A threat actor called p0-LUCR-1, aka GUI-vil (Goo-ee-vil), has been observed targeting Amazon Web Services (AWS) Elastic Compute Cloud (EC2) instances for crypto-mining operations, according to Permiso.
The group prefers to use GUI tools such as the S3 Browser for access and then continues operations via the web browser. GUI-vil has been linked to Indonesia because the source IP addresses associated with the activities are linked to two Autonomous System Numbers (ASNs) located in Indonesia.
Impact
The threat is of medium severity, but it can expose sensitive and confidential information. The initial access vectors are a vulnerable GitLab instance (CVE-2021-22205) and publicly exposed credentials.
DXC perspective
In addition to securing your infrastructure with advanced threat protection tools, we recommend these defense and mitigation strategies:
- Monitor the network and endpoints for command-and-control (C2) traffic, abnormal user behavior and use of stolen credentials. Patch vulnerabilities.
- Configure EC2 security groups properly: port 22 (SSH) should not be open to 0.0.0.0/0 (any source address).
- Install and regularly update antivirus software on all hosts and enable real-time detection.
- Install updates/patch operating systems, software and firmware as soon as updates/patches are released.
Threat-hunting tips
TTPs: Permiso researchers provided a TTP chart of the attack lifecycle (chart not reproduced in this text).
IOCs
Indicator | Type | Notes |
https://s3browser.com/ | URL | S3 Browser, the GUI tool the actor uses for access |
su32 | SSH Key | |
new-user-<8 alphanumeric characters> | IAM User | default naming standard for creating a user with S3 Browser |
sec_audit | IAM User | |
backup | IAM User | |
sdgs | IAM Policy | |
ter | IAM Policy | |
dq | IAM Policy | |
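As an added hunting example (not from the advisory or from Permiso), the script below scans CloudTrail records for the IAM user and policy names in the IOC table and for the S3 Browser default user-naming pattern. The sample records are constructed, and the user-agent check assumes S3 Browser identifies itself with "S3 Browser" in the userAgent field, which this page does not state.

```python
import json
import re

# Constructed CloudTrail-style records (not real telemetry) in the
# {"Records": [...]} layout CloudTrail writes to S3.
SAMPLE_LOG = json.dumps({"Records": [
    {"eventName": "CreateUser", "userAgent": "S3 Browser/10.9.9",
     "requestParameters": {"userName": "new-user-a1b2c3d4"},
     "sourceIPAddress": "203.0.113.10"},
    {"eventName": "CreatePolicy", "userAgent": "aws-cli/2.11.0",
     "requestParameters": {"policyName": "sdgs"},
     "sourceIPAddress": "203.0.113.10"},
    {"eventName": "CreateUser", "userAgent": "console.amazonaws.com",
     "requestParameters": {"userName": "deploy-bot"},
     "sourceIPAddress": "198.51.100.7"},
    {"eventName": "CreateAccessKey", "userAgent": "aws-cli/2.11.0",
     "requestParameters": {"userName": "backup"},
     "sourceIPAddress": "198.51.100.7"},
]})

# IAM names taken from the IOC table on this page.
KNOWN_USERS = {"sec_audit", "backup"}
KNOWN_POLICIES = {"sdgs", "ter", "dq"}
# S3 Browser's default naming for newly created users (from the IOC table).
S3B_USER_RE = re.compile(r"^new-user-[A-Za-z0-9]{8}$")


def load_records(text):
    """Parse a CloudTrail log file body into its list of event records."""
    return json.loads(text).get("Records", [])


def hunt(records):
    """Return (record index, reason) for every indicator match found."""
    hits = []
    for i, ev in enumerate(records):
        params = ev.get("requestParameters") or {}
        user = params.get("userName", "")
        policy = params.get("policyName", "")
        if S3B_USER_RE.match(user):
            hits.append((i, "S3 Browser default user name: " + user))
        elif user in KNOWN_USERS:
            hits.append((i, "IAM user name from IOC list: " + user))
        if policy in KNOWN_POLICIES:
            hits.append((i, "IAM policy name from IOC list: " + policy))
        # Assumption: S3 Browser sets a recognisable userAgent (not stated on the page).
        if "S3 Browser" in ev.get("userAgent", ""):
            hits.append((i, "S3 Browser user agent"))
    return hits


if __name__ == "__main__":
    for idx, reason in hunt(load_records(SAMPLE_LOG)):
        print(f"record {idx}: {reason}")
```

Point it at real CloudTrail files by replacing SAMPLE_LOG with the file contents; any hit should be correlated with the creating principal and its source IP before acting on it.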