AWS Cryptomining
Detection overview
The AWS Cryptomining detection identifies suspicious activity where unauthorized instances are used for cryptomining on AWS infrastructure. Cryptomining activity within an AWS account generally indicates that an attacker has gained access to launch high-powered EC2 instances for computationally intensive mining tasks, often incurring high operational costs to the account owner.
Triggers
- Using a compromised EC2 instance token, multiple high-powered EC2 instances are started.
Possible Root Causes
- An attacker is leveraging a compromised EC2 instance and/or token to create powerful EC2 instances for use in cryptomining.
- Internal infrastructure and applications are configured to create highly powered EC2 instances to enable compute intensive operations to occur in support of that application.
Business Impact
- High powered EC2 instances utilized for cryptomining result in significant costs billed to the organization that owns the AWS account.
Steps to Verify
- Investigate the source of the EC2 instances being started to determine if this resource should be creating new, high-powered, EC2 instances.
- Investigate the newly created EC2 instances to determine their purpose and ensure they are not malicious.
- If review indicates possible malicious actions, perform a comprehensive investigation to determine initial source of EC2 compromise, remove EC2 access and remediate compromised resources and accounts.
AWS Cryptomining
Possible root causes
Malicious Detection
Attackers may exploit compromised EC2 instances to perform cryptomining operations, leveraging the AWS account's computational resources for financial gain. Using stolen or misused credentials, attackers can deploy high-powered instances, incurring significant costs that impact the AWS account holder.
Benign Detection
Cryptomining tasks may sometimes be mistakenly launched by an authorized application configured to initiate compute-intensive operations in support of legitimate cloud processes. However, such tasks typically align with approved operational needs and do not lead to unauthorized instance launches.
AWS Cryptomining
Example scenarios
Compromised Credentials Leading to Cryptomining
An attacker gains access to an AWS environment using exposed access keys found on a public code repository. The attacker quickly spins up several high-powered EC2 instances to run cryptomining software, consuming large amounts of computational resources and significantly increasing the AWS bill. Security teams notice this through an unexpected rise in resource usage and cost alerts, prompting them to investigate and terminate the unauthorized instances.
Misconfigured IAM Permissions Allowing Unintended Instance Usage
A development team inadvertently grants excessive permissions to a service role, allowing it to launch instances at a higher power level than required. A cryptomining script is mistakenly deployed as part of an internal test, consuming extensive AWS resources. The security team detects the unusual behavior through the Vectra detection, reviews the IAM permissions, and revokes unneeded privileges to prevent similar incidents in the future.
AWS Cryptomining
Business impact
If this detection indicates a genuine threat, the organization faces significant risks:
Increased operational costs
Unauthorized cryptomining consumes high levels of computational resources, driving up unexpected AWS costs that can severely impact budgets.
Resource depletion
Cryptomining can exhaust allocated resources, affecting availability and performance for legitimate business applications running in the same environment.
Security vulnerability exposure
Unauthorized cryptomining often results from compromised credentials, exposing gaps in security controls and potentially increasing the risk of further exploitation.
AWS Cryptomining
Steps to investigate
Source Verification
Check the origin of the EC2 instances and confirm whether they are authorized to create high-powered instances.
Instance Purpose
Investigate the activities and configurations of newly launched EC2 instances to ensure they serve approved functions.
Mitigation
If unauthorized cryptomining is confirmed, disable the compromised credentials and investigate the source of access. This may include restricting EC2 permissions or setting budget alerts to catch unusual spending early.
AWS Cryptomining
Related detections
No items found.
FAQs
What does this detection signify?
This detection indicates potentially unauthorized cryptomining activity on AWS, likely due to compromised credentials or misconfigurations.
How does Vectra AI detect cryptomining?
Vectra monitors resource-intensive activities and unusual instance launches, particularly those deviating from normal usage patterns, to identify cryptomining behaviors.
Could legitimate applications trigger this detection?
Legitimate applications may trigger it if they require high computational power; however, authorized tasks generally match expected usage and align with business needs.
What should I do if I confirm malicious cryptomining?
Disable any compromised credentials, investigate the source, and terminate unauthorized instances to prevent further unauthorized expenses.
How can I prevent cryptomining attacks?
Use least-privilege access for AWS credentials, regularly review IAM permissions, and enable cost alerts to monitor abnormal spending.
Can budget alerts help with early detection?
Yes, budget alerts provide an early warning when account spending exceeds typical limits, helping to quickly identify unauthorized cryptomining.
What are common signs of cryptomining in AWS?
High-powered EC2 instance launches and unexpectedly high billing are indicators, often coupled with abnormal compute and network usage.
Could this affect service availability?
Yes, unauthorized instances could exhaust resource quotas, impacting the availability of legitimate services.
How does cryptomining impact business costs?
It leads to unexpected, sometimes extreme costs due to the high-power consumption required by mining software.
Are there specific logs to check for this detection?
Reviewing CloudTrail and billing logs provides insights into instance creation, credential usage, and billing spikes related to cryptomining.