• Tue. Apr 16th, 2024

Cybercriminals Exploit Amazon Cloud Services for Illegal Cryptocurrency Mining: Indonesian Hackers GUI-vil Behind the Scheme

Avatar photo

ByMarcel Bich

Aug 7, 2023
Cybercriminals Exploit Amazon Cloud for Mining
Marcel Bich
Latest posts by Marcel Bich (see all)

A group of Indonesian cyberterrorists were found unlawfully mining cryptocurrencies on Amazon Web Services’ Elastic Compute Cloud (EC2), according to cloud computing company Permiso P0 Labs. The organization has been given the codename GUI-vil by experts.

GUI-vil Group’s Modus Operandi Revealed

Elastic Compute Cloud (EC2), a web service offered by Amazon Web Services (AWS), is a cloud computing platform that offers scalable processing capability. You can host as many virtual servers as you need with Amazon EC2, set up security and network connectivity, and control storage. With Amazon EC2, you may modify capacity in response to fluctuating demand or peak popularity.

The organization favors using graphical user interfaces, especially S3 Browser (version 9.5.5) for its early activities. “Their actions are carried out immediately through a web browser once they have gained access to the AWS Console,” the business claimed in the study.

AWS keys released in open source repositories on GitHub or scanning vulnerable GitLab instances that permit remote code execution (such as CVE-2021-22205) are two ways that GUI-vil attackers get early access in their attack strategy.

Hackers do internal reconnaissance after a successful intrusion to determine the services that are accessible to them through the AWS web dashboard. They then elevate their rights.

Unveiling GUI-vil’s Intricate Approach

One standout aspect of the faction’s behavior is its attempt to pass as the victim’s surroundings by making new users who adhere to the utilized name convention, which does not arouse suspicion at first glance.

“In order to continue utilizing S3 Browser with these additional users, GUI-vil also generates access keys,” according to P0 Labs researchers.

The origin IP addresses linked to GUI-vil’s operations are from two independent systems situated in Southeast Asia, which serves as the foundation for their association with Indonesia.

According to the researchers, the primary goal of the profit-driven group is to set up EC2 instances that will make Bitcoin mining easier. The revenues they get from mining cryptocurrencies are frequently only a small portion of the expenses incurred by the victim businesses to host EC2 instances.

 
Avatar photo

Marcel Bich

Marcel ‘s passion for the world of cryptocurrencies and his comprehensive knowledge of blockchain technology make him an invaluable asset to our team. He stays updated on the latest trends, regulations, and emerging technologies in the crypto space, ensuring that our audience receives accurate and up-to-date information.