Discoveries revealed an Indonesian threat actor driven by financial motives is exploiting Amazon Web Services (AWS) Elastic Compute Cloud (EC2) instances to engage in unauthorized cryptocurrency mining operations.
Permiso P0 Labs, a cloud security company that initially identified the group in November 2021, has named them GUI-vil (pronounced Goo-ee-vil).
According to a report, the group love using Graphical User Interface (GUI) tools, particularly S3 Browser (version 9.5.5), for their initial activities. Once they access the AWS Console, they do their operations directly through a web browser.
The attack process employed by GUI-vil involves obtaining initial access by exploiting AWS keys found in publicly exposed source code repositories on platforms like GitHub or targeting vulnerable GitLab instances susceptible to remote code execution vulnerabilities (e.g., CVE-2021-22205).
Upon successful infiltration, the threat actor escalates privileges and conducts internal reconnaissance to identify all accessible S3 buckets and services available through the AWS web console.
A notable aspect of GUI-vil’s modus operandi is its attempt to blend in and persist within the victim’s environment. They achieve this by creating new user identities that adhere to the same naming convention and fulfil their objectives. Additionally, GUI-vil generates access keys for these new identities, allowing them to continue using S3 Browser with the newly created users. Alternatively, they create login profiles for existing users without arousing suspicion, enabling seamless access to the AWS console.
The association of GUI-vil with Indonesia revealed that the source IP addresses linked to their activities belong to two Autonomous System Numbers (ASNs) located in the Southeast Asian country.
Researchers noted that the group’s primary mission is finance, focused on setting up EC2 instances to facilitate their cryptocurrency mining endeavours. However, the profits they derive from such mining operations typically pale compared to the expenses incurred by the victim organizations responsible for running the EC2 instances
 Elastic Compute Cloud (EC2) instances to engage in unauthorized cryptocurrency mining operations.){kind=link}