
Major IAM Cryptomining Hack Targeting AWS in December: AWS's Response and Prevention Measures
Tags: AWS, cryptomining, IAM, cybersecurity, cloud_security, GuardDuty, EC2, ECS, permissions, threat_detection
The post details a cryptomining campaign targeting AWS in December, where attackers used compromised IAM credentials with excessive permissions. The threat actors exploited permissions such as ec2:RunInstances, ecs:RunTask, or iam:* to launch EC2 instances or ECS tasks and mine cryptocurrency rapidly. AWS acknowledged the attack in a blog post, noting that tools like GuardDuty detect the activity after the fact but do not prevent it. The main issue highlighted is the proliferation of IAM identities with overly broad permissions to create resources or modify permissions.
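
One way to look for the over-broad grants described above is to check IAM policy documents for Allow statements that cover ec2:RunInstances, ecs:RunTask or iam:*, including through wildcards and NotAction. This is an added example, not code from the post or from AWS; the function names and the sample policy are assumptions, and it inspects the Allow statements of a single policy document only (no explicit Deny, permission boundary or SCP evaluation).

```python
import json
import re

# Actions the summary above names as abused in the campaign.
RISKY_ACTIONS = ["ec2:RunInstances", "ecs:RunTask", "iam:*"]

def as_list(value):
    """IAM accepts a single value or a list for Statement/Action/Resource."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]

def covers(pattern, action):
    """True if an IAM action pattern ('*' and '?' wildcards) matches `action`.
    Action names are case-insensitive. The literal 'iam:*' is used as a probe,
    so only patterns spanning the whole iam namespace ('iam:*', '*') match it."""
    rx = re.escape(pattern).replace(r"\*", ".*").replace(r"\?", ".")
    return re.fullmatch(rx, action, re.IGNORECASE) is not None

def risky_grants(policy):
    """Return (sid, risky_action, scope) for each Allow statement that grants one."""
    findings = []
    for i, stmt in enumerate(as_list(policy.get("Statement"))):
        if stmt.get("Effect") != "Allow":
            continue
        wide = "*" in as_list(stmt.get("Resource")) and not stmt.get("Condition")
        for risky in RISKY_ACTIONS:
            if "NotAction" in stmt:  # Allow + NotAction grants everything NOT listed
                hit = not any(covers(p, risky) for p in as_list(stmt["NotAction"]))
            else:
                hit = any(covers(p, risky) for p in as_list(stmt.get("Action")))
            if hit:
                findings.append((stmt.get("Sid", f"stmt{i}"), risky,
                                 "unscoped" if wide else "scoped"))
    return findings

# Constructed sample policy (not from the post); the account ID is a placeholder.
SAMPLE = json.loads("""{"Version": "2012-10-17", "Statement": [
 {"Sid": "CiDeploy", "Effect": "Allow", "Action": ["ec2:Run*", "s3:GetObject"], "Resource": "*"},
 {"Sid": "Admin", "Effect": "Allow", "NotAction": "s3:*", "Resource": "*"},
 {"Sid": "ReadOnly", "Effect": "Allow", "Action": "ec2:Describe*", "Resource": "*"},
 {"Sid": "Tasks", "Effect": "Allow", "Action": "ecs:runtask",
  "Resource": "arn:aws:ecs:us-east-1:111122223333:task-definition/batch:*"}]}""")

if __name__ == "__main__":
    for sid, action, scope in risky_grants(SAMPLE):
        print(f"{sid}: allows {action} ({scope})")
```

Statements reported as "unscoped" (Resource "*" with no Condition) are the ones to narrow first, since they match the broad resource-creation permissions the summary identifies as the main issue.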