Permiso P0 Labs has identified a financially motivated threat actor of Indonesian origin who is leveraging Amazon Web Services (AWS) Elastic Compute Cloud (EC2) instances to carry out crypto mining operations. This actor, referred to as GUI-vil (pronounced Goo-ee-vil), is known for its use of Graphical User Interface (GUI) tools, specifically S3 Browser (version 9.5.5), and weaponizing AWS keys found in public source code repositories on GitHub or GitLab instances vulnerable to remote code execution flaws. After gaining access, the threat actor will conduct reconnaissance to review S3 buckets and services accessible via the AWS web console, and then create new users or access keys for existing users to blend in and remain in the victim environment. The source IP addresses associated with the activities are linked to two Autonomous System Numbers (ASNs) located in Indonesia, and the group’s primary goal is to generate profits from crypto mining. Unfortunately, the costs of running the EC2 instances often outweigh the profits made by the group.
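One way to hunt for the pattern described above in CloudTrail logs: flag IAM persistence events (CreateUser, CreateAccessKey), calls made through a desktop GUI client such as S3 Browser, and activity from IP space where an automation key is not expected. This is an added example, not code from the report or from Permiso; the sample records, user names, IP addresses and the "expected CI prefix" are constructed.

```python
"""Flag CloudTrail records matching the GUI-vil persistence pattern."""

# Constructed sample CloudTrail records (assumption: not taken from the report).
# Only the fields the checks below read are included.
SAMPLE_EVENTS = [
    {"eventName": "ListBuckets", "eventSource": "s3.amazonaws.com",
     "userIdentity": {"userName": "ci-deploy"}, "sourceIPAddress": "203.0.113.10",
     "userAgent": "S3 Browser 9.5.5"},
    {"eventName": "CreateUser", "eventSource": "iam.amazonaws.com",
     "userIdentity": {"userName": "ci-deploy"}, "sourceIPAddress": "203.0.113.10",
     "userAgent": "console.amazonaws.com",
     "requestParameters": {"userName": "backup-svc"}},
    {"eventName": "CreateAccessKey", "eventSource": "iam.amazonaws.com",
     "userIdentity": {"userName": "ci-deploy"}, "sourceIPAddress": "203.0.113.10",
     "userAgent": "console.amazonaws.com",
     "requestParameters": {"userName": "ci-deploy"}},
    {"eventName": "PutObject", "eventSource": "s3.amazonaws.com",
     "userIdentity": {"userName": "ci-deploy"}, "sourceIPAddress": "198.51.100.7",
     "userAgent": "aws-cli/2.13.0"},
]

# IAM calls the actor uses to blend in: a new user or an extra key on an existing one.
PERSISTENCE_EVENTS = {"CreateUser", "CreateAccessKey"}
# Address ranges your CI/deploy keys are normally used from (constructed assumption).
EXPECTED_CI_PREFIXES = ("198.51.100.",)


def suspicious_user_agent(event):
    """True when the caller identified itself as S3 Browser, a desktop GUI tool
    that should not appear behind an automation (CI/deploy) credential."""
    return "S3 Browser" in event.get("userAgent", "")


def analyze(events):
    """Return {calling IAM user: [reasons]} for every record worth reviewing.
    A user with no findings is omitted from the result."""
    findings = {}
    for ev in events:
        caller = ev.get("userIdentity", {}).get("userName", "unknown")
        reasons = findings.setdefault(caller, [])
        if suspicious_user_agent(ev):
            reasons.append(f"{ev['eventName']} via GUI tool '{ev['userAgent']}'")
        if ev["eventName"] in PERSISTENCE_EVENTS:
            target = ev.get("requestParameters", {}).get("userName", "?")
            reasons.append(f"{ev['eventName']} for {target}")
        if not ev["sourceIPAddress"].startswith(EXPECTED_CI_PREFIXES):
            reasons.append(f"{ev['eventName']} from unexpected IP {ev['sourceIPAddress']}")
    return {user: rs for user, rs in findings.items() if rs}
```

Run against real exports, the same three checks translate directly into CloudTrail Lake or SIEM queries on `eventName`, `userAgent` and `sourceIPAddress`; the key on which persistence actions appear is the one to rotate first.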
Source: Hackernews
To mitigate these potential threats, it is important to implement additional cybersecurity measures with the help of a trusted partner like INFRA www.infrascan.net, or you can try it yourself using check.website.