**AWS Customers Targeted in Large-Scale Cryptocurrency Mining Campaign**
A new cryptocurrency mining campaign is exploiting compromised AWS Identity and Access Management (IAM) credentials to hijack cloud environments for illicit profit. First detected by Amazon’s GuardDuty service on November 2, 2025, the attack leverages stolen IAM credentials to covertly deploy mining operations within AWS accounts, turning customer resources into cryptocurrency farms.
The campaign employs novel persistence techniques that make detection and removal difficult. Attackers bypass standard security measures and embed themselves within AWS infrastructure, so full eradication requires thorough remediation. The incident highlights vulnerabilities in cloud security, particularly around IAM credential management, since compromised access keys grant attackers unfettered control over AWS resources.
GuardDuty’s automated threat detection played a key role in identifying the malicious activity, flagging unusual patterns indicative of unauthorized mining. AWS has urged customers to rotate IAM credentials immediately, enforce multifactor authentication (MFA), and monitor accounts for suspicious configurations. The attack underscores the growing sophistication of cloud-based threats and the need for proactive security measures, including regular audits and automated monitoring, to counter evolving risks in cloud environments.
Amazon Web Services (AWS) cybersecurity rating report: https://www.rankiteo.com/company/amazon-web-services
```json
{
  "id": "AMA1765965358",
  "linkid": "amazon-web-services",
  "type": "Cyber Attack",
  "date": "11/2025",
  "severity": "50",
  "impact": "2",
  "explanation": "Attack limited on finance or reputation"
}
```
```json
{
  "affected_entities": [
    {
      "customers_affected": "Multiple AWS accounts",
      "industry": "Various (cross-industry)",
      "location": "Global",
      "name": "Amazon Web Services (AWS) customers",
      "size": "Unknown",
      "type": "Cloud service users"
    }
  ],
  "attack_vector": "Compromised IAM credentials",
  "customer_advisories": "AWS customers should rotate IAM credentials, enable MFA, and monitor accounts for unusual activity.",
  "date_detected": "2025-11-02",
  "description": "A cryptocurrency mining campaign exploits compromised AWS Identity and Access Management (IAM) credentials to hijack AWS environments for unauthorized cryptocurrency mining. The campaign employs novel persistence techniques, making detection and remediation challenging. Amazon GuardDuty first identified the threat on November 2, 2025, highlighting vulnerabilities in cloud security and the critical need for robust IAM protocols.",
  "impact": {
    "brand_reputation_impact": "Potential reputational damage for AWS and affected customers",
    "financial_loss": "Potential resource costs from unauthorized AWS usage",
    "operational_impact": "Degraded AWS performance, potential disruption of legitimate services",
    "systems_affected": "AWS environments, IAM configurations"
  },
  "initial_access_broker": {
    "entry_point": "Compromised IAM credentials"
  },
  "investigation_status": "Ongoing",
  "lessons_learned": "Critical need for strong IAM protocols, regular security audits, and automated threat detection systems like GuardDuty to mitigate cloud-based threats.",
  "motivation": "Financial gain through unauthorized cryptocurrency mining",
  "post_incident_analysis": {
    "corrective_actions": "Strengthen IAM policies, implement MFA, enhance monitoring with GuardDuty, conduct security audits",
    "root_causes": "Weak IAM credential security, lack of MFA, insufficient monitoring of AWS environments"
  },
  "recommendations": [
    "Rotate IAM credentials immediately to prevent unauthorized access",
    "Enable multifactor authentication (MFA) for all AWS accounts",
    "Monitor AWS accounts for unusual activity or configurations",
    "Engage with AWS support or security teams for incident response guidance",
    "Conduct regular security audits and reviews of AWS environments"
  ],
  "references": [
    {
      "source": "Amazon GuardDuty Threat Detection"
    }
  ],
  "response": {
    "containment_measures": "Immediate rotation of IAM credentials, monitoring for unusual activity",
    "enhanced_monitoring": "Amazon GuardDuty for threat detection",
    "remediation_measures": "Implementation of multifactor authentication (MFA), security audits, engagement with AWS support"
  },
  "stakeholder_advisories": "AWS users advised to review security configurations and conduct regular audits to detect and address unauthorized activities.",
  "title": "Cryptocurrency Mining Campaign Targeting AWS Customers via Compromised IAM Credentials",
  "type": "Cryptocurrency Mining",
  "vulnerability_exploited": "Weak IAM credential security, lack of multifactor authentication (MFA)"
}
```