A threat actor called p0-LUCR-1, aka GUI-vil (Goo-ee-vil), has been observed targeting Amazon Web Services (AWS) Elastic Compute Cloud (EC2) instances for crypto-mining operations, according to Permiso.

The group prefers GUI tools: it uses the S3 Browser client for initial access and then continues operations interactively in the AWS web console. GUI-vil has been linked to Indonesia because the source IP addresses associated with the activity belong to two Autonomous System Numbers (ASNs) located in Indonesia.

Impact

The threat is of medium severity, but it can expose sensitive and confidential information. Initial access comes from publicly exposed AWS credentials or from exploitation of vulnerable GitLab instances (CVE-2021-22205).

DXC perspective

In addition to securing your infrastructure with advanced threat protection tools, we recommend these defense and mitigation strategies:

  • Monitor CloudTrail, the network and endpoints for C2 traffic, abnormal user behavior (in particular unexpected IAM user, access key and policy creation) and use of stolen credentials. Rotate any AWS access keys found in public repositories or exposed services.
  • Configure EC2 security groups properly: port 22 should not be open to 0.0.0.0/0 (or ::/0).
  • Install and regularly update antivirus software on all hosts and enable real-time detection.
  • Install updates/patches for operating systems, software and firmware as soon as they are released, including the GitLab fix for CVE-2021-22205.
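The security-group check above is easy to get wrong by hand: a rule that opens "all traffic", a port range that happens to include 22, or an IPv6 ::/0 entry all expose SSH just as surely as a literal 0.0.0.0/0 on port 22. The following script is an added example (not code from DXC or Permiso) that audits security groups in the JSON shape returned by `aws ec2 describe-security-groups`; the group IDs and names in the sample are constructed, and you would replace the sample with the live response to audit a real account.

```python
"""Find EC2 security groups that expose SSH (TCP/22) to the whole Internet.

Added example for this advisory, not code from DXC or Permiso. It evaluates
security groups in the JSON shape returned by `aws ec2 describe-security-groups`
(or boto3's describe_security_groups) and uses a constructed sample so it runs
offline; feed it the live response to audit a real account.
"""
import ipaddress

WORLD_OPEN = (ipaddress.ip_network("0.0.0.0/0"), ipaddress.ip_network("::/0"))

# Constructed sample: group IDs and names are hypothetical.
SAMPLE_GROUPS = [
    {   # SSH open to the world via IPv4 -> finding
        "GroupId": "sg-0aaa111", "GroupName": "web-admin",
        "IpPermissions": [
            {"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22,
             "IpRanges": [{"CidrIp": "0.0.0.0/0"}], "Ipv6Ranges": []},
        ],
    },
    {   # SSH restricted to the corporate range -> clean
        "GroupId": "sg-0bbb222", "GroupName": "bastion",
        "IpPermissions": [
            {"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22,
             "IpRanges": [{"CidrIp": "10.0.0.0/8"}], "Ipv6Ranges": []},
        ],
    },
    {   # "all traffic" rule open to the IPv6 world covers port 22 too -> finding
        "GroupId": "sg-0ccc333", "GroupName": "legacy-all",
        "IpPermissions": [
            {"IpProtocol": "-1",
             "IpRanges": [], "Ipv6Ranges": [{"CidrIpv6": "::/0"}]},
        ],
    },
    {   # port range 20-25 open to the world includes 22 -> finding
        "GroupId": "sg-0ddd444", "GroupName": "ftp-box",
        "IpPermissions": [
            {"IpProtocol": "tcp", "FromPort": 20, "ToPort": 25,
             "IpRanges": [{"CidrIp": "0.0.0.0/0"}], "Ipv6Ranges": []},
        ],
    },
    {   # UDP/22 to the world is not SSH -> clean
        "GroupId": "sg-0eee555", "GroupName": "udp-thing",
        "IpPermissions": [
            {"IpProtocol": "udp", "FromPort": 22, "ToPort": 22,
             "IpRanges": [{"CidrIp": "0.0.0.0/0"}], "Ipv6Ranges": []},
        ],
    },
]


def rule_covers_tcp_port(rule, port):
    """True if an inbound rule allows TCP traffic to `port`."""
    proto = rule.get("IpProtocol")
    if proto == "-1":                      # "all traffic": every protocol and port
        return True
    if proto not in ("tcp", "6"):          # AWS accepts the name or the IANA number
        return False
    return rule.get("FromPort", 0) <= port <= rule.get("ToPort", 65535)


def world_open_cidrs(rule):
    """CIDRs in the rule that admit every source address (IPv4 or IPv6)."""
    cidrs = [r["CidrIp"] for r in rule.get("IpRanges", [])]
    cidrs += [r["CidrIpv6"] for r in rule.get("Ipv6Ranges", [])]
    return [c for c in cidrs if ipaddress.ip_network(c, strict=False) in WORLD_OPEN]


def find_world_open_ssh(groups, port=22):
    """Return one finding per (group, cidr) pair that exposes `port` to everyone."""
    findings = []
    for sg in groups:
        for rule in sg.get("IpPermissions", []):
            if not rule_covers_tcp_port(rule, port):
                continue
            for cidr in world_open_cidrs(rule):
                findings.append({"GroupId": sg["GroupId"],
                                 "GroupName": sg.get("GroupName", ""),
                                 "Protocol": rule.get("IpProtocol"),
                                 "CidrIp": cidr})
    return findings


if __name__ == "__main__":
    for f in find_world_open_ssh(SAMPLE_GROUPS):
        print(f"{f['GroupId']} ({f['GroupName']}): port 22 open to "
              f"{f['CidrIp']} via protocol {f['Protocol']}")
```

The same function audits any other administrative port (RDP on 3389, for example) by changing the `port` argument; the "all traffic" rule on the third group is reported for every port, which is exactly why such rules deserve scrutiny.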

Threat-hunting tips

TTPs:

Permiso researchers provided this TTP chart of the attack lifecycle:

IOCs

Indicator                              Type        Notes
182.1.229.252                          IPv4        PT. Telekomunikasi Selular
114.125.247.101                        IPv4        PT. Telekomunikasi Selular
114.125.245.53                         IPv4        PT. Telekomunikasi Selular
114.125.232.189                        IPv4        PT. Telekomunikasi Selular
114.125.228.81                         IPv4        PT. Telekomunikasi Selular
114.125.229.197                        IPv4        PT. Telekomunikasi Selular
114.125.246.235                        IPv4        PT. Telekomunikasi Selular
114.125.246.43                         IPv4        PT. Telekomunikasi Selular
36.85.110.142                          IPv4        PT Telekomunikasi Indonesia
https://s3browser.com/                 URL         S3 Browser, the GUI client used by the actor
su32                                   SSH key
new-user-<8 alphanumeric characters>   IAM user    default naming standard for creating a user with S3 Browser
sec_audit                              IAM user
sdgs                                   IAM policy
ter                                    IAM policy
backup                                 IAM user
dq                                     IAM policy

The IP addresses sit in Indonesian consumer mobile and broadband ranges (Telkomsel and Telkom Indonesia), so they are likely dynamically assigned and are better used as pivots for hunting than as long-lived blocklist entries. The IAM names are the stronger signal: an IAM user matching new-user-<8 alphanumeric characters> that your own administrators did not create indicates S3 Browser was used against the account.
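To turn the threat-hunting tips and the IOC table into something that runs, the following script is an added example (not code from DXC or Permiso) that walks CloudTrail records and flags the source IPs, IAM user and policy names, key pair name and S3 Browser naming pattern listed above. The events are constructed in the shape of a CloudTrail log file ("Records" list) with hypothetical event IDs and non-IOC addresses; the user-agent match is an assumption not stated on this page and should be confirmed against your own logs.

```python
"""Hunt CloudTrail records for the GUI-vil indicators listed on this page.

Added example for this advisory, not code from DXC or Permiso. It runs over a
constructed batch of events in the shape of a CloudTrail log file ("Records"
list); pass it real records from your CloudTrail S3 bucket or CloudTrail Lake
to hunt for real.
"""
import re

IOC_IPS = {
    "182.1.229.252", "114.125.247.101", "114.125.245.53", "114.125.232.189",
    "114.125.228.81", "114.125.229.197", "114.125.246.235", "114.125.246.43",
    "36.85.110.142",
}
IOC_IAM_USERS = {"sec_audit", "backup"}
IOC_IAM_POLICIES = {"sdgs", "ter", "dq"}
IOC_KEY_NAMES = {"su32"}
# S3 Browser's default name when it creates an IAM user (from the IOC table).
S3_BROWSER_USER = re.compile(r"^new-user-[A-Za-z0-9]{8}$")
# Assumption (not stated on this page): the S3 Browser client identifies itself
# in the CloudTrail userAgent field. Confirm against your own logs before relying on it.
S3_BROWSER_UA = re.compile(r"s3 ?browser", re.IGNORECASE)

# Constructed sample events; event IDs, user agents and non-IOC IPs are hypothetical.
SAMPLE_LOG = {"Records": [
    {"eventID": "e1", "eventName": "CreateUser", "eventSource": "iam.amazonaws.com",
     "sourceIPAddress": "114.125.247.101", "userAgent": "S3 Browser",
     "requestParameters": {"userName": "new-user-a1b2c3d4"}},
    {"eventID": "e2", "eventName": "CreatePolicy", "eventSource": "iam.amazonaws.com",
     "sourceIPAddress": "36.85.110.142", "userAgent": "console.amazonaws.com",
     "requestParameters": {"policyName": "sdgs",
                           "policyDocument": '{"Version":"2012-10-17","Statement":[]}'}},
    {"eventID": "e3", "eventName": "CreateKeyPair", "eventSource": "ec2.amazonaws.com",
     "sourceIPAddress": "182.1.229.252", "userAgent": "console.ec2.amazonaws.com",
     "requestParameters": {"keyName": "su32", "keyType": "rsa"}},
    {"eventID": "e4", "eventName": "CreateUser", "eventSource": "iam.amazonaws.com",
     "sourceIPAddress": "203.0.113.10", "userAgent": "aws-cli/2.0",
     "requestParameters": {"userName": "deploy-bot"}},
    {"eventID": "e5", "eventName": "RunInstances", "eventSource": "ec2.amazonaws.com",
     "sourceIPAddress": "198.51.100.7", "userAgent": "terraform",
     "requestParameters": {"instanceType": "t3.micro"}},
]}


def hunt(records):
    """Return one finding per event that matches any indicator, with the reasons why."""
    findings = []
    for ev in records:
        reasons = []
        name = ev.get("eventName", "")
        params = ev.get("requestParameters") or {}
        src = ev.get("sourceIPAddress", "")
        if src in IOC_IPS:
            reasons.append(f"source IP {src} is a known GUI-vil address")
        if S3_BROWSER_UA.search(ev.get("userAgent", "")):
            reasons.append("S3 Browser user agent")
        if name == "CreateUser":
            user = params.get("userName", "")
            if S3_BROWSER_USER.match(user):
                reasons.append(f"IAM user {user} follows the S3 Browser default naming")
            elif user in IOC_IAM_USERS:
                reasons.append(f"IAM user name {user} is a GUI-vil indicator")
        elif name in ("CreatePolicy", "PutUserPolicy", "PutRolePolicy", "PutGroupPolicy"):
            policy = params.get("policyName", "")
            if policy in IOC_IAM_POLICIES:
                reasons.append(f"IAM policy name {policy} is a GUI-vil indicator")
        elif name in ("CreateKeyPair", "ImportKeyPair"):
            key = params.get("keyName", "")
            if key in IOC_KEY_NAMES:
                reasons.append(f"key pair name {key} is a GUI-vil indicator")
        if reasons:
            findings.append({"eventID": ev.get("eventID"), "eventName": name,
                             "sourceIPAddress": src, "reasons": reasons})
    return findings


if __name__ == "__main__":
    for f in hunt(SAMPLE_LOG["Records"]):
        print(f"{f['eventID']} {f['eventName']} from {f['sourceIPAddress']}: "
              + "; ".join(f["reasons"]))
```

Each finding carries every reason that fired, so a single CreateUser from an IOC address with the S3 Browser naming pattern scores three independent hits, while a legitimate CreateUser from an automation host produces none; sort by the number of reasons to triage the noisiest accounts first.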