Cryptocurrency mining malware was found on the Amazon Web Services Marketplace in the form of a Windows 2008 virtual server AMI.
The malware was found by Mitiga, an incident readiness and response company. The firm was examining the marketplace’s security on behalf of a financial institution.
Monero mining malware
In a blog post discussing the malware, Mitiga notes, “Mitiga’s security research team has identified an AWS Community AMI [Amazon Machine Instance] containing malicious code running an unidentified Monero crypto miner. We have concerns this may be a phenomenon, rather than an isolated occurrence.”
While this particular piece of malware was designed to mine Monero, Mitiga says it could also have been used for other nefarious ends: planting ransomware with a delayed trigger, or planting a backdoor that could access the entire EC2 infrastructure of the victim’s Amazon Web Services account.
Mitiga notes, “We advise AWS customers running EC2 instances based on Community AMIs to either verify them, terminate them, or replace them with ones provided by an AWS trusted vendor.”
Use trusted sources
Mitiga stresses that users should exercise caution, because the crypto mining malware was not the result of an exploit or misconfiguration. It was present on the EC2 instance from the initial setup.
Amazon has itself issued warnings to users about using trusted sources. The company has stated, “Amazon can’t vouch for the integrity or security of AMIs shared by other Amazon EC2 users. Therefore, you should treat shared AMIs as you would any foreign code that you might consider deploying in your own data center and perform the appropriate due diligence. We recommend that you get an AMI from a trusted source.”
As for the malware found in the Amazon Web Services Marketplace, Mitiga concludes, “The ease of making malicious AMIs available for public use, in our opinion, warrants the rather dramatic advisory warning we are issuing.”
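One way to act on the advice to verify instances built from Community AMIs is to inventory which running instances come from an AMI whose owner you have not vetted. The sketch below is an added example, not code from Mitiga or AWS; it works on dictionaries shaped like the EC2 DescribeInstances and DescribeImages responses, and the trusted-owner sets, account numbers and resource IDs are constructed assumptions.

```python
# Added example: flag instances whose AMI owner is not on an allowlist.
# Input shape follows EC2 DescribeInstances / DescribeImages responses.
TRUSTED_ALIASES = {"amazon"}             # assumption: owner aliases you accept
TRUSTED_OWNER_IDS = {"111111111111"}     # assumption: your own account (constructed)


def classify_image(image):
    """Return 'trusted', 'community' or 'unresolved' for one Images entry."""
    if image is None:
        # AMI was deregistered or unshared, so its origin can no longer be checked.
        return "unresolved"
    if image.get("ImageOwnerAlias") in TRUSTED_ALIASES:
        return "trusted"
    if image.get("OwnerId") in TRUSTED_OWNER_IDS:
        return "trusted"
    return "community"


def audit_instances(instances_response, images_response):
    """Return one finding per instance whose AMI is not from a trusted owner."""
    images = {img["ImageId"]: img for img in images_response.get("Images", [])}
    findings = []
    for reservation in instances_response.get("Reservations", []):
        for inst in reservation.get("Instances", []):
            image = images.get(inst["ImageId"])
            verdict = classify_image(image)
            if verdict != "trusted":
                findings.append({
                    "InstanceId": inst["InstanceId"],
                    "ImageId": inst["ImageId"],
                    "OwnerId": image.get("OwnerId") if image else None,
                    "Verdict": verdict,
                })
    return findings


# Constructed sample data (not real resources).
SAMPLE_INSTANCES = {"Reservations": [{"Instances": [
    {"InstanceId": "i-0aaaaaaaaaaaaaaaa", "ImageId": "ami-0a"},
    {"InstanceId": "i-0bbbbbbbbbbbbbbbb", "ImageId": "ami-0b"},
    {"InstanceId": "i-0cccccccccccccccc", "ImageId": "ami-0c"},
    {"InstanceId": "i-0dddddddddddddddd", "ImageId": "ami-0d"}]}]}
SAMPLE_IMAGES = {"Images": [
    {"ImageId": "ami-0a", "OwnerId": "222222222222", "ImageOwnerAlias": "amazon"},
    {"ImageId": "ami-0b", "OwnerId": "111111111111", "Public": False},
    {"ImageId": "ami-0c", "OwnerId": "333333333333", "Public": True}]}

if __name__ == "__main__":
    for finding in audit_instances(SAMPLE_INSTANCES, SAMPLE_IMAGES):
        print(finding)
```

Instances reported as `unresolved` deserve the same attention as `community` ones, since a deregistered AMI leaves no owner record to check.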