A cybersecurity firm has unearthed a monero mining script embedded in a public instance of an Amazon Web Service (AWS) virtual machine. Now the firm is raising the question: How many other community Amazon Machine Instances (AMIs) are infected with the same malware?
Researchers at Mitiga revealed in a blog post Friday an AWS AMI for a Windows 2008 virtual server hosted by an unverified vendor is infected with a Monero mining script. The malware would have infected any device running the AMI with the purpose of using the deviceâs processing power to mine the privacy coin monero in the background â a malware attack that has become all too common in cryptoâs digital wild west.
âMitigaâs security research team has identified an AWS Community AMI containing malicious code running an unidentified crypto (Monero) miner. We have concerns this may be a phenomenon, rather than an isolated occurrence,â the blog post reads.
Businesses and other entities use Amazon Web Services to spin up what are called âEC2â instances of popular programs and services. Also known as virtual machines, these EC2s are developed by third parties and are deployed under the Amazon Machine Instance framework, and businesses leverage these services to lower the costs of compute power for their business operations. AWS users can source these services from Amazon Marketplace AMIs, which are Amazon-verified vendors, or Community AMIs, which are unverified.Â
Read more: BlackBerry and Intel Tackle Cryptojacking Malware With New Detection Tool
Mitiga discovered this monero script in a Community AMI for a Windows 2008 Server while conducting a security audit for a financial services company. In its analysis, Mititga concluded that the AMI was created with the sole purpose of infecting devices with the mining malware, as the script was included in the AMIâs code from day one.
Outside of the financial services company that hired Mitiga to review the AMI, the cybersecurity firm is unaware of how many other entities and devices may be infected with the malware.Â
âAs to how Amazon allows this to happen, well, this is the biggest question that arises from this discovery, but itâs a question that should also be directed to AWSâs (sic) Comms team,â the team told CoinDesk over email.
CoinDesk reached out to Amazon Web Services to learn more about its approach to handling unverified AMI publishers but a representative declined to comment. Amazon Web Serviceâs documentation includes the caveat that users choose to use Community AMIs âat [their] own riskâ and that Amazon âcanât vouch for the integrity or security of [these] AMIs.â
Mitigaâs principal concern is that this malware could be one of several bugs worming around in unverified AMIs. The fact that Amazon does not provide transparent data regarding AWS use exacerbates this worry, the firm told CoinDesk.
âAs AWS customer usage is obfuscated, we canât know how far and wide this phenomenon stretches without AWSâs own investigation. We do however believe that the potential risk is high enough to issue a security advisory to all AWS customers using Community AMIs.â
Read more: North Korea Is Expanding Its Monero Mining Operations, Says ReportÂ
Mitiga recommends that any entity running a community AMI should terminate it immediately and search for a replacement from a trusted vendor. At the very least, businesses that rely on AWS should painstakingly review the code before integrating unverified AMIs into their business logic.Â
Mining malware could actually be the most innocuous form of infection a business may experience, the firm continued in the post. The worst-case scenario includes an AMI installing a backdoor on a businessâ computer or ransomware that would encrypt the companyâs files with the aim of extorting it for money to regain access.
The attack is the latest in a trend of so-called âcrypto-jackingâ attacks. Monero is the coin of choice among attackers thanks to its mining algorithm, which can be run easily using a computerâs CPU and GPU. When attackers infect enough computers and pool their resources, the collective hashpower is enough to merit a pretty payday.
If Mitigaâs fears are true, other AMIs may have infected user devices with monero mining scripts and gone unnoticed.
