
Cryptomining Attack

An attack where adversaries use compromised cloud resources to mine cryptocurrency, resulting in significant compute costs for the victim.

Category: Incident Response
Also called: "cryptojacking", "cryptocurrency mining attack", "illegal mining"

A cryptomining attack (also called cryptojacking) uses stolen cloud credentials or an exploited vulnerability to run cryptocurrency mining software on the victim's infrastructure, so the victim pays for the compute while the attacker keeps the mined coins.

Why attackers target cloud

  • Elastic compute resources can scale quickly.
  • Victims pay the cloud bills, not attackers.
  • Compromised credentials provide direct API access.
  • Detection may be delayed if monitoring is weak.

Common attack vectors

  • Compromised IAM credentials or access keys.
  • Exposed Docker daemons or Kubernetes APIs.
  • Vulnerable web applications with command execution.
  • Publicly exposed CI/CD systems.

Indicators of cryptomining

  • Unexpected spike in compute costs.
  • High CPU utilization on instances.
  • Instances launched in unusual regions.
  • Network connections to mining pools.
  • Processes like xmrig, minerd, or randomx.

Detection strategies

  • Set up billing alerts for unusual spending.
  • Monitor for EC2/VM launches in all regions.
  • Enable the cloud provider's threat detection service: Amazon GuardDuty, Microsoft Defender for Cloud, or Google Cloud Security Command Center (SCC).
  • Alert on connections to known mining pools.
  • Review instance types (attackers prefer GPU instances).
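The indicator and detection lists above map directly onto a small telemetry sweep. The following is an added example, not code from the glossary or from any vendor product: it runs the page's indicators (launches in unusual regions, GPU instance types, the named miner process names, high CPU, connections to mining pools, cost spikes, and new IAM principals) over constructed sample events in a simplified CloudTrail-like shape. The approved-region set, the cost baseline, the pool hostnames and the stratum ports are assumptions for the example; a real deployment would load them from configuration and a threat-intelligence feed.

```python
"""Cryptomining indicator sweep over constructed cloud telemetry (added example)."""
from __future__ import annotations

from collections import Counter
from dataclasses import dataclass

# Assumptions for this example (not from the page): the organisation's approved
# regions and its typical daily spend. Load these from config in practice.
APPROVED_REGIONS = {"us-east-1", "eu-west-1"}
BASELINE_DAILY_COST_USD = 120.0
COST_SPIKE_FACTOR = 3.0            # alert when daily cost exceeds 3x the baseline

# Indicators taken from the glossary entry.
MINER_PROCESS_NAMES = {"xmrig", "minerd", "randomx"}
HIGH_CPU_THRESHOLD = 90.0          # percent
# Attackers prefer GPU instances; AWS GPU families are named p<digit>... or g<digit>...
# (e.g. p3.2xlarge, g4dn.xlarge).
GPU_FAMILY_PREFIXES = ("p", "g")

# Constructed pool list and ports for the example only; in production this
# would come from a curated threat-intel feed rather than a hard-coded set.
KNOWN_MINING_POOLS = {"pool.example-mining.test", "xmr.example-pool.test"}
COMMON_STRATUM_PORTS = {3333, 4444, 5555, 14444}


@dataclass(frozen=True)
class Finding:
    indicator: str   # which glossary indicator fired
    subject: str     # host, instance, principal or account involved
    detail: str


def is_gpu_instance(instance_type: str) -> bool:
    """True for instance families such as p3 or g4dn; False for t3, m5, etc."""
    family = instance_type.split(".")[0]
    return len(family) >= 2 and family[0] in GPU_FAMILY_PREFIXES and family[1].isdigit()


def check_api_event(ev: dict) -> list[Finding]:
    findings: list[Finding] = []
    if ev["eventName"] == "RunInstances":
        if ev["region"] not in APPROVED_REGIONS:
            findings.append(Finding("unusual-region-launch", ev["region"],
                                    f"{ev['user']} launched {ev['instanceType']} in {ev['region']}"))
        if is_gpu_instance(ev["instanceType"]):
            findings.append(Finding("gpu-instance-launch", ev["instanceType"],
                                    f"{ev['user']} launched GPU instance type {ev['instanceType']}"))
    elif ev["eventName"] in {"CreateUser", "CreateRole", "CreateAccessKey"}:
        # New principals or keys are the persistence the response checklist says to review.
        findings.append(Finding("iam-change-review", ev.get("target", "unknown"),
                                f"{ev['user']} called {ev['eventName']}"))
    return findings


def check_process(ev: dict) -> list[Finding]:
    findings: list[Finding] = []
    if ev["name"].lower() in MINER_PROCESS_NAMES:
        findings.append(Finding("miner-process", ev["host"], f"process {ev['name']} running"))
    if ev["cpu"] >= HIGH_CPU_THRESHOLD:
        findings.append(Finding("high-cpu", ev["host"], f"{ev['name']} at {ev['cpu']:.0f}% CPU"))
    return findings


def check_netflow(ev: dict) -> list[Finding]:
    if ev["dst"] in KNOWN_MINING_POOLS or ev["dport"] in COMMON_STRATUM_PORTS:
        return [Finding("mining-pool-connection", ev["host"], f"connection to {ev['dst']}:{ev['dport']}")]
    return []


def check_billing(ev: dict) -> list[Finding]:
    if ev["daily_cost"] > COST_SPIKE_FACTOR * BASELINE_DAILY_COST_USD:
        return [Finding("cost-spike", ev["account"],
                        f"daily cost {ev['daily_cost']:.2f} USD vs baseline {BASELINE_DAILY_COST_USD:.2f}")]
    return []


HANDLERS = {"api": check_api_event, "process": check_process,
            "netflow": check_netflow, "billing": check_billing}


def sweep(events: list[dict]) -> list[Finding]:
    """Run every indicator check over a batch of telemetry events."""
    findings: list[Finding] = []
    for ev in events:
        findings.extend(HANDLERS[ev["type"]](ev))
    return findings


def indicator_counts(findings: list[Finding]) -> dict[str, int]:
    return dict(Counter(f.indicator for f in findings))


# Constructed sample telemetry: one compromised CI credential launching a GPU box
# in an unapproved region, a miner on one host, one pool connection, a cost spike,
# and benign noise that must not fire.
SAMPLE_EVENTS = [
    {"type": "api", "eventName": "RunInstances", "region": "ap-southeast-1",
     "instanceType": "p3.2xlarge", "user": "ci-deploy"},
    {"type": "api", "eventName": "RunInstances", "region": "us-east-1",
     "instanceType": "t3.micro", "user": "alice"},
    {"type": "api", "eventName": "CreateUser", "region": "us-east-1",
     "user": "ci-deploy", "target": "svc-backup2"},
    {"type": "process", "host": "i-0abc", "name": "xmrig", "cpu": 98.0},
    {"type": "process", "host": "i-0abc", "name": "nginx", "cpu": 3.0},
    {"type": "netflow", "host": "i-0abc", "dst": "pool.example-mining.test", "dport": 3333},
    {"type": "netflow", "host": "i-0def", "dst": "api.github.com", "dport": 443},
    {"type": "billing", "account": "123456789012", "daily_cost": 950.0},
]

if __name__ == "__main__":
    for f in sweep(SAMPLE_EVENTS):
        print(f"[{f.indicator}] {f.subject}: {f.detail}")
```

Each finding names the glossary indicator that fired, so the output can be routed straight to the response checklist: a `unusual-region-launch` or `gpu-instance-launch` finding points at the instances to terminate, `iam-change-review` at the principals to inspect, and `cost-spike` at the charges to raise with the provider.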

Response actions

  1. Terminate unauthorized instances immediately.
  2. Rotate compromised credentials.
  3. Check all regions for attacker resources.
  4. Review IAM for persistence (new users, roles).
  5. Contact cloud provider about fraudulent charges.