When an attacker compromises an AWS account, they can launch EC2 instances to hijack resources, mine cryptocurrency, or escalate their privileges.
An attacker running EC2 virtual machines in your environment represents both a financial risk (increase in your AWS bill) and a liability. Attackers frequently commit abuse and fraud from compromised infrastructure.
It is common for attackers to run instances in unused regions. When instances are used for cryptocurrency mining, they typically have GPUs attached.
You can identify when an EC2 instance is launched using the CloudTrail event
In particular, look for:
- Instances being created in regions you do not use.
- Instances with unusual sizes and characteristics for your organization. For example, attackers running EC2 instances to perform cryptocurrency mining frequently use GPU-backed instances such as
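As an added example (not part of the original page or of Datadog's rule), the checks above expressed as detection logic over constructed CloudTrail records: it assumes an organisational baseline of approved regions, a list of GPU-backed instance families, and a bulk-launch threshold; the event name RunInstances and the requestParameters fields are as they appear in CloudTrail.

```python
# Assumed organisational baseline for this example; adjust to your environment.
APPROVED_REGIONS = {"us-east-1", "eu-west-1"}
GPU_FAMILIES = {"p2", "p3", "p4d", "g4dn", "g5"}   # common GPU-backed families
BULK_LAUNCH_THRESHOLD = 20                         # maxCount at or above this is unusual

def instance_family(instance_type):
    """'p3.2xlarge' -> 'p3'."""
    return instance_type.split(".")[0]

def flag_launch(event):
    """Return the reasons a CloudTrail RunInstances record looks unusual ([] if none)."""
    if event.get("eventSource") != "ec2.amazonaws.com" or event.get("eventName") != "RunInstances":
        return []
    reasons = []
    region = event.get("awsRegion")
    if region not in APPROVED_REGIONS:
        reasons.append(f"launch in unused region {region}")
    params = event.get("requestParameters") or {}
    itype = params.get("instanceType")
    if itype and instance_family(itype) in GPU_FAMILIES:
        reasons.append(f"GPU-backed instance type {itype}")
    for item in (params.get("instancesSet") or {}).get("items", []):
        if item.get("maxCount", 0) >= BULK_LAUNCH_THRESHOLD:
            reasons.append(f"bulk launch of up to {item['maxCount']} instances")
    return reasons

def scan(records):
    """Map each flagged event's eventID to its list of reasons."""
    return {e["eventID"]: r for e in records if (r := flag_launch(e))}

# Constructed sample records (not real events), trimmed to the fields the checks use.
SAMPLE_RECORDS = [
    {"eventID": "evt-1", "eventSource": "ec2.amazonaws.com", "eventName": "RunInstances",
     "awsRegion": "us-east-1",
     "requestParameters": {"instanceType": "t3.medium",
                           "instancesSet": {"items": [{"minCount": 1, "maxCount": 1}]}}},
    {"eventID": "evt-2", "eventSource": "ec2.amazonaws.com", "eventName": "RunInstances",
     "awsRegion": "ap-southeast-2",
     "requestParameters": {"instanceType": "p3.8xlarge",
                           "instancesSet": {"items": [{"minCount": 50, "maxCount": 200}]}}},
    {"eventID": "evt-3", "eventSource": "ec2.amazonaws.com", "eventName": "DescribeInstances",
     "awsRegion": "ap-southeast-2", "requestParameters": {}},
]

if __name__ == "__main__":
    for event_id, reasons in scan(SAMPLE_RECORDS).items():
        print(event_id, "->", "; ".join(reasons))
```

Only evt-2 is reported: a GPU instance type, launched in bulk, in a region the baseline does not list.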
Reproduce the attack
You can easily reproduce this attack in a self-contained manner with Stratus Red Team using the following command:
stratus detonate aws.execution.ec2-launch-unusual-instances
See also the related documentation.
How Datadog can help
Datadog Cloud SIEM detects this attack using the out-of-the-box rule "New EC2 Instance Type".
Stratus Red Team - Launch Unusual EC2 instances
Incident where an attacker launched 200+ EC2 instances
Expel Quarterly Threat Report - Q1 2022