Introducing new Vectra AI Platform coverage for Copilot and Microsoft Azure

Vectra AI Japan、ITR発行の最新レポート内「NDR市場」にて国内トップシェアを獲得
詳細を見る
Hamburger icon top line
Hamburger icon middle line
Hamburger icon bottom line
Back to all detections

AWS Cryptomining

AWS Cryptomining
Overview
Possible Root Causes
Example Scenarios
Business Impact
Steps to Investigate
MITRE ATT&CK Techniques
Related Detections
FAQ

Detection overview

The AWS Cryptomining detection identifies suspicious activity where unauthorized instances are used for cryptomining on AWS infrastructure. Cryptomining activity within an AWS account generally indicates that an attacker has gained access to launch high-powered EC2 instances for computationally intensive mining tasks, often incurring high operational costs to the account owner.

Triggers

  • Using a compromised EC2 instance token, multiple high-powered EC2 instances are started.

Possible Root Causes

  • An attacker is leveraging a compromised EC2 instance and/or token to create powerful EC2 instances for use in cryptomining.
  • Internal infrastructure and applications are configured to create highly powered EC2 instances to enable compute intensive operations to occur in support of that application.

Business Impact

  • High powered EC2 instances utilized for cryptomining result in significant costs billed to the organization that owns the AWS account.

Steps to Verify

  • Investigate the source of the EC2 instances being started to determine if this resource should be creating new, high-powered, EC2 instances.
  • Investigate the newly created EC2 instances to determine their purpose and ensure they are not malicious.
  • If review indicates possible malicious actions, perform a comprehensive investigation to determine initial source of EC2 compromise, remove EC2 access and remediate compromised resources and accounts.
AWS Cryptomining

Possible root causes

Malicious Detection

Attackers may exploit compromised EC2 instances to perform cryptomining operations, leveraging the AWS account's computational resources for financial gain. Using stolen or misused credentials, attackers can deploy high-powered instances, incurring significant costs that impact the AWS account holder.

Benign Detection

Cryptomining tasks may sometimes be mistakenly launched by an authorized application configured to initiate compute-intensive operations in support of legitimate cloud processes. However, such tasks typically align with approved operational needs and do not lead to unauthorized instance launches.

AWS Cryptomining

Example scenarios

Compromised Credentials Leading to Cryptomining

An attacker gains access to an AWS environment using exposed access keys found on a public code repository. The attacker quickly spins up several high-powered EC2 instances to run cryptomining software, consuming large amounts of computational resources and significantly increasing the AWS bill. Security teams notice this through an unexpected rise in resource usage and cost alerts, prompting them to investigate and terminate the unauthorized instances.

Misconfigured IAM Permissions Allowing Unintended Instance Usage

A development team inadvertently grants excessive permissions to a service role, allowing it to launch instances at a higher power level than required. A cryptomining script is mistakenly deployed as part of an internal test, consuming extensive AWS resources. The security team detects the unusual behavior through the Vectra detection, reviews the IAM permissions, and revokes unneeded privileges to prevent similar incidents in the future.

AWS Cryptomining

Business impact

If this detection indicates a genuine threat, the organization faces significant risks:

Increased operational costs

Unauthorized cryptomining consumes high levels of computational resources, driving up unexpected AWS costs that can severely impact budgets.

Resource depletion

Cryptomining can exhaust allocated resources, affecting availability and performance for legitimate business applications running in the same environment.

Security vulnerability exposure

Unauthorized cryptomining often results from compromised credentials, exposing gaps in security controls and potentially increasing the risk of further exploitation.

AWS Cryptomining

Steps to investigate

Source Verification

Check the origin of the EC2 instances and confirm whether they are authorized to create high-powered instances.

Instance Purpose

Investigate the activities and configurations of newly launched EC2 instances to ensure they serve approved functions.

Mitigation

If unauthorized cryptomining is confirmed, disable the compromised credentials and investigate the source of access. This may include restricting EC2 permissions or setting budget alerts to catch unusual spending early.

AWS Cryptomining

MITRE ATT&CK techniques covered

Resource Hijacking

T1496
AWS Cryptomining

Related detections

No items found.

See our detections in action

Our interactive demo provides a deep dive into the advanced capabilities of our cybersecurity platform, showcasing real-time detection, comprehensive analysis, and proactive threat mitigation.

Don't just read about the possibilities – experience them.

Launch the free tour
Ask for a custom demo

FAQs

What does this detection signify?

This detection indicates potentially unauthorized cryptomining activity on AWS, likely due to compromised credentials or misconfigurations.

Could legitimate applications trigger this detection?

Legitimate applications may trigger it if they require high computational power; however, authorized tasks generally match expected usage and align with business needs.

How can I prevent cryptomining attacks?

Use least-privilege access for AWS credentials, regularly review IAM permissions, and enable cost alerts to monitor abnormal spending.

What are common signs of cryptomining in AWS?

High-powered EC2 instance launches and unexpectedly high billing are indicators, often coupled with abnormal compute and network usage.

How does cryptomining impact business costs?

It leads to unexpected, sometimes extreme costs due to the high-power consumption required by mining software.

How does Vectra AI detect cryptomining?

Vectra monitors resource-intensive activities and unusual instance launches, particularly those deviating from normal usage patterns, to identify cryptomining behaviors.

What should I do if I confirm malicious cryptomining?

Disable any compromised credentials, investigate the source, and terminate unauthorized instances to prevent further unauthorized expenses.

Can budget alerts help with early detection?

Yes, budget alerts provide an early warning when account spending exceeds typical limits, helping to quickly identify unauthorized cryptomining.

Could this affect service availability?

Yes, unauthorized instances could exhaust resource quotas, impacting the availability of legitimate services.

Are there specific logs to check for this detection?

Reviewing CloudTrail and billing logs provides insights into instance creation, credential usage, and billing spikes related to cryptomining.