In brief

  • An Israeli software company has discovered a Monero miner on Amazon Web Services.
  • They found the malware while checking the software systems of a financial institution.
  • The firm advises checking AWS instances for malware.

Editor's note: This article was updated to show that the hacker made the malicious file available as a shared file, and that it was not available through AWS Marketplace.

Mitiga, an Israeli cybersecurity firm, is advising all customers of Amazon Web Services running certain types of programs to check that they haven’t been infected by a malicious Monero crypto miner.

In an advisory note today, Migita said that anyone running EC2 instances based on Community AMIs (Amazon Machine Images) are vulnerable to attack by the crypto miner.

Amazon Machine Images are virtual machines within Amazon’s cloud service, AWS. AWS lets people rent computational power from Amazon, which owns warehouses full of very powerful computers. EC2 allows AWS customers to publicly share AMIs with other users.

A crypto miner running on AWS would suck up all of the computational resources that a customer has rented from Amazon. The customer, of course, would fit the bill. And because they’d be mining Monero, a privacy coin, it’d be difficult to trace the criminal hacker. 

Mitiga stumbled upon the active crypto miner during an assessment of the AWS set-up of a customer, a financial institution. 

The crypto miner was stuffed into an AWS virtual machine running “Microsoft Windows – Server 2008.” That server came out about a year after the release of Windows Vista, the unpopular, buggy version of Microsoft’s operating system. 

The hacker then made it available as a shared AMI, which are community-created AMIs that other developers may use. The hackers “designed it to execute a form of financial fraud: Bill AWS customer accounts for compute [sic], while extracting crypto on the other end,” wrote Mitiga. 

“Embracing community-sourced code within business-critical environments introduces significant risk,” said Mitiga Co-Founder & CTO, Ofer Maor. “This is yet another example of the risks posed by today’s cloud marketplaces, offering easy to use solutions, while introducing risks of embedding insecure or malicious code and binaries, oftentimes from unknown sources.”

Since anyone can use it, Mitiga thinks that it’s worth the “rather dramatic advisory warning being issued.” So, “out of an abundance of caution, companies utilizing Community AMIs are recommend [sic] to verify, terminate, or seek AMIs from trusted sources for their EC2 instances.”