Digital currency mining worm targets AWS credentials: researchers

Getting your Trinity Audio player ready...

Cybersecurity researchers have uncovered a new digital currency mining worm which specifically targets Amazon Web Services (AWS) credentials, in what is believed to be a first of its kind threat.

In a new report, cybersecurity firm Cado Security described the attack as “unsophisticated,” having only raised $300 according to blockchain data.

However, the report highlighted the unusual functionality, specifically targeting AWS credentials, which could inspire a new generation of hackers intent on using stolen resources for block reward mining.

Cado Security said this reflects a broader trend of hackers moving towards attacking cloud and container environments, as more companies and other organizations move to cloud based services.

Known as TeamTNT, the hacking group recycled code from another worm, Kinsing, which has been used to attack Alibaba Cloud Security tools. According to the report, this technique could now see future hackers copying TeamTNT code, which would mean the prevalence of AWS facing attacks will likely increase over time.

As has become common for mining attacks of this type, the TeamTNT worm uses XMRig to mine for Monero. By harvesting cloud resources from victims, the hackers were intent on powering their mining operation from hacked resources, allowing them to profit from Monero mining on a mass scale.

Research into the MoneroOcean mining pool revealed 119 compromised systems that had been successfully attacked by the hack so far.

The mining attacks can be described as a form of cryptojacking, one of the fastest growing forms of online cybercrime. Cryptojacking attacks effectively steal processing power from unsuspecting victims, which the hackers use to run crypto mining scripts to their own benefit.

As a result, these types of hacks often fly under the radar of detection, especially in organizations without the technical expertise to understand the nature of threat.