Using a compromised EC2 instance token, multiple high-powered EC2 instances are started.
Possible Root Causes
An attacker is leveraging a compromised EC2 instance and/or token to create powerful EC2 instances for use in cryptomining.
Internal infrastructure and applications are configured to create high-powered EC2 instances so that compute-intensive operations can run in support of that application.
Business Impact
High-powered EC2 instances utilized for cryptomining result in significant costs billed to the organization that owns the AWS account.
Steps to Verify
Investigate the source of the EC2 instances being started to determine if this resource should be creating new high-powered EC2 instances.
Investigate the newly created EC2 instances to determine their purpose and ensure they are not malicious.
If the review indicates possible malicious actions, perform a comprehensive investigation to determine the initial source of the EC2 compromise, remove EC2 access, and remediate compromised resources and accounts.
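One way to run the first verification step over CloudTrail records, as an added example that is not part of the original detection: it flags successful `RunInstances` calls made with EC2 instance-role credentials that request a high-powered instance type. The "high-powered" threshold, the function names and the sample events are assumptions constructed for illustration.

```python
import re

# Assumption: "high-powered" = GPU family, bare metal, or 8xlarge and larger.
GPU_FAMILIES = {"p", "g"}
MIN_MULTIPLIER = 8
# Instance-role sessions are named after the instance ID (AROA...:i-...).
INSTANCE_SESSION = re.compile(r":(i-[0-9a-f]{8,17})$")

def is_high_powered(instance_type):
    family, _, size = instance_type.partition(".")
    letters = re.match(r"[a-z]+", family)
    if size == "metal" or (letters and letters.group() in GPU_FAMILIES):
        return True
    m = re.fullmatch(r"(\d+)xlarge", size)
    return bool(m) and int(m.group(1)) >= MIN_MULTIPLIER

def find_suspect_launches(events):
    hits = []
    for ev in events:
        # Only launches that succeeded; failed calls carry an errorCode.
        if ev.get("eventName") != "RunInstances" or ev.get("errorCode"):
            continue
        ident = ev.get("userIdentity", {})
        session = INSTANCE_SESSION.search(ident.get("principalId", ""))
        req = ev.get("requestParameters") or {}
        itype = req.get("instanceType", "")
        if ident.get("type") != "AssumedRole" or not session or not is_high_powered(itype):
            continue
        items = req.get("instancesSet", {}).get("items", [])
        hits.append({
            "source_instance": session.group(1),   # instance whose token was used
            "role_arn": ident.get("arn"),
            "source_ip": ev.get("sourceIPAddress"),
            "instance_type": itype,
            "count": sum(i.get("maxCount", 0) for i in items),
        })
    return hits

def _event(identity_type, principal_id, itype, count):  # constructed sample builder
    return {"eventName": "RunInstances", "sourceIPAddress": "198.51.100.7",
            "userIdentity": {"type": identity_type, "principalId": principal_id,
                             "arn": "arn:aws:sts::111122223333:assumed-role/app-role/session"},
            "requestParameters": {"instanceType": itype,
                                  "instancesSet": {"items": [{"maxCount": count}]}}}

SAMPLE_EVENTS = [  # constructed, not real log data
    _event("AssumedRole", "AROAEXAMPLEID:i-0123456789abcdef0", "p3.16xlarge", 4),
    _event("IAMUser", "AIDAEXAMPLEID", "c5.18xlarge", 2),
    _event("AssumedRole", "AROAEXAMPLEID:i-0fedcba9876543210", "t3.micro", 1),
]
```

Each hit names the instance whose role session made the call, which is the resource to review first; a `source_ip` that does not belong to that instance suggests the token is being used from elsewhere.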