- Attackers used stolen high-privilege IAM credentials to rapidly deploy large-scale crypto mining on EC2 and ECS.
- They launched GPU-heavy auto-scaling groups, malicious Fargate containers, new IAM users, and instances protected from shutdown.
- AWS urges strict IAM hygiene: MFA everywhere, temporary credentials, and least-privilege access.
Experts have warned that cybercriminals are targeting Amazon Web Services (AWS) customers using Amazon EC2 and Amazon ECS with cryptojackers.
The cloud giant warned about the ongoing campaign in a recent report, saying it has already been addressed, but urged customers to be careful because attacks like these can easily reappear.
In early November 2025, Amazon GuardDuty engineers detected the attack after observing the same techniques appearing in multiple AWS accounts. A subsequent investigation determined that the bad actors were not exploiting any known or unknown vulnerabilities in AWS. Instead, they relied on compromised AWS Identity and Access Management (IAM) credentials with high-level permissions to gain access. Once inside, they would use the access to deploy large-scale mining infrastructure in the cloud environment.
Strengthen your passwords
The Amazon report states that most crypto miners were up and running within minutes of initial access. The attackers acted quickly to enumerate service quotas and permissions and then launched dozens of ECS clusters and large EC2 auto-scaling groups. In some cases, these were configured to grow rapidly in order to maximize computing consumption.
Hackers approached the attack differently on ECS and EC2. On ECS, they deployed malicious container images hosted on Docker Hub, which ran the miner on AWS Fargate.
On EC2, however, they created multiple launch templates and auto-scaling groups targeting high-performance GPU instances as well as general-purpose compute instances.
Amazon also added that the criminals used instance termination protection to prevent compromised endpoints from being easily shut down or remediated remotely.
They also created publicly accessible AWS Lambda functions and additional IAM users.
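As an added illustration (not code from the AWS report or from this article), the behaviours listed above can be correlated per principal in CloudTrail records: the code below flags any identity that shows three or more of them within ten minutes. The threshold, the window, the sample records and the `disableApiTermination` request shape are assumptions.

```python
from collections import defaultdict
from datetime import datetime, timedelta
# (eventSource, eventName) -> behaviour named in the article
SIGNALS = {
    ("servicequotas.amazonaws.com", "GetServiceQuota"): "quota-enumeration",
    ("ecs.amazonaws.com", "CreateCluster"): "ecs-cluster",
    ("ec2.amazonaws.com", "CreateLaunchTemplate"): "launch-template",
    ("autoscaling.amazonaws.com", "CreateAutoScalingGroup"): "auto-scaling-group",
    ("iam.amazonaws.com", "CreateUser"): "new-iam-user",
}

def classify(ev):
    """Label one record, or None. Assumes {"disableApiTermination": {"value": true}}."""
    key = (ev["eventSource"], ev["eventName"])
    if key == ("ec2.amazonaws.com", "ModifyInstanceAttribute"):
        flag = (ev.get("requestParameters") or {}).get("disableApiTermination") or {}
        return "termination-protection" if flag.get("value") is True else None
    return SIGNALS.get(key)

def find_bursts(events, window=timedelta(minutes=10), min_behaviours=3):
    """Principals with >= min_behaviours distinct behaviours inside one window."""
    hits = defaultdict(list)
    for ev in events:
        label = classify(ev)
        if label:
            ts = datetime.strptime(ev["eventTime"], "%Y-%m-%dT%H:%M:%SZ")
            hits[ev["userIdentity"]["arn"]].append((ts, label))
    alerts = {}
    for arn, seq in hits.items():
        for start, _ in sorted(seq):
            seen = {lab for ts, lab in seq if timedelta(0) <= ts - start <= window}
            if len(seen) >= min_behaviours:
                alerts[arn] = sorted(seen)
                break
    return alerts

def make_event(t, svc, name, arn, params=None):
    return {"eventTime": f"2025-01-01T{t}Z", "eventSource": f"{svc}.amazonaws.com",
            "eventName": name, "userIdentity": {"arn": arn}, "requestParameters": params}
# Constructed sample records, not real logs; the ARNs are placeholders.
ADMIN = "arn:aws:iam::111122223333:user/example-admin"
DEPLOY = "arn:aws:iam::111122223333:role/example-deploy"
SAMPLE = [
    make_event("03:00:05", "servicequotas", "GetServiceQuota", ADMIN),
    make_event("03:01:10", "ecs", "CreateCluster", ADMIN),
    make_event("03:02:30", "autoscaling", "CreateAutoScalingGroup", ADMIN),
    make_event("03:04:00", "ec2", "ModifyInstanceAttribute", ADMIN, {"disableApiTermination": {"value": True}}),
    make_event("09:00:00", "autoscaling", "CreateAutoScalingGroup", DEPLOY),
]
```

Calling `find_bursts(SAMPLE)` reports only the placeholder admin user; the deploy role's single auto-scaling call stays below the threshold.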
Defending against these attacks is easy, Amazon suggests. All you need is a strong password:
“To protect against similar cryptomining attacks, AWS customers should prioritize strong identity and access management controls,” the report said. “Implement temporary credentials instead of long-term access keys, enforce multi-factor authentication (MFA) for all users, and apply least privilege to IAM principals, limiting access to only required permissions.”