August 26, 2020
An incident readiness and response company, Mitiga, has discovered that a product that was for sale on Amazon Web Services contained Monero Mining Malware. Mitiga expressing their findings noted that they learned about the Malware when conducting a security audit for a financial services company.
According to the Mitiga’s blog post, “Mitiga’s security research team has identified an AWS Community AMI containing malicious code running an unidentified Monero crypto miner,” they added, “We have concerns this may be a phenomenon, rather than an isolated occurrence.”
Malware discovered on AWS
Unfortunately, the AWS marketplace allows anyone to sell virtual services on its market. Although the market is full of verified vendors, it also contains offerings from unverified community members.
The AWS marketplace allows anyone to sell virtual services, regrettably. Even though the market is full of verified vendors, it also contains submissions from unverified community members.
They revealed that one community member was selling a Windows 2008 virtual server that secretly used the calculating power of somebody who downloaded it to mine Monero in the background. While it may come up as a surprise that Monero mining malware existed on Amazon’s AWS Marketplace, Amazon’s policy clearly states that:
Attack vendor being reduced
For a buyer to evade falling victim to Malware that might live within community offerings on the AWS marketplace, Mitiga recommends “verifying or terminating these instances [unverified offerings], and seeking AMIs from trusted sources.”
“As AWS customer usage is obfuscated, we can’t know how far and wide this phenomenon stretches without AWS’s investigation,” said Mitiga. “We do, however, believe that the potential risk is high enough to issue a security advisory to all AWS customers using Community AMIs.”