Attention AWS customers: You might be running a malicious crypto miner

Mitiga, an Israeli cybersecurity company, advises all Amazon Web Services customers running certain types of programs to make sure they are not infected by a malicious Monero cryptominer.

In an advisory today, Mitiga said that anyone running EC2 instances based on Community AMIs (Amazon Machine Images) is exposed to the cryptominer.

Amazon Machine Images are the virtual machine images from which EC2 instances are launched within Amazon’s cloud service, AWS. With AWS, people can rent computing power from Amazon, which owns warehouses full of very powerful computers. EC2 allows AWS customers to share AMIs publicly with other users.

A cryptominer running on AWS would consume all the computational resources a customer has rented from Amazon. The customer would, of course, foot the bill. And since the miner produces Monero, a privacy coin, it would be difficult to track down the criminal hacker.

Mitiga came across the active cryptominer while reviewing the AWS setup of a client, a financial institution.

The cryptominer was put in an AWS virtual machine that contained “Microsoft Windows – Server 2008”. That server came out about a year after the release of Windows Vista, the unpopular buggy version of Microsoft’s operating system.

The hacker then published this infected AMI on the AWS marketplace. The hackers “designed it to carry out some form of financial fraud: Bill AWS customer accounts for computing [sic], while on the other hand crypto is being extracted,” wrote Mitiga.

“Embracing community code in mission-critical environments carries significant risk,” said Ofer Maor, co-founder and CTO of Mitiga. “This is yet another example of the risks of today’s cloud marketplaces, which provide easy-to-use solutions while introducing the risks of embedding insecure or malicious code and binaries, often from unknown sources.”

Since anyone can use the infected AMI, Mitiga thinks it’s worth the “rather dramatic advisory warning being issued.” Thus, “With great caution, companies using Community AMIs are recommended [sic] to verify, terminate, or search AMIs from trusted sources for their EC2 instances.”
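The advisory's "verify" step comes down to one question per running instance: who owns the AMI it was launched from? The script below is an added example, not Mitiga's tooling or anything from AWS, showing how a defender can sort instances into trusted (own or allow-listed account), AWS-published, community (public image from an unknown account), privately shared, or unknown (image no longer visible). The record shapes mirror the `ImageId`, `OwnerId`, `ImageOwnerAlias` and `Public` fields that `aws ec2 describe-instances` and `aws ec2 describe-images` return, but all account IDs, instance IDs and AMI IDs in the sample data are constructed placeholders, and the function names are this example's own.

```python
"""Flag EC2 instances launched from AMIs that no trusted account owns.

Added example (not Mitiga's or AWS's code). The input dicts follow the field
names of the EC2 describe-instances / describe-images API responses; the
sample records at the bottom are constructed, not real resources.
"""
from typing import Dict, Iterable, List, Optional

# Owner aliases AWS attaches to images it publishes itself or via Marketplace.
AWS_OWNER_ALIASES = {"amazon", "aws-marketplace"}

# Verdicts that the advisory's "verify, terminate, or replace" step applies to.
REVIEW_VERDICTS = {"community", "shared", "unknown"}


def classify_ami(image: Optional[dict], own_account_id: str,
                 trusted_accounts: Iterable[str] = ()) -> str:
    """Return a verdict string for one describe-images record (or None)."""
    if image is None:
        # Deregistered, or owned by another account that stopped sharing it:
        # nothing left to verify, so treat it as needing review.
        return "unknown"
    owner = image.get("OwnerId")
    if owner == own_account_id or owner in set(trusted_accounts):
        return "trusted"
    if image.get("ImageOwnerAlias") in AWS_OWNER_ALIASES:
        return "aws"
    if image.get("Public"):
        return "community"      # anyone's public AMI: the case in the advisory
    return "shared"             # privately shared by a non-allow-listed account


def audit_instances(instances: List[dict], images: List[dict],
                    own_account_id: str,
                    trusted_accounts: Iterable[str] = ()) -> List[Dict[str, str]]:
    """Join instances to their AMI records and attach a verdict to each.

    `instances` is the flattened Reservations[].Instances[] list and `images`
    the Images[] list from the corresponding describe-images call.
    """
    by_id = {img["ImageId"]: img for img in images}
    findings = []
    for inst in instances:
        image_id = inst.get("ImageId", "")
        verdict = classify_ami(by_id.get(image_id), own_account_id, trusted_accounts)
        findings.append({"InstanceId": inst["InstanceId"],
                         "ImageId": image_id, "Verdict": verdict})
    return findings


def needs_review(findings: List[Dict[str, str]]) -> List[str]:
    """Instance IDs whose AMI provenance the advisory says to verify or terminate."""
    return [f["InstanceId"] for f in findings if f["Verdict"] in REVIEW_VERDICTS]


# --- Constructed sample data (placeholder IDs, not real AWS resources) -------
OWN_ACCOUNT = "123456789012"

SAMPLE_INSTANCES = [
    {"InstanceId": "i-0000000000000aaaa", "ImageId": "ami-0000000000000aaaa"},
    {"InstanceId": "i-0000000000000bbbb", "ImageId": "ami-0000000000000bbbb"},
    {"InstanceId": "i-0000000000000cccc", "ImageId": "ami-0000000000000cccc"},
    {"InstanceId": "i-0000000000000dddd", "ImageId": "ami-0000000000000dddd"},
]

SAMPLE_IMAGES = [
    # Built and owned in our own account.
    {"ImageId": "ami-0000000000000aaaa", "OwnerId": OWN_ACCOUNT, "Public": False},
    # Published by AWS (owner alias set).
    {"ImageId": "ami-0000000000000bbbb", "OwnerId": "000000000000",
     "ImageOwnerAlias": "amazon", "Public": True},
    # Public community AMI from an account we know nothing about.
    {"ImageId": "ami-0000000000000cccc", "OwnerId": "111122223333", "Public": True},
    # ami-...dddd is deliberately absent: the image is no longer visible.
]

if __name__ == "__main__":
    for finding in audit_instances(SAMPLE_INSTANCES, SAMPLE_IMAGES, OWN_ACCOUNT):
        print(f"{finding['InstanceId']}  {finding['ImageId']}  {finding['Verdict']}")
    print("needs review:", needs_review(
        audit_instances(SAMPLE_INSTANCES, SAMPLE_IMAGES, OWN_ACCOUNT)))
```

Against live data the two lists would come from the CLI or boto3 calls named above; the classification logic does not change. Note that an AMI listed as "aws" still deserves a check that the `ImageOwnerAlias` is the expected one for the image family, and "trusted" only means the owner account is one you control or have allow-listed, not that the image contents were ever reviewed.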