Executive Summary
In early 2024, threat actors exploited stolen Amazon Web Services (AWS) Identity and Access Management (IAM) credentials to launch an extensive cryptomining campaign. Attackers gained unauthorized access to multiple customer environments, leveraging compromised IAM keys to provision and operate Amazon EC2 instances at scale. This unauthorized infrastructure was then used to mine cryptocurrency, resulting in significant financial losses, increased resource utilization, and additional operational overhead for affected organizations. The incident exposed critical gaps in cloud credential management and highlighted the attackers’ agility in abusing cloud-native services for illicit profit.
This attack underscores a growing trend in which cybercriminals rapidly pivot to cloud environments by exploiting mismanaged or stolen credentials. As more businesses migrate workloads to multi-cloud platforms, identity-driven threats and cryptojacking incidents are rising, and organizations need to reexamine their cloud security postures and access controls.
Why This Matters Now
With the prevalence of cloud adoption, attackers are prioritizing credential theft to rapidly monetize compromised platforms through cryptomining. This incident exemplifies the rising urgency to address identity security, detect abnormal resource usage, and implement least privilege across cloud environments before exploitation can occur.
Attack Path Analysis
Attackers initially accessed AWS environments using stolen IAM credentials, gaining remote entry. They then escalated privileges by abusing the permissions available to those credentials to reach further resources. Next, the adversaries moved laterally across EC2 instances and potentially into other AWS regions. After establishing a foothold, the attackers set up remote control channels for persistent access and script execution. Data egress was limited but could include unmonitored use of EC2 infrastructure. Ultimately, the attackers deployed cryptomining workloads, consuming compute resources for financial gain.
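Each stage of the path above leaves a trace in CloudTrail: a known access key used from a new source IP, IAM calls that widen the key's permissions, API activity in a region the key never used, and bulk EC2 provisioning. The following is an added detection example, not code from the report or from any vendor; the CloudTrail records, the baseline, the access key ID and the RunInstances threshold are all constructed, and the field names follow the CloudTrail event format.

```python
"""Detect the stolen-credential kill chain stages from CloudTrail records.

Added example; the records, baseline and thresholds below are constructed.
Field names follow the CloudTrail event format (eventName, awsRegion,
sourceIPAddress, userIdentity.accessKeyId, requestParameters).
"""
import json
from collections import defaultdict

# Constructed baseline: source IPs and regions each access key normally uses.
# In practice this is derived from a trailing window of CloudTrail history.
BASELINE = {
    "AKIAEXAMPLE000000001": {"ips": {"203.0.113.10"}, "regions": {"us-east-1"}},
}

# IAM/STS calls that extend an identity's reach (CloudTrail eventName values).
PRIV_ESCALATION_CALLS = {
    "CreateAccessKey", "AttachUserPolicy", "CreateUser",
    "PutUserPolicy", "AttachRolePolicy", "UpdateAssumeRolePolicy",
}

RUN_INSTANCES_MAX = 5  # constructed threshold for one RunInstances call

# Constructed CloudTrail log lines: one benign call, then a new-IP login,
# a permission grant, and a bulk launch of large instances in a new region.
SAMPLE_LOG_LINES = [
    '{"eventName": "DescribeInstances", "awsRegion": "us-east-1", '
    '"sourceIPAddress": "203.0.113.10", '
    '"userIdentity": {"accessKeyId": "AKIAEXAMPLE000000001"}}',
    '{"eventName": "GetCallerIdentity", "awsRegion": "us-east-1", '
    '"sourceIPAddress": "198.51.100.77", '
    '"userIdentity": {"accessKeyId": "AKIAEXAMPLE000000001"}}',
    '{"eventName": "AttachUserPolicy", "awsRegion": "us-east-1", '
    '"sourceIPAddress": "198.51.100.77", '
    '"userIdentity": {"accessKeyId": "AKIAEXAMPLE000000001"}, '
    '"requestParameters": {"policyArn": "arn:aws:iam::aws:policy/AdministratorAccess"}}',
    '{"eventName": "RunInstances", "awsRegion": "ap-southeast-1", '
    '"sourceIPAddress": "198.51.100.77", '
    '"userIdentity": {"accessKeyId": "AKIAEXAMPLE000000001"}, '
    '"requestParameters": {"instanceType": "c5.24xlarge", '
    '"instancesSet": {"items": [{"minCount": 20, "maxCount": 20}]}}}',
]


def parse_events(lines):
    """Parse JSON log lines into CloudTrail event dicts."""
    return [json.loads(line) for line in lines]


def _instance_count(event):
    """Total instances requested by a RunInstances event."""
    params = event.get("requestParameters") or {}
    items = ((params.get("instancesSet") or {}).get("items")) or []
    return sum(int(i.get("maxCount", 1)) for i in items)


def detect_credential_abuse(events, baseline=BASELINE):
    """Return (stage, access_key, detail) findings in event order."""
    findings = []
    seen_ips = defaultdict(set)      # new IPs already reported per key
    seen_regions = defaultdict(set)  # new regions already reported per key
    for ev in events:
        key = ev.get("userIdentity", {}).get("accessKeyId", "")
        ip = ev.get("sourceIPAddress", "")
        region = ev.get("awsRegion", "")
        name = ev.get("eventName", "")
        known = baseline.get(key, {"ips": set(), "regions": set()})
        # Stage 1: a known key used from a source IP never seen for it.
        if ip not in known["ips"] and ip not in seen_ips[key]:
            seen_ips[key].add(ip)
            findings.append(("initial_access", key, f"{name} from new IP {ip}"))
        # Stage 2: identity or permission changes made with that key.
        if name in PRIV_ESCALATION_CALLS:
            findings.append(("privilege_escalation", key, name))
        # Stage 3: activity in a region the key has never operated in.
        if region not in known["regions"] and region not in seen_regions[key]:
            seen_regions[key].add(region)
            findings.append(("lateral_movement", key, f"{name} in {region}"))
        # Stage 4: bulk compute provisioning, the cryptomining signature.
        if name == "RunInstances":
            n = _instance_count(ev)
            if n > RUN_INSTANCES_MAX:
                findings.append(("resource_hijacking", key,
                                 f"RunInstances x{n} in {region}"))
    return findings


if __name__ == "__main__":
    for stage, key, detail in detect_credential_abuse(parse_events(SAMPLE_LOG_LINES)):
        print(f"{stage:22s} {key}  {detail}")
```

The baseline is the important design choice: per-key history of source IPs and regions turns a single anomalous call into an early alert, well before the RunInstances burst that billing alarms would catch days later.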
Kill Chain Progression
Initial Compromise
Description
Attackers obtained and used stolen AWS IAM credentials to log into targeted accounts and access cloud resources.
Related CVEs
CVE-2025-51591
CVSS 7.5 – Pandoc versions prior to 2.14.2 allow remote attackers to perform Server-Side Request Forgery (SSRF) via crafted HTML documents containing <iframe> elements, potentially leading to unauthorized access to internal resources such as the AWS Instance Metadata Service (IMDS).
Affected Products:
Pandoc – < 2.14.2
Exploit Status:
exploited in the wild
MITRE ATT&CK® Techniques
Techniques represent credential abuse, cloud resource compromise, and cryptomining; full enrichment available via STIX/TAXII in future.
Valid Accounts
Modify Authentication Process: Web Portal
Multifactor Authentication Interception
Native API
Acquire Infrastructure: Cloud Accounts
Resource Hijacking
Stage Capabilities: Upload Malware
Potential Compliance Exposure
Mapping incident impact across multiple compliance frameworks.
PCI DSS 4.0 – Secure Authentication for Access to CDE
Control ID: 8.3.1
NYDFS 23 NYCRR 500 – Cybersecurity Policy
Control ID: 500.03
NIS2 Directive – Access Control Policies
Control ID: Art. 21(2)(c)
CISA ZTMM 2.0 – Continuous Authentication and Monitoring
Control ID: Identity Pillar – Continuous Monitoring
DORA (EU Digital Operational Resilience Act) – ICT Risk Management Framework
Control ID: Art. 9
Sector Implications
Industry-specific impact of the vulnerabilities, including operational, regulatory, and cloud security risks.
Financial Services
AWS credential theft enables cryptomining attacks compromising cloud infrastructure, violating PCI compliance requirements and exposing sensitive financial data through lateral movement.
Health Care / Life Sciences
Stolen IAM credentials facilitate unauthorized EC2 access for cryptomining operations, breaching HIPAA encryption standards and compromising patient data protection mechanisms.
Information Technology/IT
Cryptomining campaigns using compromised AWS credentials directly target IT infrastructure, exploiting multi-cloud environments and overwhelming security monitoring capabilities across client systems.
Government Administration
AWS IAM credential compromise enables cryptomining attacks on government cloud resources, violating NIST compliance frameworks and exposing critical infrastructure to threat actors.
Sources
- Attackers Use Stolen AWS Credentials in Cryptomining Campaign – https://www.darkreading.com/cloud-security/attackers-use-stolen-aws-credentials-cryptomining (Verified)
- GuardDuty Extended Threat Detection uncovers cryptomining campaign on Amazon EC2 and Amazon ECS – https://aws.amazon.com/blogs/security/cryptomining-campaign-targeting-amazon-ec2-and-amazon-ecs/ (Verified)
- AWS systems targeted by crypto mining scam using hijacked IAM credentials – https://www.techradar.com/pro/security/aws-systems-targeted-by-crypto-mining-scam-using-hijacked-iam-credentials (Verified)
- Hackers Exploit Pandoc CVE-2025-51591 to Target AWS IMDS and Steal EC2 IAM Credentials – https://thehackernews.com/2025/09/hackers-exploit-pandoc-cve-2025-51591.html (Verified)
Cloud Native Security Fabric (CNSF) Mitigations and Controls
Zero Trust segmentation, workload-to-workload controls, and egress policy enforcement would have limited unauthorized movement and blocked malicious payloads from being established or communicating out of the AWS environment. Centralized visibility, threat detection, and granular policy would have hindered both the spread and operational persistence of the cryptomining campaign.
Control: Multicloud Visibility & Control
Mitigation: Improved detection of unusual login/access patterns via centralized observability.
Control: Zero Trust Segmentation
Mitigation: Isolation of workload roles to block automatic privilege expansion between identities.
Control: East-West Traffic Security
Mitigation: Lateral movements are blocked by granular inter-workload traffic policies.
Control: Egress Security & Policy Enforcement
Mitigation: Outbound connections to unauthorized mining pools or C2 servers are detected and blocked.
Control: Cloud Firewall (ACF)
Mitigation: Unusual or unapproved outbound data flows are identified and halted.
Rapid detection and response to unauthorized resource-consuming activity.
Impact at a Glance
Affected Business Functions
- Cloud Infrastructure Management
- Financial Operations
Estimated downtime: 3 days
Estimated loss: $50,000
Potential exposure of AWS IAM credentials leading to unauthorized access and control over cloud resources.
Recommended Actions
Key Takeaways & Next Steps
- Enforce granular least-privilege access and zero trust segmentation to reduce the attack surface from compromised identities.
- Implement east-west microsegmentation to prevent lateral movement across workloads and environments.
- Apply robust egress filtering and DNS/FQDN controls to block unauthorized C2 and cryptomining destinations.
- Centralize cloud activity monitoring to enhance detection of anomalous logins, role abuse, and resource usage patterns.
- Automate incident response using real-time threat detection and distributed policy to disrupt cryptomining and similar attacks early.
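The first takeaway, least-privilege access, is concrete enough to check mechanically. Below is an added example, not code from the report or from any vendor, that lints an IAM policy document for the patterns that turn a leaked key into a cryptomining fleet (wildcard actions, sensitive actions on every resource, no MFA condition) and builds a Deny policy that caps where and how large EC2 instances can be launched. The policies and the account ID are constructed; the condition keys aws:MultiFactorAuthPresent, aws:RequestedRegion and ec2:InstanceType are real IAM keys.

```python
"""Least-privilege checks for IAM policy documents.

Added example; the policies and account ID below are constructed.
Condition keys used (aws:MultiFactorAuthPresent, aws:RequestedRegion,
ec2:InstanceType) are real IAM global/EC2 condition keys.
"""
import json

# Actions that matter most when a key is stolen: anything that mints new
# credentials, assumes roles, or provisions compute.
SENSITIVE_PREFIXES = ("iam:", "sts:AssumeRole", "ec2:RunInstances")

# Constructed: the kind of policy that lets a stolen key do anything.
PERMISSIVE_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{"Effect": "Allow", "Action": "*", "Resource": "*"}],
}

# Constructed: scoped actions, one region and account, MFA required.
HARDENED_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{
        "Effect": "Allow",
        "Action": ["ec2:RunInstances", "ec2:DescribeInstances"],
        "Resource": "arn:aws:ec2:us-east-1:123456789012:*",
        "Condition": {"Bool": {"aws:MultiFactorAuthPresent": "true"}},
    }],
}


def _as_list(value):
    """IAM allows a string or a list in Action/Resource; normalise to list."""
    return value if isinstance(value, list) else [value]


def _is_sensitive(action):
    return action == "*" or action.startswith(SENSITIVE_PREFIXES)


def lint_policy(policy):
    """Return human-readable findings for an IAM policy document (dict)."""
    findings = []
    for i, stmt in enumerate(_as_list(policy.get("Statement", []))):
        if stmt.get("Effect") != "Allow":
            continue  # Deny statements only narrow access
        actions = _as_list(stmt.get("Action", []))
        resources = _as_list(stmt.get("Resource", []))
        condition = stmt.get("Condition") or {}
        sensitive = any(_is_sensitive(a) for a in actions)
        for a in actions:
            if a == "*" or a.endswith(":*"):
                findings.append(f"stmt[{i}]: wildcard action {a!r}")
        if sensitive and "*" in resources:
            findings.append(f"stmt[{i}]: sensitive action allowed on Resource '*'")
        mfa = condition.get("Bool", {}).get("aws:MultiFactorAuthPresent")
        if sensitive and str(mfa).lower() != "true":
            findings.append(f"stmt[{i}]: sensitive action without MFA condition")
    return findings


def region_and_size_guard(allowed_regions, allowed_instance_types):
    """Build Deny statements that cap where and how large compute can be
    launched, so bulk provisioning fails even if a RunInstances-capable key leaks."""
    return {
        "Version": "2012-10-17",
        "Statement": [
            {
                "Effect": "Deny",
                "Action": "ec2:RunInstances",
                "Resource": "*",
                "Condition": {"StringNotEquals": {
                    "aws:RequestedRegion": sorted(allowed_regions)}},
            },
            {
                "Effect": "Deny",
                "Action": "ec2:RunInstances",
                "Resource": "arn:aws:ec2:*:*:instance/*",
                "Condition": {"StringNotEquals": {
                    "ec2:InstanceType": sorted(allowed_instance_types)}},
            },
        ],
    }


if __name__ == "__main__":
    for name, pol in (("permissive", PERMISSIVE_POLICY), ("hardened", HARDENED_POLICY)):
        print(name, lint_policy(pol) or "no findings")
    print(json.dumps(region_and_size_guard({"us-east-1"}, {"t3.micro", "t3.small"}), indent=2))
```

The guard policy is meant to sit above the identity (as a permissions boundary or organization-level policy), so it constrains every key in scope regardless of what the key's own policy allows; attaching it only to the policy being linted would leave other identities uncovered.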