A Monero mining malware script has been found embedded in a public instance of an Amazon Web Services [AWS] virtual machine. The community is now asking an important question: what percentage of other Amazon Machine Instances (AMIs) are infected with similar malware?
Researchers at cybersecurity firm Mitiga revealed in an official blog post earlier on Friday that an AWS AMI for a Windows 2008 virtual server, hosted by an unverified vendor, is infected with a Monero mining script. The malware would have infected any device running the AMI, with the aim of using the device’s processing power to mine the privacy coin Monero without the user’s consent, a malware attack that has become too common in the crypto ecosystem.
The blog post adds:
“Mitiga’s security research team has identified an AWS Community AMI containing malicious code running an unidentified crypto [Monero] miner. We’ve concerns that this might be a phenomenon, instead of an isolated occurrence.”
AMI’s Code Embedded From Day One
Businesses and other entities use AWS to spin up what are called “EC2” instances of popular programs and services. Also referred to as virtual machines, these EC2 instances are developed by third parties and deployed under the Amazon Machine Instance framework, and businesses use them to lower the cost of compute power for their operations. AWS users can source these services from Amazon Marketplace AMIs, which come from Amazon-verified vendors, or from Community AMIs, which are unverified.
Mitiga discovered the Monero script in a Community AMI for a Windows 2008 Server while conducting a security audit for a financial services company. In its analysis, Mitiga added that the AMI was created for the sole purpose of infecting devices with the mining malware, as the script was included in the AMI’s code from day one.
Outside of the financial services company that hired Mitiga to review the AMI, the cybersecurity firm is unaware of how many other entities and devices could also be infected with the malware.
Amazon Web Services’ documentation, for its part, includes the caveat that users choose to use Community AMIs “at [their] own risk” and that Amazon “can’t vouch for the integrity or security of [these] AMIs,” which accounts for its part in this incident.