Executive Summary
In late 2025, Amazon's AWS GuardDuty team uncovered a significant cryptomining campaign that used compromised IAM credentials to gain access to customers' Amazon Elastic Compute Cloud (EC2) and Elastic Container Service (ECS) environments. The attackers relied on valid credentials rather than any software vulnerability, and deployed a Docker Hub image carrying the SRBMiner-MULTI cryptominer. By rapidly launching large numbers of EC2 instances and ECS tasks with high vCPU and memory allocations, the threat actor drove up compute consumption and inflicted financial losses on the affected AWS customers. The attackers also enabled termination protection on the instances they launched, which delayed incident response and extended the time the miners stayed profitable.
This incident is emblematic of the growing sophistication and automation in cloud resource abuse, and of the shift toward attacks built on stolen credentials rather than software flaws. As cloud adoption grows and cryptomining tooling matures, organizations need stronger IAM hygiene, monitoring of control-plane activity, and automated remediation to keep the cost of such an intrusion low.
Why This Matters Now
This campaign underscores the threat posed by identity-driven attacks in cloud environments: an attacker holding valid credentials is not blocked by the controls that stop unauthenticated access, and the only remaining defenses are what those credentials are permitted to do and how quickly their misuse is noticed. Persistence techniques such as termination protection and the rapid launch of resource-intensive workloads make timely detection, tight IAM governance, and automated response essential to limiting the bill.
Attack Path Analysis
The attacker authenticated to the victim accounts with stolen IAM credentials, which gave direct access to the AWS control plane. They enumerated the permissions those identities carried, then created and modified the resources needed to mine at scale: ECS task definitions and EC2 launch templates that pulled the malicious Docker Hub image, followed by bulk launches of EC2 instances and ECS tasks, with auto-scaling groups used where available to multiply instances. This is resource hijacking rather than lateral movement: every new instance or task simply ran the attacker's configuration, and startup scripts in the image started the miner as soon as a container came up, so the workloads needed no further interaction to keep mining. The attacker enabled termination protection on the instances so that a responder's first attempt to terminate them would fail, buying additional mining time. The only outbound traffic of note was the miners' connections to mining pools, which an environment with unrestricted egress will not flag on its own. No data exfiltration was reported; the impact was unauthorized compute consumption, the resulting cost, and incident response slowed by having to remove termination protection before the instances could be terminated.
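To make the path above concrete, here is an added detection example (my code, not GuardDuty's or AWS's) that runs a handful of rules over CloudTrail-style records: an access key minted for a different IAM user, a task definition that pulls from a public registry or asks for large CPU/memory, a burst of RunInstances/RunTask calls from one principal inside a short window, and ModifyInstanceAttribute turning termination protection on. The account ID, ARNs, instance and AMI IDs, image name, cluster name, timestamps and thresholds are all constructed for this example; the field names follow the CloudTrail record schema.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Assumed thresholds: tune to the account's normal deployment rhythm.
PUBLIC_REGISTRY_HOSTS = {"docker.io", "index.docker.io", "registry.hub.docker.com", "ghcr.io", "quay.io"}
LARGE_CPU_UNITS = 4096          # ECS task-level cpu (1024 units = 1 vCPU)
LARGE_MEMORY_MIB = 16384
BURST_THRESHOLD = 5             # launch calls from one principal inside BURST_WINDOW
BURST_WINDOW = timedelta(minutes=10)
LAUNCH_EVENTS = {("ec2.amazonaws.com", "RunInstances"), ("ecs.amazonaws.com", "RunTask")}


def is_public_registry(image):
    """True when an image reference resolves to a public registry.
    A reference with no registry host ("user/repo:tag" or just "repo") defaults to Docker Hub."""
    host = image.split("/")[0]
    if "/" not in image or ("." not in host and ":" not in host and host != "localhost"):
        return True
    return host in PUBLIC_REGISTRY_HOSTS


def _when(event):
    return datetime.strptime(event["eventTime"], "%Y-%m-%dT%H:%M:%SZ")


def detect(events):
    """Return (rule, actor_arn, detail) tuples for a sequence of CloudTrail records."""
    findings = []
    launches = defaultdict(list)          # actor ARN -> timestamps of launch calls
    for e in sorted(events, key=_when):
        src, name = e["eventSource"], e["eventName"]
        rp = e.get("requestParameters") or {}
        actor = e["userIdentity"].get("arn", "unknown")
        if name == "ModifyInstanceAttribute" and (rp.get("disableApiTermination") or {}).get("value") is True:
            findings.append(("termination_protection_enabled", actor, rp.get("instanceId")))
        elif name == "RegisterTaskDefinition":
            images = [c.get("image", "") for c in rp.get("containerDefinitions", [])]
            big = int(rp.get("cpu") or 0) >= LARGE_CPU_UNITS or int(rp.get("memory") or 0) >= LARGE_MEMORY_MIB
            if big or any(is_public_registry(i) for i in images):
                findings.append(("suspicious_task_definition", actor, rp.get("family")))
        elif (src, name) in LAUNCH_EVENTS:
            launches[actor].append(_when(e))
        elif name == "CreateAccessKey" and rp.get("userName") and not actor.endswith("/" + rp["userName"]):
            # A key for a user other than the caller is a classic persistence move.
            findings.append(("access_key_created_for_other_user", actor, rp["userName"]))
        elif name == "CreateUser":
            findings.append(("new_iam_user", actor, rp.get("userName")))
    # Sliding window over each principal's launch calls.
    for actor, times in launches.items():
        start = 0
        for end, t in enumerate(times):
            while t - times[start] > BURST_WINDOW:
                start += 1
            if end - start + 1 >= BURST_THRESHOLD:
                findings.append(("launch_burst", actor, end - start + 1))
                break
    return findings


# Constructed sample records (hypothetical account, users, IDs and image).
ACTOR = "arn:aws:iam::123456789012:user/ci-deploy"


def _ev(t, src, name, rp, actor=ACTOR):
    return {"eventTime": t, "eventSource": src, "eventName": name,
            "userIdentity": {"type": "IAMUser", "arn": actor}, "requestParameters": rp}


SAMPLE_EVENTS = [
    _ev("2025-12-01T09:00:00Z", "ecs.amazonaws.com", "RegisterTaskDefinition",
        {"family": "web", "cpu": "256", "memory": "512",
         "containerDefinitions": [{"name": "web", "image": "123456789012.dkr.ecr.us-east-1.amazonaws.com/web:1.2"}]},
        actor="arn:aws:iam::123456789012:user/dev-alice"),          # benign: private ECR image, small task
    _ev("2025-12-01T10:00:00Z", "iam.amazonaws.com", "CreateAccessKey", {"userName": "backup-admin"}),
    _ev("2025-12-01T10:01:00Z", "ecs.amazonaws.com", "RegisterTaskDefinition",
        {"family": "worker", "cpu": "4096", "memory": "16384",
         "containerDefinitions": [{"name": "worker", "image": "docker.io/example/worker:latest"}]}),
    *[_ev(f"2025-12-01T10:0{m}:00Z", "ecs.amazonaws.com", "RunTask",
          {"cluster": "prod", "taskDefinition": "worker", "count": 10, "launchType": "FARGATE"}) for m in range(2, 7)],
    _ev("2025-12-01T10:07:00Z", "ec2.amazonaws.com", "RunInstances",
        {"instanceType": "c5.24xlarge",
         "instancesSet": {"items": [{"imageId": "ami-0123456789abcdef0", "minCount": 1, "maxCount": 20}]}}),
    _ev("2025-12-01T10:08:00Z", "ec2.amazonaws.com", "ModifyInstanceAttribute",
        {"instanceId": "i-0123456789abcdef0", "disableApiTermination": {"value": True}}),
]


def run_sample():
    return detect(SAMPLE_EVENTS)


if __name__ == "__main__":
    for finding in run_sample():
        print(*finding)
```

The benign 09:00 record produces nothing; the four findings for `ci-deploy` come out in chronological order with the launch burst appended last because it is computed after the pass. In production the same rules would read from CloudTrail Lake, Athena over the S3 trail, or an EventBridge rule on `AWS API Call via CloudTrail`, and the burst threshold would be per account and per instance family rather than a single number.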
Kill Chain Progression
Initial Compromise
Description
The attacker used stolen or otherwise compromised IAM credentials to sign in to the victims' AWS accounts as legitimate principals. Because the credentials were valid, native access controls did not block the session; they granted whatever those identities were permitted to do in the cloud management plane.
MITRE ATT&CK® Techniques
- Valid Accounts (T1078)
- Data from Cloud Storage Object (T1530)
- Account Discovery: Cloud Account (T1087.004)
- Deploy Container (T1610)
- Create Account: Cloud Account (T1136.003)
- Impair Defenses: Disable or Modify Cloud Firewall (T1562.007)
- Resource Hijacking (T1496)
- Phishing: Spearphishing Attachment (T1566.001)
This page does not describe how the credentials were originally obtained, nor any read of cloud storage, so the Phishing and Data from Cloud Storage Object entries should be treated as candidate techniques rather than confirmed ones.
Potential Compliance Exposure
Mapping incident impact across multiple compliance frameworks.
PCI DSS 4.0 – Unique Authentication Credentials
Control ID: 8.2.2
NYDFS 23 NYCRR 500 – Cybersecurity Policy
Control ID: 500.03
DORA – Detection
Control ID: Article 10
CISA Zero Trust Maturity Model 2.0 – Credential Protection and Monitoring
Control ID: Identity Pillar, Outcome B
NIS2 Directive – Incident Handling
Control ID: Article 21(2)(b)
Sector Implications
Industry-specific impact of the campaign, including operational, regulatory, and cloud security risks.
Information Technology/IT
IT organizations running workloads on AWS are the direct targets of campaigns like this one; they need tight IAM hygiene, visibility across every account and region, and detection that treats unusual resource creation as a signal rather than noise.
Financial Services
Banks using AWS are exposed to resource hijacking through the same path; zero trust segmentation and egress control are what keep a compromised principal from launching miners that can reach their pools.
Health Care / Life Sciences
Healthcare organizations on cloud platforms risk compliance violations and service disruption from cryptomining campaigns that use compromised IAM credentials and containerized workloads.
Computer Software/Engineering
Software companies that run Docker containers on EC2 and ECS are exposed to the same persistence-backed cryptomining; container image provenance controls and anomaly detection on task and instance launches are the relevant defenses.
Sources
- Amazon: Ongoing cryptomining campaign uses hacked AWS accounts (BleepingComputer): https://www.bleepingcomputer.com/news/security/amazon-ongoing-cryptomining-campaign-uses-hacked-aws-accounts/
- GuardDuty Extended Threat Detection uncovers cryptomining campaign on Amazon EC2 and Amazon ECS (AWS Security Blog): https://aws.amazon.com/blogs/security/cryptomining-campaign-targeting-amazon-ec2-and-amazon-ecs/
- Crypto crooks co-opt stolen AWS creds to mine coins (The Register, 18 December 2025): https://www.theregister.com/2025/12/18/crypto_crooks_use_stolen_aws/
Cloud Native Security Fabric (CNSF) Mitigations and Controls
Zero Trust segmentation, east-west traffic controls, egress policy enforcement, network visibility, and microsegmentation could have confined the attack, surfaced the abnormal instance proliferation, and blocked the outbound mining-pool connections. CNSF controls built around least-privilege access and continuous threat monitoring would have shrunk the blast radius and shortened remediation.
Control: Multicloud Visibility & Control
Mitigation: Anomalous account logins and management activity would be detected rapidly.
Control: Zero Trust Segmentation
Mitigation: Unnecessary access paths and privilege escalation would be blocked.
Control: East-West Traffic Security
Mitigation: Movement between workloads, regions, or environments would be limited or prevented.
Control: Egress Security & Policy Enforcement
Mitigation: Outgoing mining traffic to unauthorized domains/IPs would be detected and blocked.
Control: Cloud Firewall (ACF)
Mitigation: Data and traffic egress to unapproved destinations would be blocked.
Rapid detection of abnormal auto-scaling, resource spikes, and blocked termination actions.
Impact at a Glance
Affected Business Functions
- Cloud Infrastructure Management
- Financial Operations
Estimated downtime: 3 days
Estimated loss: $50,000
No evidence of data exposure; the primary impact was unauthorized resource consumption leading to increased operational costs.
Recommended Actions
Key Takeaways & Next Steps
- Immediately implement Zero Trust segmentation and least-privilege policies for all IAM users and services.
- Enforce east-west and egress traffic controls, including application-layer FQDN filtering and cloud firewalling, to block unauthorized network flows.
- Continuously monitor cloud management activity and resource deployment for anomaly-based alerts and automated remediation triggers.
- Regularly rotate and audit IAM credentials, and restrict use of privileged roles through granular access control and segmentation.
- Deploy real-time threat detection and network observability to rapidly identify and contain suspicious resource or network activity across cloud environments.
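The credential-rotation and audit item above is the one that is easiest to automate and most often skipped. The following added example (my code, not an AWS tool) audits an IAM credential report of the kind returned by `aws iam get-credential-report`: it flags the root user without MFA or with active access keys, console users without MFA, and active access keys that are older than the rotation limit or have not been used recently. The report contents, account ID, user names and the 90-day/30-day thresholds are constructed for this example; the column layout is the credential report's own.

```python
import csv
import io
from datetime import datetime, timedelta, timezone

MAX_KEY_AGE = timedelta(days=90)     # assumed rotation policy
MAX_IDLE = timedelta(days=30)        # assumed "unused" threshold
ROOT = "<root_account>"              # how the credential report names the root user

# Constructed report (hypothetical account 123456789012 and users). Timestamps are ISO 8601;
# N/A, no_information and not_supported are the report's own "no value" markers.
SAMPLE_REPORT = """\
user,arn,user_creation_time,password_enabled,password_last_used,password_last_changed,password_next_rotation,mfa_active,access_key_1_active,access_key_1_last_rotated,access_key_1_last_used_date,access_key_1_last_used_region,access_key_1_last_used_service,access_key_2_active,access_key_2_last_rotated,access_key_2_last_used_date,access_key_2_last_used_region,access_key_2_last_used_service,cert_1_active,cert_1_last_rotated,cert_2_active,cert_2_last_rotated
<root_account>,arn:aws:iam::123456789012:root,2020-01-01T00:00:00+00:00,not_supported,2025-11-30T08:00:00+00:00,not_supported,not_supported,false,false,N/A,N/A,N/A,N/A,false,N/A,N/A,N/A,N/A,false,N/A,false,N/A
ci-deploy,arn:aws:iam::123456789012:user/ci-deploy,2024-03-01T00:00:00+00:00,false,N/A,N/A,N/A,false,true,2024-03-01T00:00:00+00:00,2025-12-01T10:00:00+00:00,us-east-1,ecs,false,N/A,N/A,N/A,N/A,false,N/A,false,N/A
dev-alice,arn:aws:iam::123456789012:user/dev-alice,2025-01-01T00:00:00+00:00,true,2025-12-01T09:00:00+00:00,2025-11-01T00:00:00+00:00,2026-01-30T00:00:00+00:00,true,true,2025-11-01T00:00:00+00:00,2025-12-01T09:30:00+00:00,us-east-1,s3,false,N/A,N/A,N/A,N/A,false,N/A,false,N/A
legacy-svc,arn:aws:iam::123456789012:user/legacy-svc,2022-06-01T00:00:00+00:00,false,N/A,N/A,N/A,false,true,2022-06-01T00:00:00+00:00,2025-06-01T00:00:00+00:00,us-east-1,ec2,false,N/A,N/A,N/A,N/A,false,N/A,false,N/A
"""

# Fixed "now" so the sample audit is reproducible (constructed).
NOW = datetime(2025, 12, 2, tzinfo=timezone.utc)


def _parse(value):
    """Return a timezone-aware datetime, or None for the report's 'no value' markers."""
    if value in ("N/A", "no_information", "not_supported", ""):
        return None
    return datetime.fromisoformat(value)


def audit(report_csv, now):
    """Return (user, issue) pairs for every hygiene problem found in the report."""
    issues = []
    for row in csv.DictReader(io.StringIO(report_csv)):
        user = row["user"]
        if user == ROOT:
            # Root has no password_enabled value in the report; check MFA and keys directly.
            if row["mfa_active"] != "true":
                issues.append((user, "root_without_mfa"))
            if row["access_key_1_active"] == "true" or row["access_key_2_active"] == "true":
                issues.append((user, "root_access_key_active"))
            continue
        if row["password_enabled"] == "true" and row["mfa_active"] != "true":
            issues.append((user, "console_user_without_mfa"))
        for k in ("1", "2"):
            if row[f"access_key_{k}_active"] != "true":
                continue
            rotated = _parse(row[f"access_key_{k}_last_rotated"])
            if rotated is None or now - rotated > MAX_KEY_AGE:
                issues.append((user, f"access_key_{k}_older_than_{MAX_KEY_AGE.days}d"))
            used = _parse(row[f"access_key_{k}_last_used_date"])
            if used is None or now - used > MAX_IDLE:
                issues.append((user, f"access_key_{k}_unused_{MAX_IDLE.days}d"))
    return issues


def audit_sample():
    return audit(SAMPLE_REPORT, NOW)


if __name__ == "__main__":
    for user, issue in audit_sample():
        print(f"{user}: {issue}")
```

Against the sample, `dev-alice` is clean, `ci-deploy` has a key that was never rotated since creation, and `legacy-svc` has a key that is both old and idle; the latter is exactly the kind of credential that ends up in an attacker's hands without anyone noticing, and deactivating it is the cheapest remediation on this list. Wiring the function to a scheduled job that calls `generate-credential-report`, then `get-credential-report`, gives a recurring audit without extra tooling.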