About
When an attacker compromises an AWS account, they can launch EC2 instances to hijack resources, mine cryptocurrency, or escalate their privileges.
Understanding Impact
Business Impact
An attacker running EC2 virtual machines in your environment represents both a financial risk (increase in your AWS bill) and a liability. Attackers frequently commit abuse and fraud from compromised infrastructure.
Technical Impact
It is common for attackers to run instances in unused regions. When instances are used for cryptocurrency mining, they typically have GPUs attached.
Detection
You can identify when an EC2 instance is launched using the CloudTrail event `RunInstances`.
In particular, look for:
- Instances being created in regions you do not use.
- Instances with unusual sizes and characteristics for your organization. For example, attackers running EC2 instances to perform cryptocurrency mining frequently use GPU-backed instances such as `p2.xlarge`.
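The two checks above, applied to CloudTrail records, as an added example that is not part of the Datadog page: the region and instance-type allow-lists are constructed assumptions (an organization would derive them from its own baseline), and the record layout follows the documented CloudTrail `RunInstances` example, where `instanceType` sits directly under `requestParameters`.

```python
# Constructed baseline: regions and instance types this organization normally uses (assumption).
KNOWN_REGIONS = {"us-east-1", "eu-west-1"}
KNOWN_INSTANCE_TYPES = {"t3.micro", "t3.medium", "m5.large"}
# Instance families that carry GPUs and are therefore attractive for cryptomining.
GPU_FAMILIES = {"p2", "p3", "p4d", "g4dn", "g5"}


def flag_run_instances(event):
    """Return the reasons a CloudTrail RunInstances event looks unusual ([] if none)."""
    if event.get("eventSource") != "ec2.amazonaws.com" or event.get("eventName") != "RunInstances":
        return []
    reasons = []
    region = event.get("awsRegion")
    if region not in KNOWN_REGIONS:
        reasons.append(f"unused region {region}")
    params = event.get("requestParameters", {})
    itype = params.get("instanceType", "")
    family = itype.split(".")[0]
    if family in GPU_FAMILIES:
        reasons.append(f"GPU-backed instance type {itype}")
    elif itype not in KNOWN_INSTANCE_TYPES:
        reasons.append(f"instance type {itype} not in baseline")
    # Launching many instances in one call is also worth surfacing.
    max_count = params.get("instancesSet", {}).get("items", [{}])[0].get("maxCount", 1)
    if max_count > 10:
        reasons.append(f"bulk launch of {max_count} instances")
    return reasons


def scan(events):
    """Return (region, reasons) for every event that triggered at least one check."""
    hits = []
    for e in events:
        reasons = flag_run_instances(e)
        if reasons:
            hits.append((e.get("awsRegion"), reasons))
    return hits


# Constructed sample records, trimmed to the fields the checks read.
SAMPLE_EVENTS = [
    {"eventSource": "ec2.amazonaws.com", "eventName": "RunInstances", "awsRegion": "us-east-1",
     "requestParameters": {"instanceType": "t3.micro",
                           "instancesSet": {"items": [{"minCount": 1, "maxCount": 1}]}}},
    {"eventSource": "ec2.amazonaws.com", "eventName": "RunInstances", "awsRegion": "ap-south-1",
     "requestParameters": {"instanceType": "p2.xlarge",
                           "instancesSet": {"items": [{"minCount": 20, "maxCount": 20}]}}},
    {"eventSource": "ec2.amazonaws.com", "eventName": "TerminateInstances", "awsRegion": "ap-south-1"},
]
```

Running `scan(SAMPLE_EVENTS)` flags only the second record, on all three counts; the baseline sets are the part to tune per environment.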
Reproduce the attack
You can easily reproduce this attack in a self-contained manner with Stratus Red Team using the following command:
stratus detonate aws.execution.ec2-launch-unusual-instances
See also the related documentation.
How Datadog can help
Cloud SIEM
Datadog Cloud SIEM detects this attack using the out-of-the-box rule "New EC2 Instance Type".
References
- Stratus Red Team - Launch Unusual EC2 instances (stratus-red-team.cloud)
- Incident where an attacker launched 200+ EC2 instances (web.archive.org)
- M-Trends 2021 (arrow.com)
- Expel Quarterly Threat Report - Q1 2022 (expel.com)