A cybersecurity firm has unearthed a Monero mining script within a public instance of an Amazon Web Service (AWS) virtual machine. Now the company raises the question: how many other Amazon Machine Instances (AMIs) in the community were infected with the same malware?
Mitiga researchers revealed the news in a post last week. “We fear this may be a phenomenon rather than an isolated event,” Mitiga's security research team said in the post.
Monero meets AMI
Businesses and other entities use Amazon Web Services to create what are called “EC2” instances of programs and services. Also known as virtual machines, EC2s are developed by third parties and are deployed as part of the Amazon Machine Instance framework, and businesses leverage these services to reduce the cost of computing power for their business operations.
AWS users can procure these services from Amazon Marketplace AMIs, which come from Amazon-verified providers, or from community AMIs, which are not verified. Mitiga discovered the offending Monero script in a community AMI for a Windows 2008 server while conducting a security audit for a financial services company.
In its analysis, Mitiga concluded that the AMI was created with the sole purpose of infecting devices with mining malware, since the script had been included in the AMI's code from day one.
The cybersecurity company is not aware of how many other entities and devices could be infected with the malware. “As for how Amazon allows this to happen, well, that's the biggest question that arises from this discovery, but it's a question that should also be asked of the AWS Comms team,” the team said.
The Amazon Web Service documentation includes the disclaimer that users choose to use community AMIs “at [their] risk” and that Amazon “cannot guarantee the integrity or security of [these] AMIs”.
Single event or widespread phenomenon?
Mitiga's main concern is that this malware may be one of many infections spreading through unverified AMIs. The fact that Amazon does not provide transparent data on AWS usage exacerbates this concern, the company claims.
Mitiga recommends that any entity running a community AMI discontinue it immediately and replace it with one from a trusted provider. At the very least, companies that rely on AWS should scrutinize the code meticulously before integrating unverified AMIs into their business logic.
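The first step in acting on that recommendation is knowing which running instances were launched from community or otherwise unvetted images. The script below is an added example written for this article, not code from Mitiga, AWS or the original post. It reads the JSON shape produced by the real CLI commands `aws ec2 describe-instances` and `aws ec2 describe-images --image-ids ...` (the two embedded documents are constructed samples, with made-up account and resource IDs), treats images owned by the `amazon` or `aws-marketplace` alias or by an operator-supplied allowlist of account IDs as trusted, and reports everything else. It also covers the case the page's warning implies but does not spell out: an instance whose AMI has since been deregistered keeps running, yet the image can no longer be inspected, so it is flagged as unknown rather than silently skipped.

```python
"""Flag EC2 instances launched from AMIs whose owner is not on an allowlist.

Added example for this article; not Mitiga's or AWS's own tooling. The two
documents below are constructed samples that mirror the JSON returned by
`aws ec2 describe-instances` and `aws ec2 describe-images --image-ids ...`.
All account, instance and image IDs are invented.
"""
import json

# Owner aliases AWS attaches to images published by Amazon or via Marketplace.
TRUSTED_ALIASES = {"amazon", "aws-marketplace"}

# Constructed sample: four running instances and the AMIs they came from.
# The fourth instance refers to an image that is no longer registered.
SAMPLE_INSTANCES = json.loads("""
{"Reservations": [{"Instances": [
  {"InstanceId": "i-0aaa000000000001", "ImageId": "ami-0aaa000000000001", "State": {"Name": "running"}},
  {"InstanceId": "i-0bbb000000000002", "ImageId": "ami-0bbb000000000002", "State": {"Name": "running"}},
  {"InstanceId": "i-0ccc000000000003", "ImageId": "ami-0ccc000000000003", "State": {"Name": "running"}},
  {"InstanceId": "i-0ddd000000000004", "ImageId": "ami-0ddd000000000004", "State": {"Name": "running"}}
]}]}
""")

# Constructed sample: the describe-images result for those AMIs. A public
# image with no ImageOwnerAlias is what the console calls a community AMI.
SAMPLE_IMAGES = json.loads("""
{"Images": [
  {"ImageId": "ami-0aaa000000000001", "OwnerId": "000000000001", "ImageOwnerAlias": "amazon", "Public": true},
  {"ImageId": "ami-0bbb000000000002", "OwnerId": "999999999999", "Public": true},
  {"ImageId": "ami-0ccc000000000003", "OwnerId": "111111111111", "Public": false}
]}
""")


def classify_image(image, trusted_account_ids):
    """Return 'vendor', 'allowlisted', 'community' or 'shared-private'."""
    if image.get("ImageOwnerAlias") in TRUSTED_ALIASES:
        return "vendor"
    if image.get("OwnerId") in trusted_account_ids:
        return "allowlisted"          # own organisation or a vetted partner
    if image.get("Public"):
        return "community"            # public image from an unverified account
    return "shared-private"           # privately shared by an account we did not vet


def find_untrusted_instances(instances_doc, images_doc, trusted_account_ids):
    """List instances whose AMI is community, unvetted-private or unknown."""
    images = {img["ImageId"]: img for img in images_doc.get("Images", [])}
    findings = []
    for reservation in instances_doc.get("Reservations", []):
        for inst in reservation.get("Instances", []):
            image = images.get(inst["ImageId"])
            if image is None:
                # Deregistered or not returned: the instance still runs, but
                # nothing about its origin can be verified any more.
                category, owner = "unknown", None
            else:
                category = classify_image(image, trusted_account_ids)
                owner = image.get("OwnerId")
            if category in ("community", "shared-private", "unknown"):
                findings.append({
                    "instance_id": inst["InstanceId"],
                    "image_id": inst["ImageId"],
                    "owner": owner,
                    "category": category,
                })
    return findings


if __name__ == "__main__":
    # "111111111111" stands in for the operator's own account ID.
    for f in find_untrusted_instances(SAMPLE_INSTANCES, SAMPLE_IMAGES, {"111111111111"}):
        print(f"{f['instance_id']}  {f['image_id']}  owner={f['owner']}  {f['category']}")
```

In practice the two documents come from the CLI, and the allowlist is the set of account IDs the organisation actually controls or has vetted; anything the script reports is a candidate for the replacement Mitiga advises, and a hit in the `unknown` category deserves the same treatment because its image can no longer be audited at all.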
Mining malware may actually be the most harmless form of infection a company can experience, Mitiga continued in the post. The worst case scenario includes an AMI that installs a backdoor on a corporate computer or ransomware that encrypts corporate files with the goal of extorting money to regain access.
If Mitiga's fears are well founded, other AMIs may have infected users' devices with Monero mining scripts that have so far gone unnoticed.