Amazon warns of cryptomining campaign abusing AWS IAM
⚠️ Amazon's GuardDuty team is tracking an ongoing cryptomining campaign that uses compromised Identity and Access Management (IAM) credentials to abuse EC2 and ECS resources. The attacker deployed an yenik65958/secret Docker Hub image containing the SBRMiner-MULTI miner and configured large ECS tasks and auto-scaling EC2 groups to maximize mining. The actor also enabled instance termination protection to hinder remediation; Amazon has removed the malicious image, alerted affected customers, and recommends rotating compromised IAM credentials while following GuardDuty mitigation guidance.
