Type
Campaign
Actors
Unknown
Pub. date
January 19, 2024
Initial access
Exposed secret
Impact
Resource hijacking
Observed techniques
Cloud compute cryptojackingPublic malicious container image
Observed tools
XMRig
Targeted technologies
AWS Fargate
References
https://securitylabs.datadoghq.com/articles/tales-from-the-cloud-trenches-ecs-crypto-mining/
Status
Finalized
Last edited
Jun 2, 2024 8:02 AM
Datadog observed an attacker leveraging a compromised IAM user access key to gain initial access to an AWS environment, at which point they immediately began spinning up hundreds of ECS Fargate clusters, within which they created ECS task definitions to launch containers based on 40 malicious public Docker Hub images. Overall, the attacker likely succeeded to run thousands of such containers, each running XMRig for cryptomining purposes. Based on the number of downloads of the Docker images, Datadog estimates that this incident was in fact part of larger campaign that might have targeted anywhere between tens and hundreds of thousands of environments.