Indonesian cybercriminals are exploiting Amazon Web Services (AWS) instances to carry out illicit crypto mining. The GUI-vil group has been identified as the threat actor behind this activity.
What is the threat?
GUI-vil, a financially motivated threat actor, uses compromised accounts to launch AWS EC2 instances for illicit crypto mining. Threat intelligence researchers have observed the group using the same version of S3 Browser (version 9.5.5, released in January 2021) for its initial access activity from as early as November 2021 through as recently as April 2023.
Their attack chain begins with obtaining AWS access keys, either by exploiting CVE-2021-22205 to gain remote code execution (RCE) on vulnerable GitLab instances or by scanning for publicly exposed credentials. A successful entry is then followed by privilege escalation and internal reconnaissance to enumerate all S3 buckets and services accessible via the AWS Management Console.
Why is it noteworthy?
According to Permiso, GUI-vil is unlike most groups focused on crypto mining. When establishing persistence in a victim's environment, GUI-vil attempts to masquerade as a legitimate user by creating usernames that match the existing naming convention. In some cases, the group has been observed taking over existing user accounts and creating login profiles where none existed. Tailoring their activity to the victim's environment in this way helps them blend in and evade detection.
What is the exposure or risk?
As more businesses move their operations to the cloud, financially motivated threat actors will keep trying to take advantage of vulnerable instances. GUI-vil does not target specific organizations; it will attack any organization for which it can discover compromised credentials.
Additionally, cloud resources are expensive! Often the profit GUI-vil makes from crypto mining pales in comparison to the extra expenses the victim organization accrues from the illicit EC2 instances.
What are the recommendations?
To prevent and protect against cloud-based threat actors, Barracuda XDR SOC recommends the following:
- Establish strong authentication mechanisms, utilize multi-factor authentication (MFA), and enforce least privilege access controls. Regularly review and update security policies and procedures.
- Conduct regular audits and assessments of cloud environments to identify and remediate misconfigurations or unknown instances.
- If using GitLab, ensure that your instance is fully up to date, with the latest security patches.
- Do not store AWS keys/credentials in publicly available resources.
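As an added illustration of the audit recommendation above (example code written for this page, not Barracuda's or Permiso's tooling), the following Python triages CloudTrail records for two behaviours the advisory describes: console login profiles created where none existed, and IAM or EC2 changes made through an S3 client. The CloudTrail records are constructed, and the "S3 Browser" user-agent substring is an assumption to be adjusted to what your own logs show.

```python
# Constructed sample CloudTrail records (not real telemetry); field names
# follow the CloudTrail record format.
SAMPLE_EVENTS = [
    {"eventTime": "2023-04-02T10:15:03Z", "eventSource": "s3.amazonaws.com",
     "eventName": "ListBuckets", "userAgent": "S3 Browser 9.5.5",
     "userIdentity": {"type": "IAMUser", "userName": "svc-backup-01"},
     "requestParameters": {}},
    {"eventTime": "2023-04-02T10:16:41Z", "eventSource": "iam.amazonaws.com",
     "eventName": "CreateLoginProfile", "userAgent": "S3 Browser 9.5.5",
     "userIdentity": {"type": "IAMUser", "userName": "svc-backup-01"},
     "requestParameters": {"userName": "svc-backup-02"}},
    {"eventTime": "2023-04-02T10:20:12Z", "eventSource": "ec2.amazonaws.com",
     "eventName": "RunInstances", "userAgent": "S3 Browser 9.5.5",
     "userIdentity": {"type": "IAMUser", "userName": "svc-backup-02"},
     "requestParameters": {"instanceType": "p3.16xlarge"}},
    {"eventTime": "2023-04-02T11:00:00Z", "eventSource": "ec2.amazonaws.com",
     "eventName": "RunInstances", "userAgent": "aws-cli/2.11.0",
     "userIdentity": {"type": "AssumedRole", "userName": "deploy-pipeline"},
     "requestParameters": {"instanceType": "t3.micro"}},
]

# Advisory behaviour -> CloudTrail signal.
# GUI-vil creates console login profiles where none existed; this is rare in
# most estates, so every occurrence deserves review.
LOGIN_PROFILE_EVENTS = {"CreateLoginProfile", "UpdateLoginProfile"}
# An S3 client has no business changing IAM or launching EC2. The substring
# is an assumption; match it against the user agents seen in your own trail.
S3_CLIENT_UA = "S3 Browser"
MUTATING_SOURCES = {"iam.amazonaws.com", "ec2.amazonaws.com"}


def triage(events):
    """Return (eventTime, rule, actor, detail) tuples for suspicious records."""
    findings = []
    for ev in events:
        name, source = ev["eventName"], ev["eventSource"]
        actor = ev.get("userIdentity", {}).get("userName", "unknown")
        params = ev.get("requestParameters") or {}
        if name in LOGIN_PROFILE_EVENTS:
            target = params.get("userName", actor)
            findings.append((ev["eventTime"], "login-profile", actor,
                             f"{name} for {target}"))
        if source in MUTATING_SOURCES and S3_CLIENT_UA in ev.get("userAgent", ""):
            findings.append((ev["eventTime"], "s3-client-mutation", actor,
                             f"{name} via {ev['userAgent']}"))
    return findings
```

Running `triage(SAMPLE_EVENTS)` flags the login profile creation and both the IAM and EC2 calls made through the S3 client, while the pipeline's own `RunInstances` via the AWS CLI passes clean.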
For more in-depth information about the recommendations, please visit the following links:
If you have any questions, please contact our Security Operations Center.