Executive Summary
In November 2025, Amazon Web Services (AWS) became the target of a widespread cryptomining campaign exploiting compromised Identity and Access Management (IAM) credentials. The attackers used stolen keys to access AWS accounts, deploy cryptomining operations, and leverage persistence mechanisms to avoid detection and maintain access. Amazon’s GuardDuty threat detection tools were instrumental in uncovering the activity, which leveraged novel Tactics, Techniques, and Procedures (TTPs) including lateral movement and privilege escalation, putting customer cloud resources and budgets at risk through accelerated resource consumption and possible data exposure.
This incident is emblematic of an escalating trend where threat actors exploit cloud identity weaknesses for financial gain. It underscores the urgent necessity for robust multi-factor authentication, real-time anomaly detection, and comprehensive cloud security strategies as identity-driven attacks proliferate in the cloud era.
Why This Matters Now
Cloud environments are increasingly targeted by attackers leveraging compromised credentials, as seen in this campaign. With the continued growth in cloud adoption, IAM credential security remains a critical concern, and organizations risk major financial and operational disruption if identity-driven threats are not rapidly detected and remediated.
Attack Path Analysis
Attackers gained access to AWS environments by using compromised IAM credentials, establishing an initial foothold through credential abuse. With those credentials they potentially escalated privileges to obtain broader or more persistent access to cloud resources. Lateral movement followed, as the adversaries spread across regions and workloads to deploy and sustain cryptomining operations. The attacker-controlled infrastructure communicated with external command servers to receive instructions and report mined currency. Although exfiltration of sensitive data was not the objective, command-and-control and outbound mining traffic enabled continued monetization. The final impact was sustained consumption of cloud compute for unauthorized cryptomining, driving financial loss and operational disruption.
Kill Chain Progression
Initial Compromise
Description
The attacker obtained and abused stolen AWS IAM credentials to gain access to the targeted AWS environment.
MITRE ATT&CK® Techniques
Valid Accounts
Modify Authentication Process: Cloud Accounts
User Execution
Native API
Account Manipulation
Impair Defenses: Disable or Modify Cloud Firewall
Resource Hijacking
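The kill-chain stages and techniques listed above are observable in CloudTrail, which is where a defender would look to reconstruct this kind of campaign. The following is an added example, not code from the original brief or from AWS: it maps CloudTrail management events onto the techniques the brief names, flags activity outside an assumed allow list of regions, and groups findings per access key so that a single stolen credential that creates a key, opens a security group and launches EC2 and ECS compute in unexpected regions shows up as one correlated story rather than four unrelated alerts. The records are constructed samples in the documented CloudTrail log-file shape; the account, key ids, security group id and IP addresses are placeholders, not indicators from the campaign.

```python
"""Correlate CloudTrail events along the credential-abuse kill chain.

Added example (not from the original brief or from AWS). Account id, access
key ids, security group id and IPs below are placeholders, not indicators.
"""
import json
from collections import defaultdict

# Regions this hypothetical account is expected to use (assumed allow list).
ALLOWED_REGIONS = {"us-east-1", "eu-west-1"}

# eventName -> (technique named in the brief, kill-chain stage)
SUSPICIOUS_EVENTS = {
    "CreateAccessKey": ("Account Manipulation", "persistence"),
    "CreateUser": ("Account Manipulation", "persistence"),
    "AttachUserPolicy": ("Account Manipulation", "privilege-escalation"),
    "AuthorizeSecurityGroupIngress": ("Impair Defenses: Disable or Modify Cloud Firewall", "defense-evasion"),
    "RunInstances": ("Resource Hijacking", "impact"),   # EC2 launch
    "RunTask": ("Resource Hijacking", "impact"),        # ECS task launch
    "CreateCluster": ("Resource Hijacking", "impact"),  # ECS cluster creation
}

def _opens_to_world(event):
    """True if an AuthorizeSecurityGroupIngress request permits 0.0.0.0/0."""
    perms = event.get("requestParameters", {}).get("ipPermissions", {}).get("items", [])
    return any(rng.get("cidrIp") == "0.0.0.0/0"
               for item in perms for rng in item.get("ipRanges", {}).get("items", []))

def classify_event(event, allowed_regions=ALLOWED_REGIONS):
    """Return a finding dict for a suspicious event, or None for routine activity."""
    name = event.get("eventName")
    region = event.get("awsRegion")
    technique, stage = SUSPICIOUS_EVENTS.get(name, (None, "anomaly"))
    reasons = []
    if technique:
        reasons.append(f"{name} maps to {technique}")
    if region not in allowed_regions:
        reasons.append(f"activity in unexpected region {region}")
    if name == "AuthorizeSecurityGroupIngress" and _opens_to_world(event):
        reasons.append("security group opened to 0.0.0.0/0")
    if not reasons:
        return None
    ident = event.get("userIdentity", {})
    return {"time": event["eventTime"], "principal": ident.get("userName"),
            "access_key": ident.get("accessKeyId"), "source_ip": event.get("sourceIPAddress"),
            "region": region, "stage": stage, "reasons": reasons}

def analyze(records, allowed_regions=ALLOWED_REGIONS):
    """Classify every record and keep only the suspicious ones."""
    return [f for f in (classify_event(r, allowed_regions) for r in records) if f]

def correlate(findings):
    """Group findings by access key: which kill-chain stages and regions each key touched."""
    by_key = defaultdict(lambda: {"stages": set(), "regions": set(), "count": 0})
    for f in findings:
        entry = by_key[f["access_key"]]
        entry["stages"].add(f["stage"])
        entry["regions"].add(f["region"])
        entry["count"] += 1
    return {k: {"stages": sorted(v["stages"]), "regions": sorted(v["regions"]), "count": v["count"]}
            for k, v in by_key.items()}

def lateral_movement_keys(correlation, min_regions=2):
    """Keys whose suspicious activity spans several regions: the spread the brief describes."""
    return sorted(k for k, v in correlation.items() if len(v["regions"]) >= min_regions)

# Constructed sample log in the CloudTrail log-file shape ({"Records": [...]}).
SAMPLE_LOG = json.dumps({"Records": [
    {"eventTime": "2025-11-02T01:10:00Z", "eventSource": "sts.amazonaws.com", "eventName": "GetCallerIdentity",
     "awsRegion": "us-east-1", "sourceIPAddress": "203.0.113.10",
     "userIdentity": {"type": "IAMUser", "userName": "ci-deploy", "accessKeyId": "AKIA_PLACEHOLDER_01"}},
    {"eventTime": "2025-11-02T01:12:00Z", "eventSource": "iam.amazonaws.com", "eventName": "CreateAccessKey",
     "awsRegion": "us-east-1", "sourceIPAddress": "203.0.113.10",
     "userIdentity": {"type": "IAMUser", "userName": "ci-deploy", "accessKeyId": "AKIA_PLACEHOLDER_01"},
     "requestParameters": {"userName": "ci-deploy"}},
    {"eventTime": "2025-11-02T01:20:00Z", "eventSource": "ec2.amazonaws.com", "eventName": "AuthorizeSecurityGroupIngress",
     "awsRegion": "ap-southeast-1", "sourceIPAddress": "203.0.113.10",
     "userIdentity": {"type": "IAMUser", "userName": "ci-deploy", "accessKeyId": "AKIA_PLACEHOLDER_01"},
     "requestParameters": {"groupId": "sg-0placeholder", "ipPermissions": {"items": [
         {"ipProtocol": "tcp", "fromPort": 22, "toPort": 22, "ipRanges": {"items": [{"cidrIp": "0.0.0.0/0"}]}}]}}},
    {"eventTime": "2025-11-02T01:25:00Z", "eventSource": "ec2.amazonaws.com", "eventName": "RunInstances",
     "awsRegion": "ap-southeast-1", "sourceIPAddress": "203.0.113.10",
     "userIdentity": {"type": "IAMUser", "userName": "ci-deploy", "accessKeyId": "AKIA_PLACEHOLDER_01"}},
    {"eventTime": "2025-11-02T01:40:00Z", "eventSource": "ecs.amazonaws.com", "eventName": "RunTask",
     "awsRegion": "sa-east-1", "sourceIPAddress": "203.0.113.10",
     "userIdentity": {"type": "IAMUser", "userName": "ci-deploy", "accessKeyId": "AKIA_PLACEHOLDER_01"}},
    {"eventTime": "2025-11-02T09:00:00Z", "eventSource": "ec2.amazonaws.com", "eventName": "DescribeInstances",
     "awsRegion": "eu-west-1", "sourceIPAddress": "198.51.100.7",
     "userIdentity": {"type": "IAMUser", "userName": "alice", "accessKeyId": "AKIA_PLACEHOLDER_02"}},
]})
SAMPLE_EVENTS = json.loads(SAMPLE_LOG)["Records"]

if __name__ == "__main__":
    findings = analyze(SAMPLE_EVENTS)
    correlation = correlate(findings)
    for key, summary in correlation.items():
        print(key, summary)
    print("keys spanning several regions:", lateral_movement_keys(correlation))
```

The point of grouping by access key rather than alerting per event is that each individual action (creating a key, opening a port, launching an instance) is routine in isolation; the sequence under one credential, spread over regions the account never uses, is what distinguishes a hijacked key from an administrator's afternoon. In production the same logic would run over CloudTrail delivered to S3 or through a SIEM rather than an inline sample.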
Potential Compliance Exposure
Mapping incident impact across multiple compliance frameworks.
PCI DSS 4.0 – Secure Authentication Processes
Control ID: 8.3.1
NYDFS 23 NYCRR 500 – Cybersecurity Program
Control ID: 500.02
DORA (Digital Operational Resilience Act) – ICT Risk Management Framework
Control ID: Article 9
CISA Zero Trust Maturity Model (ZTMM) 2.0 – Identity Verification and Access Controls
Control ID: Identity Pillar: Credential and Access Management
NIS2 Directive – Cybersecurity Risk Management Measures
Control ID: Article 21
Sector Implications
Industry-specific impact of the vulnerabilities, including operational, regulatory, and cloud security risks.
Information Technology/IT
AWS cryptomining attacks exploit compromised IAM credentials, requiring enhanced zero trust segmentation, egress security, and multicloud visibility controls for infrastructure protection.
Financial Services
Cryptocurrency mining campaigns threaten financial infrastructure through IAM compromise, demanding strengthened threat detection, anomaly response, and encrypted traffic capabilities for compliance.
Health Care / Life Sciences
AWS credential theft enables cryptomining attacks against healthcare cloud systems, necessitating HIPAA-compliant east-west traffic security and Kubernetes security implementations.
Computer Software/Engineering
Software development environments face IAM-based cryptomining threats, requiring cloud native security fabric and inline IPS protection for development infrastructure security.
Sources
- Compromised IAM Credentials Power a Large AWS Crypto Mining Campaign: https://thehackernews.com/2025/12/compromised-iam-credentials-power-large.html
- GuardDuty Extended Threat Detection uncovers cryptomining campaign on Amazon EC2 and Amazon ECS: https://aws.amazon.com/blogs/security/cryptomining-campaign-targeting-amazon-ec2-and-amazon-ecs/
- Crypto crooks co-opt stolen AWS creds to mine coins: https://www.theregister.com/2025/12/18/crypto_crooks_use_stolen_aws/
Cloud Native Security Fabric (CNSF) Mitigations and Controls
Applying CNSF controls such as zero trust segmentation, egress policy enforcement, east-west traffic security, cloud firewalling, threat detection, and centralized visibility would have greatly reduced the ability for adversaries to use compromised credentials, move laterally, and operate cryptomining workloads undetected. These mechanisms disrupt lateral spread, restrict external communications, and surface anomalies for rapid response.
Control: Cloud Native Security Fabric (CNSF)
Mitigation: Early detection of unauthorized access attempts using inline enforcement and visibility.
Control: Zero Trust Segmentation
Mitigation: Constrains privilege escalation by enforcing least privilege access boundaries.
Control: East-West Traffic Security
Mitigation: Prevents unauthorized internal traffic flows and lateral attacks.
Control: Egress Security & Policy Enforcement
Mitigation: Blocks or alerts on unauthorized outbound traffic to external endpoints.
Control: Cloud Firewall (ACF)
Mitigation: Detects and prevents external data exfiltration via cloud perimeter controls.
Rapid detection and containment of abnormal cloud resource usage.
Impact at a Glance
Affected Business Functions
- Cloud Infrastructure Management
- Financial Operations
Estimated downtime: 3 days
Estimated loss: $50,000
No direct data exposure reported; however, unauthorized access to AWS resources could potentially lead to data breaches if not promptly addressed.
Recommended Actions
Key Takeaways & Next Steps
- Enforce zero trust segmentation and least privilege IAM roles to contain the blast radius of credential compromise.
- Implement centralized egress filtering and policy enforcement to disrupt cryptominer command-and-control traffic.
- Deploy east-west traffic segmentation to prevent lateral movement between cloud workloads and regions.
- Enable comprehensive threat detection and baselining to surface anomalous resource usage indicative of cryptomining campaigns.
- Regularly review and audit IAM credential exposure and rotate sensitive access keys to reduce the window of exploitation.
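The last two recommendations, auditing IAM credential exposure and rotating long-lived keys, have a concrete starting point in the IAM credential report. The following is an added example, not code from the original brief or from AWS: it parses the CSV that `aws iam get-credential-report` returns (column names as AWS documents them) and flags console users without MFA, active access keys past an assumed rotation age, active keys that are stale or have never been used, and any access key on the root account. The report text, account id, user names and dates are a constructed sample.

```python
"""Audit an IAM credential report for the exposures the recommendations target.

Added example (not from the original brief or from AWS). The report below is
a constructed sample; 111122223333 is a placeholder account id.
"""
import csv
import io
from datetime import datetime, timezone

MAX_KEY_AGE_DAYS = 90   # assumed policy: rotate long-lived keys at least this often
STALE_KEY_DAYS = 45     # assumed policy: an active key unused this long is a deletion candidate

ISSUE_NO_MFA = "console password without MFA"
ISSUE_ROOT_KEY = "root access key active"
ISSUE_OLD_KEY = "access key older than rotation limit"
ISSUE_UNUSED_KEY = "active access key never used"
ISSUE_STALE_KEY = "active access key stale"

def parse_report(csv_text):
    """Return the credential report as a list of row dicts keyed by column name."""
    return list(csv.DictReader(io.StringIO(csv_text)))

def _parse_time(value):
    """Report timestamps are ISO 8601; N/A, no_information and not_supported mean absent."""
    if not value or value in ("N/A", "no_information", "not_supported"):
        return None
    return datetime.fromisoformat(value)

def audit_credentials(rows, now, max_key_age_days=MAX_KEY_AGE_DAYS, stale_key_days=STALE_KEY_DAYS):
    """Return a list of {"user", "issue", "detail"} findings for the report rows."""
    findings = []

    def add(user, issue, detail=""):
        findings.append({"user": user, "issue": issue, "detail": detail})

    for row in rows:
        user = row["user"]
        # Console access without a second factor is the weakness the brief calls out.
        if row.get("password_enabled") == "true" and row.get("mfa_active") != "true":
            add(user, ISSUE_NO_MFA)
        for n in ("1", "2"):
            if row.get(f"access_key_{n}_active") != "true":
                continue
            if user == "<root_account>":
                add(user, ISSUE_ROOT_KEY, f"access_key_{n}")
            rotated = _parse_time(row.get(f"access_key_{n}_last_rotated"))
            if rotated and (now - rotated).days > max_key_age_days:
                add(user, ISSUE_OLD_KEY, f"access_key_{n}: {(now - rotated).days} days since rotation")
            last_used = _parse_time(row.get(f"access_key_{n}_last_used_date"))
            if last_used is None:
                add(user, ISSUE_UNUSED_KEY, f"access_key_{n}")
            elif (now - last_used).days > stale_key_days:
                add(user, ISSUE_STALE_KEY, f"access_key_{n}: unused for {(now - last_used).days} days")
    return findings

def summarize(findings):
    """Map each user to the sorted list of issue names raised against it."""
    by_user = {}
    for f in findings:
        by_user.setdefault(f["user"], []).append(f["issue"])
    return {user: sorted(issues) for user, issues in by_user.items()}

# Constructed sample in the credential report's documented column layout.
SAMPLE_REPORT = """\
user,arn,user_creation_time,password_enabled,password_last_used,password_last_changed,password_next_rotation,mfa_active,access_key_1_active,access_key_1_last_rotated,access_key_1_last_used_date,access_key_1_last_used_region,access_key_1_last_used_service,access_key_2_active,access_key_2_last_rotated,access_key_2_last_used_date,access_key_2_last_used_region,access_key_2_last_used_service,cert_1_active,cert_1_last_rotated,cert_2_active,cert_2_last_rotated
<root_account>,arn:aws:iam::111122223333:root,2020-01-01T00:00:00+00:00,not_supported,2025-12-18T06:00:00+00:00,not_supported,not_supported,true,true,2025-12-10T00:00:00+00:00,2025-12-18T05:00:00+00:00,us-east-1,sts,false,N/A,N/A,N/A,N/A,false,N/A,false,N/A
alice,arn:aws:iam::111122223333:user/alice,2024-03-01T00:00:00+00:00,true,2025-12-19T08:00:00+00:00,2025-10-01T00:00:00+00:00,N/A,true,true,2025-11-20T09:00:00+00:00,2025-12-19T07:30:00+00:00,eu-west-1,s3,false,N/A,N/A,N/A,N/A,false,N/A,false,N/A
bob,arn:aws:iam::111122223333:user/bob,2023-06-01T00:00:00+00:00,true,2025-12-15T10:00:00+00:00,2025-01-10T00:00:00+00:00,N/A,false,true,2024-11-15T08:00:00+00:00,2025-12-19T10:00:00+00:00,us-east-1,ec2,true,2025-12-01T00:00:00+00:00,N/A,N/A,N/A,false,N/A,false,N/A
ci-deploy,arn:aws:iam::111122223333:user/ci-deploy,2024-01-15T00:00:00+00:00,false,no_information,N/A,N/A,false,true,2025-04-01T00:00:00+00:00,2025-06-01T12:00:00+00:00,us-east-1,ecr,false,N/A,N/A,N/A,N/A,false,N/A,false,N/A
"""

# Fixed "now" so the sample evaluates the same way every run.
SAMPLE_NOW = datetime(2025, 12, 20, tzinfo=timezone.utc)

if __name__ == "__main__":
    for user, issues in summarize(audit_credentials(parse_report(SAMPLE_REPORT), SAMPLE_NOW)).items():
        print(f"{user}: {', '.join(issues)}")
```

In practice the report is fetched with `aws iam generate-credential-report` followed by `aws iam get-credential-report` (the latter returns it base64-encoded), and the audit runs on a schedule so a key that was legitimate at creation but has since gone unused, or has outlived its rotation window, is caught before it becomes the initial access vector described in this brief.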