Type above and press Enter to search. Press Esc to cancel.

    ↑