- Using a compromised EC2 instance token, multiple high-powered EC2 instances are started.
Possible Root Causes
- An attacker is leveraging a compromised EC2 instance and/or token to create powerful EC2 instances for use in cryptomining.
- Internal infrastructure and applications are configured to create highly powered EC2 instances to enable compute intensive operations to occur in support of that application.
- High powered EC2 instances utilized for cryptomining result in significant costs billed to the organization that owns the AWS account.
Steps to Verify
- Investigate the source of the EC2 instances being started to determine if this resource should be creating new, high-powered, EC2 instances.
- Investigate the newly created EC2 instances to determine their purpose and ensure they are not malicious.
- If review indicates possible malicious actions, perform a comprehensive investigation to determine initial source of EC2 compromise, remove EC2 access and remediate compromised resources and accounts.
Related MITRE ATT&CK Techniques