Crypto crooks co-opt stolen AWS creds to mine coins

Your AWS account could be quietly running someone else's cryptominer. Cryptocurrency thieves are using stolen Amazon account credentials to mine for coins at the expense of AWS customers, abusing their Elastic Container Service (ECS) and their Elastic Compute Cloud (EC2) resources, in an ongoing operation that started on November 2.

The illicit cryptocurrency-mining campaign abuses compromised valid AWS Identity and Access Management (IAM) credentials with "admin-like privileges" - it doesn't exploit a vulnerability - and then uses this access to deploy a SBRMiner-MULTI on ECS and EC2, Amazon security engineer Kyle Koeller said in a blog this week.

"Within 10 minutes of the threat actor gaining initial access, crypto miners were operational," Koeller wrote.

Amazon's GuardDuty threat detection service spotted the cryptomining operation in a handful of customer accounts and alerted customers, we're told. 

After the crooks obtained the compromised AWS credentials, they checked EC2 service quotas to ...