According to a report this week by Cado Security, a UK-based cybersecurity organization, hackers are stealing Amazon Web Services (AWS) credentials from users in order to deploy a new crypto-jacking botnet. At the time of this article, the attack is still active.
The firm described this as the first instance of hackers targeting Amazon tools to steal web credentials so that they can mine cryptocurrency. According to the security firm, 119 systems have been hijacked so far.
The botnet is recent. It has been active since April, which means that the attackers have only recently started this hijacking. It has been deployed by a cybercrime group called “Team TNT.”
Hackers tap into the users’ Amazon accounts through exposed files. These files hold configuration details for the underlying AWS account, which lets the attackers take hold of the account. This way they tap into Amazon’s powerful resources to mine Monero.
The botnet infects the system’s “Docker” so that the attackers can scan for exposed credentials, upload them to a server and get full authority. Finally, they install a Monero mining bot and start mining. In effect, the attackers are using Amazon’s resources to carry out their crypto-jacking.
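A host-side check for the exposure described above, as an added example that is not from Cado Security's report or this article: it assumes the exposed files are the AWS CLI's default `credentials` and `config` files under a `.aws` directory, and flags long-term access keys stored there and files readable beyond their owner. The function names, sample path and key value are constructed for illustration.

```python
import configparser
import os
import stat
import tempfile
from pathlib import Path

# Assumption: the "exposed files" are the AWS CLI's default INI files.
AWS_FILES = ("credentials", "config")

def audit_aws_dir(aws_dir):
    """Return (path, profile, issue) tuples for one .aws directory."""
    findings = []
    for name in AWS_FILES:
        path = Path(aws_dir) / name
        parser = configparser.ConfigParser(interpolation=None)
        if not parser.read(path):  # file missing or unreadable
            continue
        # Any group/other permission bit lets other local users read the keys.
        loose = bool(stat.S_IMODE(path.stat().st_mode) & 0o077)
        for profile in parser.sections():
            key_id = parser.get(profile, "aws_access_key_id", fallback="")
            # AKIA marks a long-term IAM user key; temporary STS keys use ASIA.
            if key_id.startswith("AKIA"):
                findings.append((str(path), profile, "long-term key on disk"))
            if key_id and loose:
                findings.append((str(path), profile, "file not owner-only"))
    return findings

def audit_tree(root):
    """Audit every .aws directory found under root (e.g. /home or /root)."""
    findings = []
    for dirpath, dirnames, _ in os.walk(root):
        if ".aws" in dirnames:
            findings += audit_aws_dir(os.path.join(dirpath, ".aws"))
    return findings

def build_sample(root):
    """Constructed sample: one home directory with a world-readable key file."""
    aws = Path(root) / "home" / "deploy" / ".aws"
    aws.mkdir(parents=True)
    cred = aws / "credentials"
    cred.write_text("[default]\naws_access_key_id = AKIAEXAMPLEKEY000000\n"
                    "aws_secret_access_key = constructed-placeholder\n")
    cred.chmod(0o644)
    return cred

if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        build_sample(tmp)
        print(audit_tree(tmp))
```

Hosts that run Docker and report a long-term key are the ones where replacing the stored key with short-lived role credentials removes what this kind of scan can collect.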
Hackers could profit from the situation
Cado Security has noted that although the attacker has not yet used many of the stolen credentials, this does not mean that it will not. Once the attackers do use them, Team TNT could boost its profit, either by “installing crypto-mining malware in more powerful AWS clusters directly or by selling the stolen credentials on the black market”.