Amazon has detected an ongoing campaign targeting its customers using compromised Identity and Access Management (IAM) credentials to enable cryptocurrency mining. The attackers, operating from an external hosting provider, employed new persistence techniques to evade incident response and continue unimpeded.
The multi-stage attack chain begins with leveraging compromised IAM user credentials that carry admin-like privileges, probing the environment for EC2 service quotas, and deploying crypto mining resources across ECS and EC2. To avoid incurring costs and to minimize the forensic trail, the attackers use the “DryRun” flag of the RunInstances API.
Next, they create IAM roles for autoscaling groups and AWS Lambda, attaching the “AWSLambdaBasicExecutionRole” policy to the Lambda role. The threat actor then creates dozens of ECS clusters, in some cases more than 50, and uses a malicious DockerHub image to start crypto mining on ECS Fargate nodes.
The attackers also exploited EC2 service quotas by creating autoscaling groups that scale from 20 to 999 instances. To maximize resource consumption, they prevented instance termination using the “disableApiTermination” parameter, impairing incident response capabilities and disrupting automated remediation controls.
Amazon emphasized that this campaign does not constitute a vulnerability within its cloud service; rather, it requires that the attacker already possess valid customer credentials. The company urged customers to enforce strong identity and access management controls, use temporary credentials, enable multi-factor authentication, apply the principle of least privilege, and monitor for unusual CPU allocation requests.
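The attack chain and the monitoring advice above translate into a handful of CloudTrail checks. The following is an added example, not code from Amazon or the original article: it scans constructed CloudTrail-style records for the DryRun probing, oversized autoscaling groups, termination protection and ECS cluster bursts described above. The record layout (eventSource, eventName, requestParameters, errorCode) follows the CloudTrail format, but the sample values, thresholds and rule names are assumptions for this example.

```python
"""Flag CloudTrail events that match the crypto-mining campaign's techniques."""
from collections import Counter

# Thresholds are assumptions for this example; tune them to your environment.
MAX_SIZE_THRESHOLD = 100      # autoscaling groups allowed to grow this large
CLUSTER_BURST_THRESHOLD = 10  # ECS clusters created by a single principal


def _truthy(value):
    # CloudTrail renders some EC2 attribute booleans as {"value": true}
    return bool(value.get("value")) if isinstance(value, dict) else bool(value)


def find_suspicious(records):
    """Return (rule, identifier) pairs for records matching the campaign's TTPs."""
    findings, clusters = [], Counter()
    for r in records:
        src, name, eid = r.get("eventSource"), r.get("eventName"), r.get("eventID")
        params = r.get("requestParameters") or {}
        # Dry-run launches surface in CloudTrail as a DryRunOperation error
        if src == "ec2.amazonaws.com" and name == "RunInstances" \
                and r.get("errorCode") == "Client.DryRunOperation":
            findings.append(("ec2-dryrun-probe", eid))
        # Termination protection set at launch or afterwards
        if src == "ec2.amazonaws.com" and name in ("RunInstances", "ModifyInstanceAttribute") \
                and _truthy(params.get("disableApiTermination", False)):
            findings.append(("termination-protection-set", eid))
        # Autoscaling group sized far beyond normal (campaign used 20 -> 999)
        if src == "autoscaling.amazonaws.com" and name == "CreateAutoScalingGroup" \
                and int(params.get("maxSize", 0)) >= MAX_SIZE_THRESHOLD:
            findings.append(("asg-oversized", eid))
        if src == "ecs.amazonaws.com" and name == "CreateCluster":
            clusters[(r.get("userIdentity") or {}).get("arn")] += 1
    # Many ECS clusters from one principal in the scanned window
    for arn, count in clusters.items():
        if count >= CLUSTER_BURST_THRESHOLD:
            findings.append(("ecs-cluster-burst", arn))
    return findings


# Constructed sample records (not real CloudTrail output)
SAMPLE_RECORDS = [
    {"eventID": "e1", "eventSource": "ec2.amazonaws.com", "eventName": "RunInstances",
     "errorCode": "Client.DryRunOperation", "requestParameters": {"instanceType": "c5.24xlarge"}},
    {"eventID": "e2", "eventSource": "autoscaling.amazonaws.com", "eventName": "CreateAutoScalingGroup",
     "requestParameters": {"autoScalingGroupName": "asg-x", "minSize": 20, "maxSize": 999}},
    {"eventID": "e3", "eventSource": "ec2.amazonaws.com", "eventName": "ModifyInstanceAttribute",
     "requestParameters": {"instanceId": "i-0123", "disableApiTermination": {"value": True}}},
    {"eventID": "e4", "eventSource": "ec2.amazonaws.com", "eventName": "DescribeInstances",
     "requestParameters": {}},  # benign read-only call, should not be flagged
] + [{"eventID": f"c{i}", "eventSource": "ecs.amazonaws.com", "eventName": "CreateCluster",
      "userIdentity": {"arn": "arn:aws:iam::111122223333:user/compromised-user"},
      "requestParameters": {"clusterName": f"cluster-{i}"}} for i in range(12)]

if __name__ == "__main__":
    for rule, ident in find_suspicious(SAMPLE_RECORDS):
        print(rule, ident)
```

In production the same function would run over records pulled from CloudTrail Lake or an S3 trail, with the ECS cluster count evaluated per principal per time window.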
Source: https://thehackernews.com/2025/12/compromised-iam-credentials-power-large.html