Indonesian Cybercriminals Exploit AWS for Profitable Crypto Mining Operations
Financially motivated Indonesian threat actors have been observed leveraging Amazon Web Services (AWS) Elastic Compute Cloud (EC2) instances to conduct illegal crypto mining operations.
Cloud security firm Permiso P0 Labs, which first detected the group in November 2021, has assigned it the moniker GUI-vil (pronounced Goo-ee-vil).
“The group displayed a preference for Graphical User Interface (GUI) tools, specifically the S3 Browser (version 9.5.5) for their initial operations,” the company said in a report shared with The Hacker News. “Once they gain access to the AWS Console, they perform their operations directly through the web browser.”
Attack chains mounted by GUI-vil rely on initial access obtained either by harvesting AWS keys exposed in public source code repositories on GitHub or by scanning for GitLab instances vulnerable to remote code execution flaws (e.g., CVE-2021-22205).
A successful ingress is followed by privilege escalation and internal reconnaissance to enumerate all available S3 buckets and determine which services are reachable through the AWS web console.
A notable aspect of the threat actor’s modus operandi is its attempt to blend in and persist in the victim’s environment by creating new users that conform to the organization’s existing naming conventions while ultimately serving the attacker’s purpose.
“GUI-vils will also generate an access key for the new identity they create so they can continue to use S3 Browser with these new users,” the company explains.
Alternatively, the group has also been observed creating login profiles for legacy users that lack one, allowing access to the AWS console without raising any red flags.
The GUI-vil link to Indonesia stems from the fact that the source IP address associated with the activity is tied to two Autonomous System Numbers (ASNs) located in the Southeast Asian country.
“The main mission of the group, driven financially, is to create EC2 instances to facilitate their crypto mining activities,” said the researchers. “In many cases, the profit they earn from crypto mining is only a fraction of what the victim organization pays to run an EC2 instance.”
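As an added illustration (not from the Permiso report or from The Hacker News), the following Python sketch flags the tradecraft described above in an ordered batch of CloudTrail records: the S3 Browser user agent, an access key minted for a freshly created user, a login profile added to a pre-existing user, and an EC2 launch by an identity that just altered IAM. The event records, the `detect_guivil_activity` function and the S3 Browser user-agent marker are constructed assumptions for this example.

```python
"""Flag CloudTrail events matching the GUI-vil tradecraft described in the article."""
from collections import defaultdict

# Constructed sample CloudTrail records (invented values, abbreviated schema).
SAMPLE_EVENTS = [
    {"eventName": "ListBuckets", "userAgent": "S3 Browser 9.5.5",
     "userIdentity": {"arn": "arn:aws:iam::111122223333:user/svc-backup"},
     "requestParameters": {}},
    {"eventName": "CreateUser", "userAgent": "console.amazonaws.com",
     "userIdentity": {"arn": "arn:aws:iam::111122223333:user/svc-backup"},
     "requestParameters": {"userName": "svc-backup2"}},
    {"eventName": "CreateAccessKey", "userAgent": "console.amazonaws.com",
     "userIdentity": {"arn": "arn:aws:iam::111122223333:user/svc-backup"},
     "requestParameters": {"userName": "svc-backup2"}},
    {"eventName": "CreateLoginProfile", "userAgent": "console.amazonaws.com",
     "userIdentity": {"arn": "arn:aws:iam::111122223333:user/svc-backup"},
     "requestParameters": {"userName": "legacy-reporting"}},
    {"eventName": "RunInstances", "userAgent": "console.amazonaws.com",
     "userIdentity": {"arn": "arn:aws:iam::111122223333:user/svc-backup"},
     "requestParameters": {}},
]

S3_BROWSER_MARKER = "S3 Browser"  # assumed user-agent substring of the GUI tool named above


def detect_guivil_activity(events):
    """Return (rule, actor, detail) findings for one ordered batch of events."""
    findings = []
    created_by = defaultdict(set)  # actor ARN -> users that actor created in this batch
    iam_changed_by = set()         # actors that created users, keys or login profiles
    for ev in events:
        actor = ev.get("userIdentity", {}).get("arn", "<unknown>")
        name = ev.get("eventName")
        target = ev.get("requestParameters", {}).get("userName")
        if S3_BROWSER_MARKER in ev.get("userAgent", ""):
            findings.append(("s3_browser_user_agent", actor, ev["userAgent"]))
        if name == "CreateUser" and target:
            created_by[actor].add(target)
            iam_changed_by.add(actor)
        elif name == "CreateAccessKey" and target:
            iam_changed_by.add(actor)
            if target in created_by[actor]:  # key for a user the same actor just created
                findings.append(("access_key_for_new_user", actor, target))
        elif name == "CreateLoginProfile" and target:
            iam_changed_by.add(actor)
            if target not in created_by[actor]:  # console password for a pre-existing user
                findings.append(("login_profile_for_existing_user", actor, target))
        elif name == "RunInstances" and actor in iam_changed_by:
            findings.append(("ec2_launch_after_iam_change", actor, name))
    return findings


if __name__ == "__main__":
    for finding in detect_guivil_activity(SAMPLE_EVENTS):
        print(finding)
```

Real CloudTrail batches should be sorted by `eventTime` before being passed in, since the rules depend on event order within a session.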