Monero, the open-source cryptocurrency that focuses on privacy, fungibility, and decentralization, has hit the headlines once again, but this time for all the wrong reasons. Cado Security has identified Monero mining malware infecting thousands of computers, and this time Amazon Web Services (AWS) is its target.
The cybersecurity team found that the crypto worm has been trying to steal AWS credentials for quite some time now. The news is unexpected for Monero because it is among the top privacy-focused cryptocurrencies.
As per the cybersecurity reports, a Monero mining script was found embedded in an AWS virtual machine, which raises questions for Amazon about how long the hackers have had access to its systems. The cybersecurity team is still trying to find the answers, but according to them the Monero mining malware has been active since December 2019 and operates under the name “Blue Mockingbird.”
The worm has infected many Docker and Kubernetes systems in the past by searching for and exfiltrating local credentials and then scanning the internet to spread itself to misconfigured Docker platforms. The Monero worm has been under the cybersecurity team’s scrutiny for quite some time, but this incident involving one of the biggest organizations, Amazon, stirred up their attention and the case gained momentum.
As per the cybersecurity experts and researchers at Mitiga, “an AWS AMI for a Windows 2008 virtual server hosted by an unverified vendor” has been infected by the Monero mining malware. These AWS virtual machines, commonly known as EC2 instances, were infected by the crypto worm; the machine images they run from are developed by third parties and deployed on Amazon Web Services (AWS). Businesses leverage these services to lower the cost of their operations.
AWS users source these machine images either from the verified Amazon Marketplace AMIs or from the unverified Community AMIs. While performing a security audit for a finance company, the cybersecurity experts at Mitiga found the Monero mining script used in the attack inside a Community AMI for a Windows 2008 server. According to their investigation report, the AMI was purposefully created to infect virtual machines, and the Monero mining script had been embedded in the AMI from the very first day.
Representatives of AWS were not available for comment on this incident. The researchers at Mitiga believe that, given the potential of the malware, the risk is very high, though they do not yet know how many other devices and entities the malware has infected. To mitigate these risks, the cybersecurity team at Mitiga advises AWS clients to immediately terminate any unverified Community AMI they are running and to use one from a trusted vendor instead.
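Acting on that advice starts with an inventory: which running instances were launched from an AMI that neither AWS, the AWS Marketplace, nor your own account owns? The following script is an added example written for this page, not code from Mitiga, Cado or the article. It assumes instance and image records in the shape returned by the EC2 DescribeInstances and DescribeImages APIs (for instance as fetched with boto3), and all account ids, instance ids and AMI ids in it are constructed sample data.

```python
"""Flag running EC2 instances launched from unverified community AMIs.

Assumption: the records below mirror the dict shape of the EC2
DescribeInstances / DescribeImages responses. All ids are constructed
sample values for this example, not real accounts or images.
"""

# Owner aliases that AWS assigns to images it or the Marketplace publishes.
# Any other owner that is not our own account is treated as a community AMI.
TRUSTED_OWNER_ALIASES = {"amazon", "aws-marketplace"}

# Constructed sample: our own account id for the example.
OWN_ACCOUNT_ID = "111111111111"

# Constructed sample DescribeImages-style records, keyed by ImageId.
SAMPLE_IMAGES = {
    "ami-0000000000000000a": {"ImageId": "ami-0000000000000000a",
                              "OwnerId": OWN_ACCOUNT_ID,
                              "Name": "our-golden-image"},
    "ami-0000000000000000b": {"ImageId": "ami-0000000000000000b",
                              "OwnerId": "222222222222",
                              "ImageOwnerAlias": "amazon",
                              "Name": "amazon-published-image"},
    "ami-0000000000000000c": {"ImageId": "ami-0000000000000000c",
                              "OwnerId": "333333333333",
                              "ImageOwnerAlias": "aws-marketplace",
                              "Name": "marketplace-vendor-image"},
    "ami-0000000000000000d": {"ImageId": "ami-0000000000000000d",
                              "OwnerId": "999999999999",
                              "Name": "Windows_Server-2008-community-example"},
}

# Constructed sample DescribeInstances-style records (the per-instance dicts).
SAMPLE_INSTANCES = [
    {"InstanceId": "i-00000000000000001", "ImageId": "ami-0000000000000000a",
     "State": {"Name": "running"}},
    {"InstanceId": "i-00000000000000002", "ImageId": "ami-0000000000000000b",
     "State": {"Name": "running"}},
    {"InstanceId": "i-00000000000000003", "ImageId": "ami-0000000000000000c",
     "State": {"Name": "running"}},
    {"InstanceId": "i-00000000000000004", "ImageId": "ami-0000000000000000d",
     "State": {"Name": "running"}},
    {"InstanceId": "i-00000000000000005", "ImageId": "ami-0000000000000000d",
     "State": {"Name": "stopped"}},
    # Launched from an AMI that is no longer visible (deregistered or
    # made private by its publisher): we cannot vouch for it either.
    {"InstanceId": "i-00000000000000006", "ImageId": "ami-0000000000000000e",
     "State": {"Name": "running"}},
]


def classify_ami(image, own_account_id, trusted_aliases=TRUSTED_OWNER_ALIASES):
    """Return 'own', 'verified' or 'community' for one DescribeImages record."""
    if image.get("OwnerId") == own_account_id:
        return "own"
    if image.get("ImageOwnerAlias") in trusted_aliases:
        return "verified"
    return "community"


def find_unverified_instances(instances, images, own_account_id):
    """Return (instance_id, image_id, owner) for every running instance whose
    AMI is a community image or can no longer be looked up at all."""
    findings = []
    for inst in instances:
        if inst.get("State", {}).get("Name") != "running":
            continue  # Mitiga's advice concerns images that are actually running
        image_id = inst["ImageId"]
        image = images.get(image_id)
        if image is None:
            findings.append((inst["InstanceId"], image_id, "unknown"))
            continue
        if classify_ami(image, own_account_id) == "community":
            findings.append((inst["InstanceId"], image_id, image.get("OwnerId")))
    return findings


if __name__ == "__main__":
    for instance_id, image_id, owner in find_unverified_instances(
            SAMPLE_INSTANCES, SAMPLE_IMAGES, OWN_ACCOUNT_ID):
        print(f"REVIEW {instance_id}: launched from {image_id} (owner {owner})")
```

Against live data you would replace the two sample structures with the `Instances` lists from `describe_instances()` and the `Images` list from `describe_images(ImageIds=[...])`, keyed by `ImageId`. An instance whose image can no longer be described is reported alongside the community ones, because an image you cannot inspect is no more trustworthy than one you know came from an unverified vendor.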
Mining malware is among the most nefarious attacks targeted at businesses: infected AMIs are installed on the host machines to encrypt the company’s files, after which the attackers blackmail the company for a massive sum of money.