Indonesian group targets AWS for crypto-mining

A threat actor called p0-LUCR-1, aka GUI-vil (Goo-ee-vil), has been observed targeting Amazon Web Services (AWS) Elastic Compute Cloud (EC2) instances for crypto-mining operations, according to Permiso.

The group prefers to use GUI tools such as the S3 Browser for access and then continues operations via the web browser. GUI-vil has been linked to Indonesia because the source IP addresses associated with the activities are linked to two Autonomous System Numbers (ASNs) located in Indonesia.

Impact

The threat is of medium severity, but it can expose sensitive and confidential information. The initial vector in Vulnerable Gitlab CVE-2021-22205 is publicly exposed credentials.

DXC perspective

In addition to securing your infrastructure with advanced threat protection tools, we recommend these defense and mitigation strategies:

• Monitor the network and endpoints for C2 traffic, abnormal user behavior and stolen credentials. Patch vulnerabilities.
• Configure EC2 properly: Port 22 should not be open to 0.0.0.0.
• Install and regularly update antivirus software on all hosts and enable real-time detection.
• Install updates/patch operating systems, software and firmware as soon as updates/patches are released.

Threat-hunting tips

TTPs:

Permiso researchers provided this TTP chart of the attack lifecycle:

IOCs