Hackers used stolen AWS credentials to secretly mine cryptocurrency, detected by AWS GuardDuty due to unusual behavior.
In November 2025, hackers used stolen AWS IAM credentials to secretly mine cryptocurrency on compromised cloud resources, deploying SBRMiner-MULTI malware on EC2 and ECS within minutes of gaining access.
To avoid detection, they first probed their access with the RunInstances DryRun flag; they then disabled instance termination for persistence, created auto-scaling ECS clusters, and set up public Lambda functions for long-term access.
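The steps above each leave a distinct CloudTrail footprint, so a defender can correlate them per access key. The following is an added example (not code from the original write-up or from AWS): it runs a small set of rules over constructed CloudTrail-style records. The record shapes are assumptions based on typical CloudTrail output (a DryRun call is recorded with errorCode `Client.DryRunOperation`; `disableApiTermination` arrives as a nested `{"value": true}`; a public Lambda permission carries `principal` `*`), and the access key IDs are placeholders.

```python
import json
from collections import defaultdict

# Constructed CloudTrail-style records (placeholder key IDs, not real logs). They mirror the
# sequence in the write-up: DryRun probe, termination protection, ECS cluster, public Lambda.
SAMPLE_EVENTS = [
    {"eventSource": "ec2.amazonaws.com", "eventName": "RunInstances",
     "errorCode": "Client.DryRunOperation",
     "userIdentity": {"accessKeyId": "AKIA_PLACEHOLDER_1"}},
    {"eventSource": "ec2.amazonaws.com", "eventName": "RunInstances",
     "userIdentity": {"accessKeyId": "AKIA_PLACEHOLDER_1"}},
    {"eventSource": "ec2.amazonaws.com", "eventName": "ModifyInstanceAttribute",
     "requestParameters": {"instanceId": "i-0123456789abcdef0",
                           "disableApiTermination": {"value": True}},
     "userIdentity": {"accessKeyId": "AKIA_PLACEHOLDER_1"}},
    {"eventSource": "ecs.amazonaws.com", "eventName": "CreateCluster",
     "requestParameters": {"clusterName": "worker-pool"},
     "userIdentity": {"accessKeyId": "AKIA_PLACEHOLDER_1"}},
    {"eventSource": "lambda.amazonaws.com", "eventName": "AddPermission20150331v2",
     "requestParameters": {"functionName": "keepalive", "principal": "*",
                           "action": "lambda:InvokeFunctionUrl"},
     "userIdentity": {"accessKeyId": "AKIA_PLACEHOLDER_1"}},
    # A benign administrator creating one cluster should not trip the correlation.
    {"eventSource": "ecs.amazonaws.com", "eventName": "CreateCluster",
     "requestParameters": {"clusterName": "prod-api"},
     "userIdentity": {"accessKeyId": "AKIA_PLACEHOLDER_2"}},
]


def _nested_true(value):
    """CloudTrail wraps some EC2 attribute values as {"value": true}; accept both shapes."""
    if isinstance(value, dict):
        return value.get("value") is True
    return value is True


def classify(event):
    """Return the list of finding names that a single CloudTrail record matches."""
    findings = []
    name = event.get("eventName", "")
    source = event.get("eventSource", "")
    params = event.get("requestParameters") or {}
    # Step 1: a DryRun probe succeeds only "on paper" and is logged with this error code.
    if name == "RunInstances" and event.get("errorCode") == "Client.DryRunOperation":
        findings.append("ec2_dryrun_probe")
    # Step 2: termination protection switched on makes cleanup harder.
    if name == "ModifyInstanceAttribute" and _nested_true(params.get("disableApiTermination")):
        findings.append("termination_protection_enabled")
    # Step 3: a new ECS cluster (auto-scaling details live in other calls; this is the anchor).
    if name == "CreateCluster" and source == "ecs.amazonaws.com":
        findings.append("ecs_cluster_created")
    # Step 4: invoke permission granted to everyone, or a function URL with no auth.
    if source == "lambda.amazonaws.com" and name.startswith("AddPermission") \
            and params.get("principal") == "*":
        findings.append("lambda_public_invoke_permission")
    if name == "CreateFunctionUrlConfig" and params.get("authType") == "NONE":
        findings.append("lambda_public_url")
    return findings


def triage(events, min_distinct=3):
    """Group findings by access key; report keys that hit at least min_distinct categories.

    Any one finding can be legitimate; the same key doing several within one log window
    is the pattern worth paging on.
    """
    by_key = defaultdict(set)
    for ev in events:
        key = (ev.get("userIdentity") or {}).get("accessKeyId", "unknown")
        for finding in classify(ev):
            by_key[key].add(finding)
    return {k: sorted(v) for k, v in by_key.items() if len(v) >= min_distinct}


def load_records(text):
    """Accept either a CloudTrail file ({"Records": [...]}) or one JSON object per line."""
    text = text.strip()
    if text.startswith("{") and '"Records"' in text:
        return json.loads(text)["Records"]
    return [json.loads(line) for line in text.splitlines() if line.strip()]


if __name__ == "__main__":
    for key, hits in triage(SAMPLE_EVENTS).items():
        print(f"{key}: {', '.join(hits)}")
```

The threshold is deliberately on distinct categories rather than raw event counts, so a busy but honest deploy pipeline that creates ten clusters still scores one, while a key that probes, pins an instance and opens a Lambda to the world scores three.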
AWS GuardDuty detected the activity via behavioral anomalies, prompting alerts to affected customers.
The breach, linked to poor credential management such as long-lived access keys and missing MFA, underscores the risks of weak cloud security practices.
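Both weaknesses named here, stale access keys and console users without MFA, are visible in the IAM credential report. The following is an added example, not code from the original write-up or from AWS: it audits a constructed report in the report's CSV column layout (the column names match the real report; the account number, user names and timestamps are made up) and returns the findings in row order.

```python
import csv
import io
from datetime import datetime, timezone

# Constructed sample in the column layout of an IAM credential report. Account ID, users and
# dates are invented; the report uses "N/A", "no_information" and "not_supported" as blanks.
SAMPLE_REPORT = """user,arn,user_creation_time,password_enabled,password_last_used,password_last_changed,password_next_rotation,mfa_active,access_key_1_active,access_key_1_last_rotated,access_key_1_last_used_date,access_key_1_last_used_region,access_key_1_last_used_service,access_key_2_active,access_key_2_last_rotated,access_key_2_last_used_date,access_key_2_last_used_region,access_key_2_last_used_service
<root_account>,arn:aws:iam::111122223333:root,2023-01-01T00:00:00+00:00,true,2025-10-01T08:00:00+00:00,not_supported,not_supported,true,false,N/A,N/A,N/A,N/A,false,N/A,N/A,N/A,N/A
ci-deploy,arn:aws:iam::111122223333:user/ci-deploy,2024-02-10T00:00:00+00:00,false,N/A,N/A,N/A,false,true,2024-02-10T00:00:00+00:00,2025-11-03T12:00:00+00:00,us-east-1,ec2,false,N/A,N/A,N/A,N/A
alice,arn:aws:iam::111122223333:user/alice,2025-09-01T00:00:00+00:00,true,2025-11-01T09:00:00+00:00,2025-09-01T00:00:00+00:00,N/A,false,true,2025-10-20T00:00:00+00:00,2025-11-02T10:00:00+00:00,us-east-1,iam,false,N/A,N/A,N/A,N/A
bob,arn:aws:iam::111122223333:user/bob,2025-09-01T00:00:00+00:00,true,2025-11-01T09:00:00+00:00,2025-09-01T00:00:00+00:00,N/A,true,false,N/A,N/A,N/A,N/A,false,N/A,N/A,N/A,N/A
"""

BLANKS = {"N/A", "no_information", "not_supported", ""}


def _parse_ts(value):
    """Report timestamps are ISO-8601 with an explicit offset; blanks become None."""
    if value in BLANKS:
        return None
    return datetime.fromisoformat(value)


def audit(report_csv, now, max_key_age_days=90):
    """Return (user, issue) pairs for console users lacking MFA and active keys past rotation age.

    `now` must be timezone-aware so key age is computed against the report's UTC offsets.
    """
    issues = []
    for row in csv.DictReader(io.StringIO(report_csv)):
        user = row["user"]
        # A console password with no MFA device is exactly the gap the write-up calls out.
        if row["password_enabled"] == "true" and row["mfa_active"] != "true":
            issues.append((user, "console_password_without_mfa"))
        # Each user has two key slots; only active keys matter, and age is measured from
        # the last rotation (which is the creation time if the key was never rotated).
        for slot in ("1", "2"):
            if row[f"access_key_{slot}_active"] != "true":
                continue
            rotated = _parse_ts(row[f"access_key_{slot}_last_rotated"])
            if rotated is None:
                continue
            if (now - rotated).days > max_key_age_days:
                issues.append((user, f"access_key_{slot}_stale"))
    return issues


if __name__ == "__main__":
    # Constructed reference time for the sample report.
    for user, issue in audit(SAMPLE_REPORT, datetime(2025, 11, 15, tzinfo=timezone.utc)):
        print(f"{user}: {issue}")
```

Run against a real report (fetched with `aws iam get-credential-report` and base64-decoded), the same function gives the list of principals to rotate or enroll before an attacker finds them first.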