Cybercriminals Exploit Amazon Cloud Services for Illegal Cryptocurrency Mining: Indonesian Hackers GUI-vil Behind the Scheme

Marcel Bich

Aug 4, 2023
A group of Indonesian cyberterrorists was found unlawfully mining cryptocurrencies on Amazon Web Services’ Elastic Compute Cloud (EC2), according to cloud computing company Permiso P0 Labs. Experts have given the group the codename GUI-vil.

GUI-vil Group’s Modus Operandi Revealed

Elastic Compute Cloud (EC2), a web service offered by Amazon Web Services (AWS), is a cloud computing platform that offers scalable processing capability. You can host as many virtual servers as you need with Amazon EC2, set up security and network connectivity, and control storage. With Amazon EC2, you may modify capacity in response to fluctuating demand or peak popularity.

The group favors graphical user interfaces, especially S3 Browser (version 9.5.5), for its early activities. “Their actions are carried out immediately through a web browser once they have gained access to the AWS Console,” the company said in the study.

GUI-vil attackers gain early access in two ways: by using AWS keys exposed in open source repositories on GitHub, or by scanning for vulnerable GitLab instances that permit remote code execution (such as CVE-2021-22205).

After a successful intrusion, the hackers perform internal reconnaissance to determine which services are accessible to them through the AWS web dashboard. They then escalate their privileges.

Unveiling GUI-vil’s Intricate Approach

One standout aspect of the group’s behavior is its attempt to blend into the victim’s environment by creating new users that follow the naming convention already in use, so that they do not arouse suspicion at first glance.

“In order to continue utilizing S3 Browser with these additional users, GUI-vil also generates access keys,” according to P0 Labs researchers.

The source IP addresses linked to GUI-vil’s operations come from two independent systems situated in Southeast Asia, which is the basis for the group’s association with Indonesia.

According to the researchers, the primary goal of the profit-driven group is to set up EC2 instances that facilitate Bitcoin mining. The revenue the group earns from mining cryptocurrencies is frequently only a small portion of the costs the victim businesses incur to host the EC2 instances.
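For defenders, the behaviours described above (IAM users and access keys created through S3 Browser, followed by EC2 launches) can be looked for in CloudTrail. The following is an added example, not code from Permiso's report or from this article. The sample records, the user-agent string form, the rule names, and the assumption that the new user is the one launching instances are all constructed for illustration.

```python
# Constructed CloudTrail-style records (not from the report); names and IPs are made up.
def _ev(time, source, name, actor, agent, target=None):
    return {"eventTime": time, "eventSource": source, "eventName": name,
            "userAgent": agent, "sourceIPAddress": "203.0.113.10",
            "userIdentity": {"type": "IAMUser", "userName": actor},
            "requestParameters": {"userName": target} if target else None}

S3B = "[S3 Browser 9.5.5 https://s3browser.com]"  # assumed user-agent form
IAM, EC2 = "iam.amazonaws.com", "ec2.amazonaws.com"
SAMPLE_EVENTS = [
    _ev("2023-01-01T09:00:00Z", IAM, "CreateUser", "admin", "aws-cli/2.9.0", "svc-report"),
    _ev("2023-01-01T10:00:00Z", IAM, "CreateUser", "ci-deploy", S3B, "svc-backup2"),
    _ev("2023-01-01T10:02:00Z", IAM, "CreateAccessKey", "ci-deploy", S3B, "svc-backup2"),
    _ev("2023-01-01T10:30:00Z", EC2, "RunInstances", "svc-backup2", "Mozilla/5.0"),
    _ev("2023-01-01T11:00:00Z", EC2, "RunInstances", "autoscaler", "Boto3/1.26.0"),
]
IAM_WRITES = {"CreateUser", "CreateAccessKey"}

def find_suspicious(events):
    """Return (rule, eventTime, actor, related) tuples in time order."""
    findings = []
    new_users = {}  # user created inside this log window -> who created it
    keyed = set()   # new users that were also given an access key
    for ev in sorted(events, key=lambda e: e["eventTime"]):
        name, source = ev["eventName"], ev["eventSource"]
        actor = ev.get("userIdentity", {}).get("userName", "unknown")
        params = ev.get("requestParameters") or {}
        target = params.get("userName", actor)  # no userName means the caller itself
        if source == IAM and name in IAM_WRITES:
            # Rule 1: identity changes made from the S3 Browser GUI client.
            if "S3 Browser" in ev.get("userAgent", ""):
                findings.append(("iam-change-via-s3-browser", ev["eventTime"], actor, target))
            if name == "CreateUser":
                new_users[target] = actor
            elif target in new_users:
                keyed.add(target)
        elif source == EC2 and name == "RunInstances" and actor in keyed:
            # Rule 2: a freshly created, freshly keyed user starts EC2 instances.
            findings.append(("new-user-launches-ec2", ev["eventTime"], actor, new_users[actor]))
    return findings

if __name__ == "__main__":
    for finding in find_suspicious(SAMPLE_EVENTS):
        print(finding)
```

Because the group copies the victim's naming convention, the rules key on the client and on the sequence of events rather than on how the new user name looks.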

