Crypto Mining Exploits: Indonesian Cybercriminals Target AWS for Lucrative Operations

A group of financially motivated cybercriminals operating out of Indonesia has been exploiting Amazon Web Services (AWS) Elastic Compute Cloud (EC2) instances to run illicit cryptocurrency mining. The group, tracked as “GUI-vil” (pronounced Goo-ee-vil), has caught the attention of security researchers for an unusual approach: rather than scripting everything, they work through ordinary GUI tools and the AWS console, which lets their activity blend in with legitimate administration of the victim’s AWS environment.

First observed by Permiso P0 Labs in November 2021, GUI-vil prefers Graphical User Interface (GUI) tools over the command line. In the early stages of an intrusion they use S3 Browser (version 9.5.5), a Windows desktop client for Amazon S3, to work with stolen access keys; once they have console credentials they continue directly in the AWS Management Console through the web browser. That preference is itself a detection opportunity: the user agent of a desktop S3 client, or console activity from an identity that normally only runs automation, stands out in CloudTrail when your own engineers work through the AWS CLI or infrastructure-as-code tooling.

GUI-vil’s attack chains begin with initial access obtained in one of two ways: AWS access keys committed to publicly exposed source code repositories on GitHub, or self-hosted GitLab instances that are still vulnerable to remote code execution flaws such as CVE-2021-22205 (the unauthenticated image-upload bug in GitLab’s ExifTool handling). With a foothold, the threat actor escalates privileges and performs reconnaissance from inside the account, enumerating S3 buckets and checking which services the compromised identity can reach in the AWS web console.

What sets GUI-vil apart is the care they take to avoid detection and keep persistent access. They create new IAM users whose names follow the victim’s existing naming convention, so the accounts blend in with legitimate ones, and generate access keys for those identities so that S3 Browser keeps working even if the originally stolen key is rotated. Alternatively, they create login profiles (console passwords) for existing users that never had one, gaining console access under an identity defenders already trust. Each of these actions is a distinct CloudTrail event (CreateUser, CreateAccessKey, CreateLoginProfile), which is what makes the persistence step detectable.

GUI-vil’s source IP addresses map to two Autonomous System Numbers (ASNs) registered in Indonesia, which is the basis for attributing the group to that country. Their end goal is to launch EC2 instances for cryptocurrency mining. Notably, the profit from the mining is often only a fraction of the compute bill borne by the victim organization that unknowingly runs those instances.
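The chain described above leaves a recognisable trail in CloudTrail: a desktop S3 client user agent, IAM persistence events, and then compute launched with a key that did not exist a few minutes earlier. As an added example (not code from this article or from Permiso P0 Labs), the Python script below runs those rules over a constructed set of CloudTrail records that replays the chain. The records are made up for illustration: the account number, access key ids and IP addresses are AWS documentation and RFC 5737 example values, and the exact user agent string S3 Browser sends is assumed, not quoted from the report.

```python
import json
from collections import Counter

# Constructed CloudTrail records (not real telemetry), one JSON object per line.
# Account id, key ids and source addresses are AWS documentation / RFC 5737
# example values; the "S3 Browser 9.5.5" user agent is an assumption.
SAMPLE_TRAIL = r'''
{"eventTime":"2023-05-22T09:58:01Z","eventSource":"s3.amazonaws.com","eventName":"ListBuckets","userIdentity":{"type":"IAMUser","userName":"deploy","accessKeyId":"AKIAIOSFODNN7EXAMPLE"},"sourceIPAddress":"203.0.113.5","userAgent":"S3 Browser 9.5.5 https://s3browser.com","requestParameters":null,"responseElements":null}
{"eventTime":"2023-05-22T10:02:14Z","eventSource":"iam.amazonaws.com","eventName":"CreateUser","userIdentity":{"type":"IAMUser","userName":"deploy","accessKeyId":"AKIAIOSFODNN7EXAMPLE"},"sourceIPAddress":"203.0.113.5","userAgent":"S3 Browser 9.5.5 https://s3browser.com","requestParameters":{"userName":"backup-svc"},"responseElements":{"user":{"userName":"backup-svc","arn":"arn:aws:iam::123456789012:user/backup-svc"}}}
{"eventTime":"2023-05-22T10:02:40Z","eventSource":"iam.amazonaws.com","eventName":"CreateAccessKey","userIdentity":{"type":"IAMUser","userName":"deploy","accessKeyId":"AKIAIOSFODNN7EXAMPLE"},"sourceIPAddress":"203.0.113.5","userAgent":"S3 Browser 9.5.5 https://s3browser.com","requestParameters":{"userName":"backup-svc"},"responseElements":{"accessKey":{"userName":"backup-svc","accessKeyId":"AKIAI44QH8DHBEXAMPLE","status":"Active"}}}
{"eventTime":"2023-05-22T10:05:09Z","eventSource":"iam.amazonaws.com","eventName":"CreateLoginProfile","userIdentity":{"type":"IAMUser","userName":"deploy","accessKeyId":"AKIAIOSFODNN7EXAMPLE"},"sourceIPAddress":"203.0.113.5","userAgent":"S3 Browser 9.5.5 https://s3browser.com","requestParameters":{"userName":"ci-runner","passwordResetRequired":false},"responseElements":{"loginProfile":{"userName":"ci-runner"}}}
{"eventTime":"2023-05-22T10:09:33Z","eventSource":"ec2.amazonaws.com","eventName":"RunInstances","userIdentity":{"type":"IAMUser","userName":"backup-svc","accessKeyId":"AKIAI44QH8DHBEXAMPLE"},"sourceIPAddress":"203.0.113.5","userAgent":"console.ec2.amazonaws.com","requestParameters":{"instanceType":"c5.24xlarge","instancesSet":{"items":[{"minCount":4,"maxCount":4}]}},"responseElements":null}
{"eventTime":"2023-05-22T11:00:00Z","eventSource":"ec2.amazonaws.com","eventName":"DescribeInstances","userIdentity":{"type":"IAMUser","userName":"alice","accessKeyId":"AKIAEXAMPLEALICE0001"},"sourceIPAddress":"198.51.100.7","userAgent":"aws-cli/2.11.0 Python/3.11.3","requestParameters":null,"responseElements":null}
'''

GUI_TOOL_MARKERS = ("S3 Browser",)
PERSISTENCE_EVENTS = {"CreateUser", "CreateAccessKey", "CreateLoginProfile", "UpdateLoginProfile"}


def parse_trail(text):
    """One CloudTrail record per line (the shape Athena / EventBridge exports use)."""
    return [json.loads(line) for line in text.strip().splitlines() if line.strip()]


def detect(records):
    """Return (eventTime, actor, rule) tuples in log order.

    Rules, in the order the GUI-vil chain plays out:
      gui-tool-user-agent                   a desktop S3 client is talking to the API
      iam-persistence:<event>-><user>       user / key / login-profile creation
      fresh-key-in-use                      a key minted inside this window is already in use
      compute-launch-with-fresh-key:<type>  RunInstances from such a key
    """
    findings = []
    fresh_keys = set()  # access key ids created within the records we have seen so far
    for r in records:
        ident = r.get("userIdentity") or {}
        actor = ident.get("userName", "?")
        when = r.get("eventTime", "?")
        name = r.get("eventName", "")
        params = r.get("requestParameters") or {}  # CloudTrail emits JSON null here sometimes
        if any(marker in (r.get("userAgent") or "") for marker in GUI_TOOL_MARKERS):
            findings.append((when, actor, "gui-tool-user-agent"))
        if r.get("eventSource") == "iam.amazonaws.com" and name in PERSISTENCE_EVENTS:
            target = params.get("userName", "?")
            findings.append((when, actor, f"iam-persistence:{name}->{target}"))
            if name == "CreateAccessKey":
                key = ((r.get("responseElements") or {}).get("accessKey") or {}).get("accessKeyId")
                if key:
                    fresh_keys.add(key)
        if ident.get("accessKeyId") in fresh_keys:
            findings.append((when, actor, "fresh-key-in-use"))
            if name == "RunInstances":
                itype = params.get("instanceType", "?")
                findings.append((when, actor, f"compute-launch-with-fresh-key:{itype}"))
    return findings


def by_actor(findings):
    """Number of findings per acting IAM user, for a quick triage summary."""
    return dict(Counter(actor for _, actor, _ in findings))


if __name__ == "__main__":
    for when, actor, rule in detect(parse_trail(SAMPLE_TRAIL)):
        print(f"{when} {actor:<12} {rule}")
```

Run against a real trail (Athena over the CloudTrail bucket, or a CloudTrail Lake query exported as JSON lines) the same rules work unchanged; the useful tuning knobs are the user-agent markers, which should include any GUI client your own staff do not use, and the time window for the fresh-key rule, since a key created and used within minutes by a brand-new user is far more suspicious than one used a week later by a provisioning pipeline.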

To protect your organization from similar threats, it’s crucial to stay informed and adopt robust security measures. Here are some essential tips to safeguard your environment from these types of exploits:

  • Keep AWS credentials out of source code: scan repositories (including their history) for access keys before they are pushed, and treat any key that has ever been committed to a public repository as compromised and rotate it.
  • Keep self-hosted GitLab instances patched against known vulnerabilities such as CVE-2021-22205, and avoid exposing them directly to the internet.
  • Enforce least-privilege IAM policies and tight user management; in particular, restrict which identities may call CreateUser, CreateAccessKey and CreateLoginProfile.
  • Review CloudTrail regularly for signs of unauthorized access: IAM users created outside your provisioning pipeline, new access keys, login profiles added to users that previously had none, and unfamiliar user agents.
  • Use your cloud provider’s threat-detection services (such as Amazon GuardDuty) together with your own alerting to surface anomalous API activity and cryptocurrency mining behaviour.
  • Continuously audit user accounts and access privileges, and promptly revoke unused keys and unnecessary permissions.
  • Require multi-factor authentication (MFA) for all console users, and prefer short-lived role credentials over long-lived access keys.
  • Educate your team about common phishing and social engineering tactics to prevent credential disclosure.
  • Set billing alarms and monitor EC2 usage: a sudden launch of large compute instances is often the first visible sign of a mining operation.
  • Follow AWS’s security best practices and security bulletins to stay ahead of emerging threats.
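The first tip is the one that would have cut off GUI-vil’s easiest entry point, so here is a worked example of it. This is an added illustration written for this page, not a tool from the article or from Permiso: a minimal pre-commit style scanner in Python that looks for AWS access key ids (the AKIA/ASIA prefix plus 16 uppercase alphanumerics) and 40-character secret keys next to a variable name. The sample repository contents are constructed, the credentials in `config/settings.py` are made-up strings that were never live keys, and the entropy floor of 4.0 bits per character used to separate real secrets from template placeholders is an assumed threshold.

```python
import math
import re
from dataclasses import dataclass

# Long-lived IAM user keys start with AKIA; temporary STS keys start with ASIA.
ACCESS_KEY_ID_RE = re.compile(r"\b((?:AKIA|ASIA)[0-9A-Z]{16})\b")
# A secret key is 40 characters of the base64 alphabet. Anchoring on a nearby
# variable name keeps unrelated 40-char strings (hashes, base64 blobs) out.
SECRET_KEY_RE = re.compile(
    r"(?i)aws[_-]?secret[_-]?(?:access[_-]?)?key\s*[=:]\s*['\"]?([A-Za-z0-9/+=]{40})['\"]?"
)
ENTROPY_FLOOR = 4.0  # assumed: bits per character below which a 40-char value is a placeholder


@dataclass
class Finding:
    path: str
    line: int
    kind: str     # "access_key_id" or "secret_key"
    status: str   # "hit", "allowlisted" or "placeholder"
    preview: str  # first four characters only; never log the whole credential


def shannon_entropy(s: str) -> float:
    """Bits of entropy per character; 0.0 for a single repeated character."""
    if not s:
        return 0.0
    counts = {}
    for ch in s:
        counts[ch] = counts.get(ch, 0) + 1
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def classify(value: str, check_entropy: bool) -> str:
    # AWS documentation keys carry the literal EXAMPLE; treat those as known-safe.
    if "EXAMPLE" in value:
        return "allowlisted"
    # Key ids are too short for an entropy test, so only secrets get it.
    if check_entropy and shannon_entropy(value) < ENTROPY_FLOOR:
        return "placeholder"   # e.g. xxxxxxxx... in a template file
    return "hit"


def scan_text(path: str, text: str) -> list:
    findings = []
    for lineno, line in enumerate(text.splitlines(), 1):
        for m in ACCESS_KEY_ID_RE.finditer(line):
            v = m.group(1)
            findings.append(Finding(path, lineno, "access_key_id", classify(v, False), v[:4] + "****"))
        for m in SECRET_KEY_RE.finditer(line):
            v = m.group(1)
            findings.append(Finding(path, lineno, "secret_key", classify(v, True), v[:4] + "****"))
    return findings


def scan_files(files: dict) -> list:
    """files maps path -> contents; a real hook would read the staged diff instead."""
    out = []
    for path, text in files.items():
        out.extend(scan_text(path, text))
    return out


# Constructed repository contents. The values in settings.py are made up and
# were never live credentials; README carries the AWS documentation examples.
SAMPLE_FILES = {
    "config/settings.py": (
        'AWS_ACCESS_KEY_ID = "AKIAQ7XJ2M4ZUB6N3PLD"\n'
        'AWS_SECRET_ACCESS_KEY = "k9Z2q/Tb8LwX5vR1mN0yQ7sH4pJ6uF3dE8cG2aB1"\n'
    ),
    "docs/README.md": (
        "aws_access_key_id = AKIAIOSFODNN7EXAMPLE\n"
        "aws_secret_access_key = wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY\n"
    ),
    ".env.template": "AWS_SECRET_ACCESS_KEY=" + "x" * 40 + "\n",
}

if __name__ == "__main__":
    results = scan_files(SAMPLE_FILES)
    for f in results:
        print(f"{f.status:<11} {f.kind:<14} {f.path}:{f.line} {f.preview}")
    if any(f.status == "hit" for f in results):
        raise SystemExit("refusing commit: live-looking AWS credentials found")
```

Wired into a pre-commit hook, the non-zero exit blocks the commit only on real-looking hits, so documentation examples and template placeholders do not generate noise. The scanner deliberately prints only a four-character preview: a hook that echoes the full secret into CI logs has just leaked it a second time. Remember that scanning the working tree is not enough once a key has been pushed; a key that ever reached a public repository must be rotated regardless of whether it was later removed.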

By adhering to these best practices, organizations of any size can bolster their defenses against crypto mining exploits and minimize the impact of such attacks. In the ever-changing landscape of cybersecurity, it’s vital to remain vigilant, adapt to new attack techniques, and implement proactive security measures to stay one step ahead of cybercriminals. Stay informed and safeguard your digital assets.
