• Using a compromised EC2 instance token, multiple high-powered EC2 instances are started.

Possible Root Causes

  • An attacker is leveraging a compromised EC2 instance and/or token to create powerful EC2 instances for use in cryptomining.
  • Internal infrastructure and applications are configured to create highly powered EC2 instances to enable compute intensive operations to occur in support of that application.

Business Impact

  • High powered EC2 instances utilized for cryptomining result in significant costs billed to the organization that owns the AWS account.

Steps to Verify

  • Investigate the source of the EC2 instances being started to determine if this resource should be creating new, high-powered, EC2 instances.
  • Investigate the newly created EC2 instances to determine their purpose and ensure they are not malicious.
  • If review indicates possible malicious actions, perform a comprehensive investigation to determine initial source of EC2 compromise, remove EC2 access and remediate compromised resources and accounts.