
A financially motivated attacker from Indonesia was observed utilizing Amazon Web Services (AWS) Elastic Compute Cloud (EC2) instances to perform illicit cryptocurrency mining operations.
Permiso P0 Labs, a cloud security company that first detected this group in November 2021, has assigned it the name GUI-vil (pronounced "gooeyville").
“This group prefers graphical user interface (GUI) tools for initial operations, especially the S3 browser (version 9.5.5),” the company said in a report shared with The Hacker News. “Once you have access to the AWS console, you perform operations directly through your web browser.”
Attack chains mounted by GUI-vil obtain initial access in one of two ways: by weaponizing AWS keys exposed in source code repositories published on GitHub, or by scanning for GitLab instances vulnerable to remote code execution flaws (such as CVE-2021-22205).
A successful ingress is followed by privilege escalation and internal reconnaissance to enumerate all available S3 buckets and identify the services that can be reached through the AWS web console.

A striking feature of the threat actor's modus operandi is its attempt to blend in and persist within the victim's environment by creating new users that follow the victim's existing naming convention, and ultimately to achieve its goals from those identities.
“GUI-vil will also create access keys for the new identities it is creating, which will allow these new users to continue using the S3 browser,” the company explained.
Alternatively, this group has also been witnessed creating login profiles for existing users who do not have one in order to be able to access the AWS console without raising red flags.
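As an added example (not code from the Permiso report or from The Hacker News), the following Python script triages CloudTrail records for the chain described in the paragraphs above: reconnaissance from a GUI client, creation of look-alike IAM users with access keys, console login profiles added to existing users, and EC2 launches by the same identity. The sample records, the user inventory, the two-hour correlation window and the prefix-based naming-convention heuristic are all constructed assumptions, not values from the report.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta, timezone

# CloudTrail eventName values that correspond to the stages described in the article.
RECON_EVENTS = {"GetCallerIdentity", "ListBuckets"}
PERSIST_EVENTS = {"CreateUser", "CreateAccessKey", "CreateLoginProfile"}
LAUNCH_EVENTS = {"RunInstances"}
WINDOW = timedelta(hours=2)  # assumed correlation window, not taken from the report

# Constructed sample records (a subset of CloudTrail fields); these are not real logs.
SAMPLE_EVENTS = [
    {"eventTime": "2023-05-01T09:00:00Z", "eventName": "ListBuckets",
     "userIdentity": {"type": "IAMUser", "userName": "alice"},
     "userAgent": "aws-cli/2.11.0", "requestParameters": {}},
    {"eventTime": "2023-05-01T10:00:00Z", "eventName": "GetCallerIdentity",
     "userIdentity": {"type": "IAMUser", "userName": "ci-deploy"},
     "userAgent": "S3 Browser 9.5.5", "requestParameters": {}},
    {"eventTime": "2023-05-01T10:01:00Z", "eventName": "ListBuckets",
     "userIdentity": {"type": "IAMUser", "userName": "ci-deploy"},
     "userAgent": "S3 Browser 9.5.5", "requestParameters": {}},
    {"eventTime": "2023-05-01T10:05:00Z", "eventName": "CreateUser",
     "userIdentity": {"type": "IAMUser", "userName": "ci-deploy"},
     "userAgent": "S3 Browser 9.5.5", "requestParameters": {"userName": "ci-backup"}},
    {"eventTime": "2023-05-01T10:06:00Z", "eventName": "CreateAccessKey",
     "userIdentity": {"type": "IAMUser", "userName": "ci-deploy"},
     "userAgent": "S3 Browser 9.5.5", "requestParameters": {"userName": "ci-backup"}},
    {"eventTime": "2023-05-01T10:08:00Z", "eventName": "CreateLoginProfile",
     "userIdentity": {"type": "IAMUser", "userName": "ci-deploy"},
     "userAgent": "console.amazonaws.com", "requestParameters": {"userName": "ci-monitor"}},
    {"eventTime": "2023-05-01T10:30:00Z", "eventName": "RunInstances",
     "userIdentity": {"type": "IAMUser", "userName": "ci-deploy"},
     "userAgent": "console.amazonaws.com", "requestParameters": {"instanceType": "c5.24xlarge"}},
]

# Constructed inventory of IAM users that existed before the window under review.
KNOWN_USERS = {"alice", "ci-deploy", "ci-monitor"}


def parse_time(ts):
    """CloudTrail eventTime is ISO 8601 in UTC with a trailing Z."""
    return datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def naming_prefix(user_name):
    """Heuristic for 'same naming convention': the token before the first -, _ or '.'."""
    return re.split(r"[-_.]", user_name, maxsplit=1)[0].lower()


def triage(events, known_users, window=WINDOW):
    """Group records by calling identity and report identities that chain persistence
    with reconnaissance or an EC2 launch inside `window`. Returns {actor: {stages, notes}}."""
    by_actor = defaultdict(list)
    for ev in sorted(events, key=lambda e: e["eventTime"]):
        by_actor[ev["userIdentity"].get("userName", "unknown")].append(ev)

    known_prefixes = {naming_prefix(u) for u in known_users}
    findings = {}
    for actor, evs in by_actor.items():
        start = parse_time(evs[0]["eventTime"])
        stages, notes = set(), []
        for ev in evs:
            if parse_time(ev["eventTime"]) - start > window:
                break  # only correlate activity inside the window after first sighting
            name = ev["eventName"]
            params = ev.get("requestParameters") or {}
            target = params.get("userName", "")
            if name in RECON_EVENTS:
                stages.add("recon")
            elif name in PERSIST_EVENTS:
                stages.add("persistence")
                if name == "CreateUser" and naming_prefix(target) in known_prefixes:
                    notes.append(f"new user '{target}' mimics existing naming convention")
                if name == "CreateLoginProfile" and target in known_users:
                    notes.append(f"console login profile added to existing user '{target}'")
            elif name in LAUNCH_EVENTS:
                stages.add("ec2_launch")
                notes.append(f"EC2 launch of {params.get('instanceType', '?')}")
            if "s3 browser" in ev.get("userAgent", "").lower():
                notes.append(f"GUI client user agent: {ev['userAgent']}")
        # One stage alone (e.g. a user rotating their own key) is routine; the chain is not.
        if "persistence" in stages and len(stages) >= 2:
            findings[actor] = {"stages": sorted(stages), "notes": sorted(set(notes))}
    return findings


if __name__ == "__main__":
    for actor, finding in triage(SAMPLE_EVENTS, KNOWN_USERS).items():
        print(actor, finding["stages"])
        for note in finding["notes"]:
            print("  -", note)
```

In production the records would come from a CloudTrail query (Athena, CloudTrail Lake or a SIEM) and the user inventory from `iam:ListUsers`, and the window would be tuned to the account's normal administrative cadence; the point of the example is that each individual call is legitimate, so the detection has to key on the combination of stages attributed to one identity.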
GUI-vil's association with Indonesia stems from the fact that the source IP addresses tied to this activity belong to two Autonomous System Numbers (ASNs) located in that Southeast Asian country.
“The group’s primary mission is to be financially driven and to create EC2 instances to facilitate cryptocurrency mining activities,” the researchers said. “In many cases, the profit from cryptocurrency mining is only a fraction of what the victim organization has to pay to run its EC2 instances.”