- Attackers used stolen high-privilege IAM credentials to rapidly deploy large-scale cryptomining on EC2 and ECS
- They launched GPU-heavy auto-scaling groups, malicious Fargate containers, new IAM users and protected instances from shutdown
- AWS encourages strict IAM hygiene: MFA everywhere, temporary credentials, and least-privileged access
Cybercriminals are targeting Amazon Web Services (AWS) customers using Amazon EC2 and Amazon ECS with cryptojackers, experts have warned.
The cloud giant warned about the ongoing campaign in a recent report and said it has since been patched, but urged customers to be cautious because attacks like these could easily re-emerge.
In early November 2025, Amazon GuardDuty engineers discovered the attack after observing the same techniques across multiple AWS accounts. A subsequent investigation determined that the perpetrators did not exploit any known or unknown vulnerabilities in AWS itself. Instead, they relied on compromised AWS Identity and Access Management (IAM) credentials with high-level permissions to gain access. Once inside, they would use the access to deploy large-scale mining infrastructure in the cloud environment.
Strengthen your passwords
Amazon’s report says most crypto miners were up and running within minutes of initial access. The attackers moved quickly to enumerate service quotas and permissions, then launched dozens of ECS clusters and large EC2 auto-scaling groups. In some cases, these were configured to grow rapidly to maximize compute usage.
The hackers approached the attack differently on ECS and EC2. On the former, they installed malicious container images hosted on Docker Hub that executed the miner on AWS Fargate.
On the latter, they created several launch templates and auto-scaling groups that targeted high-performance GPU instances, as well as regular compute instances.
Amazon added that the bad guys also used instance termination protection to prevent compromised endpoints from being easily shut down or remediated remotely.
They also created publicly available AWS Lambda functions and additional IAM users.
Defending against these attacks is easy, Amazon suggests. All it requires is a strong password:
“To protect against similar cryptomining attacks, AWS customers should prioritize strong identity and access management controls,” the report said. “Implement temporary credentials instead of long-term access keys, enforce multi-factor authentication (MFA) for all users, and apply least privilege to IAM principals, limiting access to only required permissions.”
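The post-compromise activity described above (quota enumeration, new ECS clusters, launch templates and auto-scaling groups, termination protection, extra IAM users) can be correlated per access key in CloudTrail. The following is an added example, not code from Amazon's report or this article; the sample events and key IDs are constructed, and the 10-minute window and threshold of three behaviours are assumptions to tune.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# CloudTrail (eventSource, eventName) pairs mapped to behaviours named in the article
BEHAVIOURS = {
    ("servicequotas.amazonaws.com", "GetServiceQuota"): "quota-enumeration",
    ("ecs.amazonaws.com", "CreateCluster"): "ecs-cluster",
    ("ec2.amazonaws.com", "CreateLaunchTemplate"): "launch-template",
    ("autoscaling.amazonaws.com", "CreateAutoScalingGroup"): "auto-scaling-group",
    ("iam.amazonaws.com", "CreateUser"): "new-iam-user",
}

def classify(event):
    key = (event["eventSource"], event["eventName"])
    if key == ("ec2.amazonaws.com", "ModifyInstanceAttribute"):
        # Only the call that turns termination protection ON is of interest
        flag = (event.get("requestParameters") or {}).get("disableApiTermination") or {}
        return "termination-protection" if flag.get("value") is True else None
    return BEHAVIOURS.get(key)

def find_bursts(events, window=timedelta(minutes=10), min_behaviours=3):
    """Return {access_key_id: behaviours} for keys showing several distinct behaviours in one window."""
    per_key = defaultdict(list)
    for ev in events:
        label = classify(ev)
        if label:
            ts = datetime.strptime(ev["eventTime"], "%Y-%m-%dT%H:%M:%SZ")
            per_key[ev["userIdentity"]["accessKeyId"]].append((ts, label))
    alerts = {}
    for key_id, hits in per_key.items():
        hits.sort()
        for i, (start, _) in enumerate(hits):
            seen = {lbl for ts, lbl in hits[i:] if ts - start <= window}
            if len(seen) >= min_behaviours:
                alerts[key_id] = sorted(seen)
                break
    return alerts

def make_event(t, key, service, name, params=None):  # helper for the constructed samples
    return {"eventTime": t, "eventSource": service + ".amazonaws.com", "eventName": name,
            "userIdentity": {"accessKeyId": key}, "requestParameters": params}

# Constructed sample events (simplified CloudTrail records, not real data)
SAMPLE_EVENTS = [
    make_event("2025-11-02T10:00:05Z", "AKIAEXAMPLE0000000001", "servicequotas", "GetServiceQuota"),
    make_event("2025-11-02T10:01:10Z", "AKIAEXAMPLE0000000001", "ecs", "CreateCluster"),
    make_event("2025-11-02T10:02:30Z", "AKIAEXAMPLE0000000001", "autoscaling", "CreateAutoScalingGroup"),
    make_event("2025-11-02T10:03:00Z", "AKIAEXAMPLE0000000001", "ec2", "ModifyInstanceAttribute",
               {"disableApiTermination": {"value": True}}),
    make_event("2025-11-02T09:00:00Z", "AKIAEXAMPLE0000000002", "iam", "CreateUser"),
    make_event("2025-11-02T15:00:00Z", "AKIAEXAMPLE0000000002", "ecs", "CreateCluster"),
]
```

Run over `SAMPLE_EVENTS`, the first key is flagged for four behaviours inside three minutes, while the second key's two actions six hours apart are not.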



