Coordinated crypto mining hits EC2 and ECS via compromised IAM

Evgeny Anikiev · December 27, 2025 · FinOps, CyberSecurity

Crypto Miners Hit AWS EC2 & ECS Hard

AWS GuardDuty has exposed a live, coordinated cryptomining campaign that has been running since November 2. Here's what went down:

The Attack Chain:

Threat actors used compromised IAM credentials with admin-like privileges. They checked EC2 service quotas, probed their permissions with DryRun calls (a DryRun request returns a DryRunOperation error instead of doing anything, so it tells the caller whether the real call would be allowed without creating a single resource; sneaky), and then deployed miners across both EC2 and ECS Fargate.

Within 10 minutes of gaining access, crypto miners were already operational. The actors created 50+ ECS clusters and 14 auto scaling groups targeting GPU and ML instance families (g4dn, g5, p3, p4d), with capacity set as high as 999 instances per group.

The Persistence Hack:

Here's the kicker: the attackers called ModifyInstanceAttribute to set disableApiTermination to true (termination protection) on every instance. While that attribute is set, TerminateInstances fails for the instance, so your incident response team has to flip it back on each one before it can delete anything. Clever. Disruptive. Intentional.

The Indicators:

Watch for the Docker Hub image yenik65958/secret (taken down, but clones exist), Boto3 SDK user-agent strings in CloudTrail records, traffic to the domains asia[.]rplant[.]xyz, eu[.]rplant[.]xyz and na[.]rplant[.]xyz, and auto scaling group names matching SPOT-us-east-1-G*-* or OD-us-east-1-G*-*.
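The attack chain and the indicators above map directly onto CloudTrail fields, so they can be checked in code. What follows is an added example, not AWS's or GuardDuty's detection logic: it tags each CloudTrail record with the indicators it matches (a DryRun probe is logged with errorCode Client.DryRunOperation, termination protection shows up as requestParameters.disableApiTermination.value, the ASG name patterns and GPU families are the ones listed in this post) and then raises an alert for any principal whose deployment calls follow a DryRun probe within the ten-minute window the post describes. The sample events, account ID, ARNs, instance ID and user-agent string are constructed for illustration.

```python
"""Tag and correlate CloudTrail records for the EC2/ECS mining pattern above.

Added example; not GuardDuty's logic or AWS's code.  SAMPLE_EVENTS are constructed
and trimmed to the fields the rules read; account ID, ARNs and instance IDs are
made up.  Field names follow CloudTrail's record format.
"""
import fnmatch
from collections import defaultdict
from datetime import datetime, timedelta

# Indicators from the post: GPU/ML families, ASG name patterns, 999-instance groups.
GPU_FAMILIES = {"g4dn", "g5", "p3", "p4d"}
ASG_NAME_PATTERNS = ("SPOT-us-east-1-G*-*", "OD-us-east-1-G*-*")
DEPLOY_TAGS = {"gpu_launch", "asg_name_ioc", "asg_huge_max",
               "termination_protection_on", "ecs_cluster_create"}


def tag_event(ev):
    """Return the set of indicator tags one CloudTrail record matches."""
    tags = set()
    name = ev.get("eventName", "")
    params = ev.get("requestParameters") or {}
    # A DryRun call that would have been allowed is logged with this errorCode:
    # the caller learns the permission exists without creating anything.
    if ev.get("errorCode") == "Client.DryRunOperation":
        tags.add("dryrun_probe")
    if ev.get("userAgent", "").startswith("Boto3/"):
        tags.add("boto3_sdk")
    if "errorCode" in ev:            # failed/dry-run calls deployed nothing
        return tags
    if name == "ModifyInstanceAttribute":
        if (params.get("disableApiTermination") or {}).get("value") is True:
            tags.add("termination_protection_on")   # the persistence trick
    elif name == "RunInstances":
        if params.get("instanceType", "").split(".")[0] in GPU_FAMILIES:
            tags.add("gpu_launch")
    elif name == "CreateAutoScalingGroup":
        asg = params.get("autoScalingGroupName", "")
        if any(fnmatch.fnmatchcase(asg, p) for p in ASG_NAME_PATTERNS):
            tags.add("asg_name_ioc")
        if params.get("maxSize", 0) >= 999:
            tags.add("asg_huge_max")
    elif name == "CreateCluster" and ev.get("eventSource") == "ecs.amazonaws.com":
        tags.add("ecs_cluster_create")
    return tags


def correlate(events, window_minutes=10):
    """Flag principals whose deployment activity follows a DryRun probe within
    window_minutes; the post reports miners running within 10 minutes of access."""
    window = timedelta(minutes=window_minutes)
    by_principal = defaultdict(list)
    for ev in events:
        by_principal[ev.get("userIdentity", {}).get("arn", "unknown")].append(ev)
    alerts = {}
    for arn, evs in by_principal.items():
        evs.sort(key=lambda e: e["eventTime"])        # ISO-8601 sorts lexically
        probe_at, seen = None, set()
        for ev in evs:
            t = datetime.strptime(ev["eventTime"], "%Y-%m-%dT%H:%M:%SZ")
            tags = tag_event(ev)
            seen |= tags
            if "dryrun_probe" in tags and probe_at is None:
                probe_at = t
            elif probe_at and tags & DEPLOY_TAGS and t - probe_at <= window:
                alerts.setdefault(arn, {"seconds_after_probe":
                                        int((t - probe_at).total_seconds())})
        if arn in alerts:
            alerts[arn]["tags"] = sorted(seen)
    return alerts


# Constructed sample: one compromised principal, one legitimate deploy role.
ATTACKER = "arn:aws:iam::111122223333:user/ci-deploy"           # hypothetical
BOTO_UA = "Boto3/1.34.0 md/Botocore#1.34.0 ua/2.0 os/linux lang/python#3.11.0"
SAMPLE_EVENTS = [
    {"eventTime": "2025-11-02T03:10:02Z", "eventSource": "ec2.amazonaws.com",
     "eventName": "RunInstances", "errorCode": "Client.DryRunOperation",
     "userIdentity": {"arn": ATTACKER}, "userAgent": BOTO_UA,
     "requestParameters": {"instanceType": "g5.xlarge"}},
    {"eventTime": "2025-11-02T03:13:40Z", "eventSource": "autoscaling.amazonaws.com",
     "eventName": "CreateAutoScalingGroup", "userIdentity": {"arn": ATTACKER},
     "userAgent": BOTO_UA, "requestParameters": {
         "autoScalingGroupName": "SPOT-us-east-1-G5-01",
         "minSize": 1, "maxSize": 999, "desiredCapacity": 999}},
    {"eventTime": "2025-11-02T03:14:07Z", "eventSource": "ec2.amazonaws.com",
     "eventName": "RunInstances", "userIdentity": {"arn": ATTACKER},
     "userAgent": BOTO_UA, "requestParameters": {"instanceType": "g5.xlarge"}},
    {"eventTime": "2025-11-02T03:14:30Z", "eventSource": "ec2.amazonaws.com",
     "eventName": "ModifyInstanceAttribute", "userIdentity": {"arn": ATTACKER},
     "userAgent": BOTO_UA, "requestParameters": {
         "instanceId": "i-0abc123def456789a",
         "disableApiTermination": {"value": True}}},
    {"eventTime": "2025-11-02T03:15:00Z", "eventSource": "ecs.amazonaws.com",
     "eventName": "CreateCluster", "userIdentity": {"arn": ATTACKER},
     "userAgent": BOTO_UA, "requestParameters": {"clusterName": "cluster-17"}},
    {"eventTime": "2025-11-02T03:12:00Z", "eventSource": "ec2.amazonaws.com",
     "eventName": "RunInstances", "userAgent": "aws-cli/2.15.0",
     "userIdentity": {"arn": "arn:aws:sts::111122223333:assumed-role/Deployer/pipeline"},
     "requestParameters": {"instanceType": "t3.micro"}},
]

if __name__ == "__main__":
    for arn, hit in correlate(SAMPLE_EVENTS).items():
        print(arn, hit)
```

The probe-then-deploy sequence is the correlation rule; a single termination_protection_on tag from a principal that never touches termination protection in normal operation is worth alerting on by itself, and a large number of Client.DryRunOperation records from one access key is the early warning the defense section below refers to.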

What GuardDuty Caught:

Extended Threat Detection correlated signals across EC2 and ECS into AttackSequence:EC2/CompromisedInstanceGroup findings. Runtime Monitoring picked up the malicious process execution on the instances and tasks. Threat intelligence matched the mining domains.

How to Defend:

Use temporary credentials (IAM roles and STS) instead of long-term access keys. Enforce MFA everywhere. Apply least privilege to IAM roles and users. Enable GuardDuty Runtime Monitoring across all accounts and regions. Monitor CloudTrail for DryRun API calls (they are logged with errorCode Client.DryRunOperation); a burst of them from one principal is an early warning sign. Set up service control policies (SCPs) to block public Lambda function URLs with AuthType set to NONE. Integrate GuardDuty with EventBridge for automated remediation.
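Clearing the termination-protection trick described above, as an added example (not AWS's or the post author's code) of the kind of remediation an EventBridge-triggered responder would perform. Given the instance IDs and auto scaling group names you have already enumerated from the GuardDuty finding or from CloudTrail, it scales the groups to zero and force-deletes them first so they cannot replace what you terminate, then clears disableApiTermination on each instance, verifies it, and terminates in batches. The RecordingClient stand-in is part of the example so the sequence can be exercised without credentials; swap in boto3.client("ec2") and boto3.client("autoscaling") to run it for real. The batch size of 100 is a choice, not an API limit.

```python
"""Undo the disableApiTermination persistence trick and terminate the miners.

Added example, not AWS's or the post author's code.  Takes pre-enumerated
instance IDs and Auto Scaling group names.  boto3 calls used (all real):
update_auto_scaling_group, delete_auto_scaling_group, modify_instance_attribute,
describe_instance_attribute, terminate_instances.  RecordingClient is a stand-in
so the logic runs offline; the IDs in main() are made up.
"""


class RecordingClient:
    """Fake boto3 client: records every call and returns canned responses."""

    def __init__(self, responses=None):
        self.calls = []
        self.responses = responses or {}

    def __getattr__(self, method):
        def call(**kwargs):
            self.calls.append((method, kwargs))
            return self.responses.get(method, {})
        return call


def batches(seq, size):
    for i in range(0, len(seq), size):
        yield seq[i:i + size]


def contain(ec2, autoscaling, instance_ids, asg_names):
    """Order matters: kill the groups first, then unprotect, then terminate."""
    summary = {"asg_deleted": [], "protection_cleared": [],
               "still_protected": [], "terminated": []}
    # 1. Stop the groups from relaunching capacity (the post saw 999 per group),
    #    then force-delete them along with the instances they own.
    for asg in asg_names:
        autoscaling.update_auto_scaling_group(
            AutoScalingGroupName=asg, MinSize=0, MaxSize=0, DesiredCapacity=0)
        autoscaling.delete_auto_scaling_group(
            AutoScalingGroupName=asg, ForceDelete=True)
        summary["asg_deleted"].append(asg)
    # 2. Clear termination protection on every instance and verify it took,
    #    because one protected instance in a batch fails the whole
    #    TerminateInstances call.
    for iid in instance_ids:
        ec2.modify_instance_attribute(
            InstanceId=iid, DisableApiTermination={"Value": False})
        attr = ec2.describe_instance_attribute(
            InstanceId=iid, Attribute="disableApiTermination")
        if attr.get("DisableApiTermination", {}).get("Value"):
            summary["still_protected"].append(iid)
        else:
            summary["protection_cleared"].append(iid)
    # 3. Terminate only the instances confirmed unprotected; 100 per call is
    #    a chosen batch size, not an API limit.
    for batch in batches(summary["protection_cleared"], 100):
        ec2.terminate_instances(InstanceIds=batch)
        summary["terminated"].extend(batch)
    return summary


if __name__ == "__main__":
    # Offline dry run.  For real use: ec2 = boto3.client("ec2");
    # autoscaling = boto3.client("autoscaling"); IDs below are made up.
    ec2 = RecordingClient({"describe_instance_attribute":
                           {"DisableApiTermination": {"Value": False}}})
    autoscaling = RecordingClient()
    print(contain(ec2, autoscaling, ["i-0abc123def456789a"],
                  ["SPOT-us-east-1-G5-01"]))
    for call in ec2.calls + autoscaling.calls:
        print(call)
```

Disable or delete the compromised access key before running anything like this, or the attacker simply recreates the fleet; the ECS clusters need the same treatment (stop tasks, delete services with force, delete the cluster). Per the EC2 documentation, disableApiTermination does not stop Amazon EC2 Auto Scaling from terminating an instance, which is why scaling the groups to zero removes their instances even before the attribute is cleared; instances launched outside a group still need the attribute flipped, and the summary's still_protected list is what to escalate if the flip did not take.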

The Real Lesson:

This wasn't a vulnerability in AWS. It was compromised credentials used exactly as designed, just for the wrong purpose. Your IAM hygiene matters. A lot.
