A group of financially motivated hackers from Indonesia have been discovered using Amazon Web Services (AWS) Elastic Compute Cloud (EC2) instances for unauthorized cryptocurrency mining activities.
The cloud security firm Permiso P0 Labs, which detected the group, has named them GUI-vil (pronounced Goo-ee-vil). The hackers show a preference for Graphical User Interface (GUI) tools, specifically utilizing S3 Browser (version 9.5.5) for their initial operations. Once they gain access to the AWS Console, they continue their activities directly through a web browser.
The attack method employed by GUI-vil involves exploiting AWS keys found in publicly exposed source code repositories on GitHub or targeting vulnerable GitLab instances with remote code execution flaws (e.g., CVE-2021-22205). Once initial access is obtained, the hackers escalate privileges and conduct internal reconnaissance to identify accessible S3 buckets and services through the AWS web console.
A unique aspect of GUI-vil’s approach is their attempt to blend in and maintain persistence within the victim’s environment. They achieve this by creating new user identities that adhere to the same naming convention as existing ones, thereby avoiding suspicion. Additionally, the group creates access keys for these new users to continue using S3 Browser seamlessly.
Alternatively, GUI-vil has been observed creating login profiles for existing users without them, allowing access to the AWS console without raising alarms.
The link to Indonesia arises from the IP addresses associated with the group’s activities, which are tied to two Autonomous System Numbers (ASNs) located in the Southeast Asian country.
The primary objective of GUI-vil is financially motivated, centered around setting up EC2 instances to facilitate their crypto mining operations. However, the profits they make from mining are often minimal compared to the costs incurred by victim organizations for running the compromised EC2 instances.
The researchers at P0 Labs emphasize the importance of organizations maintaining strong security measures, such as protecting AWS keys, regularly updating source code repositories, and promptly patching known vulnerabilities. Heightened awareness and proactive defense strategies are crucial in mitigating the risks posed by threat actors like GUI-vil.
Post comments (0)