Researchers Detect Crypto-Mining Worm That Steals AWS Credentials

Cybersecurity researchers have detected what they believe to be the first stealth crypto-mining campaign that also steals Amazon Web Services (AWS) credentials.

Cado Security described the campaign as relatively unsophisticated in its report on Aug. 17. So far, the attackers, who operate under the name TeamTNT, appear to have pocketed only a paltry $300 in illicit profits.

What caught the researchers' attention was the worm's dedicated functionality for stealing AWS credentials.

Cado Security sees this as part of a wider trend: attackers are adapting quickly as a growing number of organizations migrate their workloads to cloud and container environments.

Stealing the AWS credentials is relatively simple, the report indicates. TeamTNT's campaign has also recycled some of its code from another worm, dubbed "Kinsing," which is designed to suspend Alibaba Cloud Security tools.

Given this pattern of reuse, the Cado report notes that researchers now expect future crypto-mining worms to copy and paste TeamTNT's AWS credential-stealing code.

As is frequently the case with stealth crypto-mining campaigns, TeamTNT's worm deploys the XMRig mining tool to mine Monero (XMR) for the attackers' profit.

Cado Security investigated MoneroOcean, one of the mining pools used by the attackers, and used the pool's data to compile a list of 119 systems that the worm had successfully compromised.
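
The two indicators the article names, an XMRig process and traffic to the MoneroOcean pool, are enough to build a simple host-level hunt. The Python below is an added example and is not code from the article or from Cado Security's report: it runs detection logic over constructed process and connection records, flagging command lines that carry XMRig's pool switches or a Monero-style wallet address, and sockets that point at a pool host or a stratum-style port. The sample records, the hostname gw.moneroocean.stream, the port list and the renamed-binary ("kswapd0") case are assumptions made for illustration, not observations from the campaign.

```python
import re
from collections import defaultdict

# --- Constructed sample telemetry (not real captures) -----------------------
# Placeholder 95-character Monero-style address; real ones start with 4 or 8.
WALLET = "4" + "A" * 94

# (pid, user, command line), as `ps -eo pid,user,args` would report it.
SAMPLE_PROCESSES = [
    (412, "root", "/usr/sbin/sshd -D"),
    (2231, "www-data", "nginx: worker process"),
    # Assumed scenario: miner renamed to look like a kernel thread, so only
    # its arguments give it away.
    (7710, "root", f"/tmp/.x/kswapd0 -o gw.moneroocean.stream:10128 -u {WALLET} --donate-level 1"),
    (8822, "root", "/usr/local/bin/xmrig --url stratum+tcp://pool.example.net:3333"),
]

# (pid, remote host, remote port), as a resolved `ss -tnp` listing would show.
SAMPLE_CONNECTIONS = [
    (412, "203.0.113.7", 52110),
    (2231, "198.51.100.9", 443),
    (7710, "gw.moneroocean.stream", 10128),  # assumed pool gateway hostname
    (8822, "pool.example.net", 3333),
]

# --- Indicators ---------------------------------------------------------------
MINER_NAME_RE = re.compile(r"xmrig", re.I)
# XMRig's pool (-o/--url) and donation switches, plus the stratum URL scheme.
MINER_ARGS_RE = re.compile(r"(?:^|\s)(?:-o|--url)\s|stratum\+tcp://|--donate-level\b")
# Standard Monero address: 95 base58 characters beginning with 4 or 8.
MONERO_ADDR_RE = re.compile(r"\b[48][1-9A-HJ-NP-Za-km-z]{94}\b")
POOL_HOST_RE = re.compile(r"moneroocean", re.I)
# Assumption: ports commonly used for stratum endpoints; tune for your environment.
STRATUM_PORTS = {3333, 4444, 5555, 7777, 10128, 14444}


def scan_processes(processes):
    """Return {pid: [reasons]} for processes whose command line looks like a miner."""
    hits = defaultdict(list)
    for pid, _user, cmdline in processes:
        if MINER_NAME_RE.search(cmdline):
            hits[pid].append("xmrig in command line")
        if MINER_ARGS_RE.search(cmdline):
            hits[pid].append("miner/stratum arguments")
        if MONERO_ADDR_RE.search(cmdline):
            hits[pid].append("Monero wallet address in arguments")
    return dict(hits)


def scan_connections(connections):
    """Return {pid: [reasons]} for sockets aimed at a known pool or stratum port."""
    hits = defaultdict(list)
    for pid, host, port in connections:
        if POOL_HOST_RE.search(host):
            hits[pid].append(f"connection to pool host {host}")
        elif port in STRATUM_PORTS:
            hits[pid].append(f"connection to stratum-style port {port} on {host}")
    return dict(hits)


def correlate(processes, connections):
    """Merge both views per pid so a weak signal in one can be confirmed by the other."""
    merged = defaultdict(list)
    for source in (scan_processes(processes), scan_connections(connections)):
        for pid, reasons in source.items():
            merged[pid].extend(reasons)
    return {pid: merged[pid] for pid in sorted(merged)}


if __name__ == "__main__":
    for pid, reasons in correlate(SAMPLE_PROCESSES, SAMPLE_CONNECTIONS).items():
        print(f"pid {pid}: " + "; ".join(reasons))
```

Run it as a script to print the findings, or feed `correlate()` the parsed output of `ps -eo pid,user,args` and a resolved `ss -tnp` listing. The renamed-binary case is why the check keys on arguments and network destinations rather than on the process name alone; a miner that hides its name still has to tell the pool where to send the rewards.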

Stealth cryptocurrency mining attacks are also referred to as cryptojacking, an industry term for using a computer's processing power to mine cryptocurrency without the owner's consent or knowledge.

This March, Singapore-based unicorn startup Acronis published the results of its latest cybersecurity survey, in which 86% of IT professionals said they were concerned about the risks these attacks pose to their organizations.