Crypto mining malware found on Amazon Web Services

Cryptocurrency mining malware was found on the Amazon Web Services Marketplace in the form of a Windows 2008 virtual server AMI.

The malware was found by Mitiga, an incident readiness and response company. The firm was examining the marketplace’s security on behalf of a financial institution.

Monero mining malware

In a blog post discussing the malware, Mitiga notes, “Mitiga’s security research team has identified an AWS Community AMI [Amazon Machine Instance] containing malicious code running an unidentified Monero crypto miner. We have concerns this may be a phenomenon, rather than an isolated occurrence.”

While this particular piece of malware was designed to mine Monero, Mitiga says a malicious AMI could also have been used for other nefarious purposes. The cybersecurity company says it could have been used to plant ransomware with a delayed trigger, or to plant a backdoor that could access the entire EC2 infrastructure of the victim’s Amazon Web Services account.

Mitiga notes, “We advise AWS customers running EC2 instances based on Community AMIs to either verify them, terminate them, or replace them with ones provided by an AWS trusted vendor.”

Use trusted sources

Mitiga stresses that users should exercise caution, because the crypto mining malware was not the result of an exploit or misconfiguration. It was already present on the EC2 instance from the initial setup.

Amazon has itself issued warnings to users about using trusted sources. The company has stated, “Amazon can’t vouch for the integrity or security of AMIs shared by other Amazon EC2 users. Therefore, you should treat shared AMIs as you would any foreign code that you might consider deploying in your own data center and perform the appropriate due diligence. We recommend that you get an AMI from a trusted source.”
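One way to start on the "verify" part of that advice is to list which running instances were launched from an AMI that is neither your own nor from a trusted vendor. The sketch below is an added example, not code from Mitiga or Amazon; it works on constructed data shaped like the JSON returned by `aws ec2 describe-instances` and `aws ec2 describe-images`, and the account ID and trusted-alias set are assumptions to replace with your own.

```python
# Added example. INSTANCES and IMAGES are constructed sample data shaped like
# the JSON output of `aws ec2 describe-instances` and `aws ec2 describe-images`.
ACCOUNT_ID = "111111111111"                      # assumption: your own account ID
TRUSTED_ALIASES = {"amazon", "aws-marketplace"}  # assumption: your trust policy

INSTANCES = {"Reservations": [{"Instances": [
    {"InstanceId": "i-0aaa", "ImageId": "ami-amazon01"},
    {"InstanceId": "i-0bbb", "ImageId": "ami-commun01"},
    {"InstanceId": "i-0ccc", "ImageId": "ami-self0001"},
    {"InstanceId": "i-0ddd", "ImageId": "ami-gone0001"},
]}]}
IMAGES = {"Images": [
    {"ImageId": "ami-amazon01", "OwnerId": "222222222222",
     "ImageOwnerAlias": "amazon", "Public": True},
    {"ImageId": "ami-commun01", "OwnerId": "333333333333", "Public": True},
    {"ImageId": "ami-self0001", "OwnerId": "111111111111", "Public": False},
]}

def classify(image, account_id, trusted_aliases):
    """Return a provenance label for one describe-images record (or None)."""
    if image is None:
        # AMI was deregistered or is no longer shared: provenance can't be checked.
        return "unverifiable"
    if image.get("OwnerId") == account_id:
        return "self"
    if image.get("ImageOwnerAlias") in trusted_aliases:
        return "trusted-vendor"
    # Public AMIs without a trusted owner alias are community AMIs.
    return "community" if image.get("Public") else "shared-private"

def audit(instances, images, account_id=ACCOUNT_ID, trusted_aliases=TRUSTED_ALIASES):
    """List (instance, AMI, label) for instances not built from a trusted AMI."""
    by_id = {img["ImageId"]: img for img in images.get("Images", [])}
    findings = []
    for reservation in instances.get("Reservations", []):
        for inst in reservation.get("Instances", []):
            label = classify(by_id.get(inst["ImageId"]), account_id, trusted_aliases)
            if label not in ("self", "trusted-vendor"):
                findings.append((inst["InstanceId"], inst["ImageId"], label))
    return findings

if __name__ == "__main__":
    for instance_id, image_id, label in audit(INSTANCES, IMAGES):
        print(f"{instance_id}\t{image_id}\t{label}")
```

Instances flagged `community`, `shared-private` or `unverifiable` are the ones to inspect, terminate, or rebuild from a trusted image.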

As for the malware found in the Amazon Web Services Marketplace, Mitiga concludes, “The ease of making malicious AMIs available for public use, in our opinion, warrants the rather dramatic advisory warning we are issuing.”
