Cybersecurity firm finds hidden Monero mining malware on AWS Marketplace

Quick Take

  • A publicly-available instance on an Amazon Web Services (AWS) community marketplace contains Monero mining malware, according to a cybersecurity firm.
  • Mitiga said in a note Friday that the discovery highlights the risk in using unverified offerings on the AWS marketplace.
  • The firm said that thus far, only one example of this has been discovered thus far.

A cybersecurity firm said Friday that it discovered hidden  mining malware on a virtualized instance offered through an Amazon Web Services (AWS) community marketplace.

Incidents of so-called "cryptojacking" have been reported for years, referring to the myriad ways by which clandestine code — typically for the cryptocurrency Monero — is used to infect computers for the purposes of creating hashpower. Late last month, for example, a group of researchers at Cisco Talos revealed details of a cryptojacking botnet discovered in March with victims spread through North America, Asia and South America.

The vulnerability notice published by Mitiga highlighted malicious code discovered in an Amazon Machine Instance (AMI) available on the AWS Marketplace. AWS Marketplace allows for the sale and offering of many different kinds of virtualized services and applications, including operating systems.

The marketplace is populated by trusted vendors who are certified by AWS, but any AWS user can create an AMI and make it publicly available for those who use the service as well. It's in one of these so-called community offerings that Mitiga said it discovered the malicious code.

"At a recent customer engagement with a financial institution, we were asked to assess its environment's cloud resiliency, in order to be better prepared for a possible incident. As part of our assessment of the organization’s AWS environment against a bank of attack scenarios, we discovered an active crypto miner on one of the company's EC2 servers," Mitiga explained in its notice. "The crypto miner didn’t find itself there by means of an exploit or misconfiguration – rather, it was there the entire time, courtesy of the AMI that was used to create the EC2 instance it was running in from the get-go."

According to screenshots shared with The Block, the AMI — a Windows Server 2008 offering — contained code for NsCpuCNMiner64, a known Trojan malware type that secretly uses a computer's processing power to mine.


Keep up with the latest news, trends, charts and views on crypto and DeFi with a new biweekly newsletter from The Block's Frank Chaparro

By signing-up you agree to our Terms of Service and Privacy Policy
By signing-up you agree to our Terms of Service and Privacy Policy

Mitiga told The Block that reached out to Amazon about the issue, but as of yesterday had not received a response. The press office for AWS did not respond to an emailed request for comment.

Yet in its on-site documentation, AWS notes that the use of such community AMIs carry their own risks. "Amazon can't vouch for the integrity or security of AMIs shared by other Amazon EC2 users. Therefore, you should treat shared AMIs as you would any foreign code that you might consider deploying in your own data center and perform the appropriate due diligence. We recommend that you get an AMI from a trusted source," the service explains.

Speaking to The Block, Ofer Maor, co-founder and CTO of Mitiga, said that the AMI was the only example discovered at this time, but stressed that "there are thousands and thousands of Community AMIs and there are no details as to download amounts, who published them etc. Do you see how problematic this thing is?" 

"Our professional opinion is to issue a security advisory because we feel the risk is that high," Maor continued.

In the notice, Mitiga cautioned that the hidden Trojan highlights the risk of using unverified Community AMIs and recommends the use of those offered by trusted sources

"Out of an abundance of caution, if you are utilizing such a Community AMI, we recommend verifying or terminating these instances, and seeking AMIs from trusted sources."

© 2023 The Block. All Rights Reserved. This article is provided for informational purposes only. It is not offered or intended to be used as legal, tax, investment, financial, or other advice.