{"description":"Trending threats, MITRE ATT\u0026CK coverage, and detection metadata. Fed continuously.","feed_url":"https://feed.craftedsignal.io/tags/resource-hijacking/feed.json","home_page_url":"https://feed.craftedsignal.io/","items":[{"_cs_actors":[],"_cs_cpes":[],"_cs_cves":[],"_cs_exploited":false,"_cs_has_poc":false,"_cs_poc_references":[],"_cs_products":["Amazon ECS","AWS Fargate"],"_cs_severities":["high"],"_cs_tags":["cloud","aws","cryptomining","resource-hijacking","ecs","fargate"],"_cs_type":"advisory","_cs_vendors":["Amazon"],"content_html":"\u003cp\u003eThis threat involves threat actors exploiting compromised AWS credentials to conduct cryptomining activities within Amazon ECS and AWS Fargate environments. This attack typically unfolds when an adversary gains unauthorized access to an AWS account. They then register an Amazon ECS task definition that references a public container image (e.g., from Docker Hub, GitHub Container Registry, Quay, or AWS ECR Public) configured for maximum CPU allocation, specifically 8 or 16 vCPU, to maximize hashrate. Following the task definition registration, the same compromised principal launches ECS workloads using API calls such as \u003ccode\u003eRunTask\u003c/code\u003e, \u003ccode\u003eStartTask\u003c/code\u003e, or \u003ccode\u003eCreateService\u003c/code\u003e. This pattern, correlating both the registration of a high-compute public image and its subsequent deployment by the same identity, is a strong indicator of active cryptomining operations, distinguishing it from potentially benign standalone task registrations and significantly reducing false positives.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eAdversary compromises AWS credentials (e.g., through phishing, exposed access keys, or vulnerable applications).\u003c/li\u003e\n\u003cli\u003eUsing the compromised credentials, the adversary gains unauthorized access to the AWS environment, often targeting ECS/Fargate.\u003c/li\u003e\n\u003cli\u003eThe adversary registers a new Amazon ECS task definition by invoking the \u003ccode\u003eRegisterTaskDefinition\u003c/code\u003e API.\u003c/li\u003e\n\u003cli\u003eThe registered task definition specifies a container image hosted on a public repository (e.g., \u003ccode\u003edocker.io\u003c/code\u003e, \u003ccode\u003eghcr.io\u003c/code\u003e, \u003ccode\u003equay.io\u003c/code\u003e, or \u003ccode\u003epublic.ecr.aws\u003c/code\u003e) which contains cryptomining software.\u003c/li\u003e\n\u003cli\u003eThe task definition is configured to request a high CPU allocation (8192 units for 8 vCPU or 16384 units for 16 vCPU) to maximize cryptomining efficiency.\u003c/li\u003e\n\u003cli\u003eThe adversary subsequently launches ECS workloads, services, or tasks based on this malicious task definition using API calls such as \u003ccode\u003eRunTask\u003c/code\u003e, \u003ccode\u003eStartTask\u003c/code\u003e, or \u003ccode\u003eCreateService\u003c/code\u003e.\u003c/li\u003e\n\u003cli\u003eThe newly launched ECS tasks or services begin executing the cryptomining software, consuming significant AWS compute resources in the compromised account.\u003c/li\u003e\n\u003cli\u003eThe attacker benefits from the unauthorized use of cloud resources for cryptocurrency generation, while the victim incurs unexpected cloud costs and potential service degradation.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation results in significant financial impact for the victim organization due to unauthorized and excessive consumption of AWS compute resources. Cryptomining operations, especially those configured for high CPU usage on services like Amazon ECS and Fargate, can lead to unexpectedly high cloud bills. Beyond direct costs, the resource hijacking can degrade the performance of legitimate services running on the same AWS account or impact overall cloud resource availability. This attack pattern signifies a credential compromise, which can lead to further unauthorized activities, data exfiltration, or persistence within the cloud environment if not promptly addressed.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eMonitor AWS CloudTrail logs for \u003ccode\u003eRegisterTaskDefinition\u003c/code\u003e events where \u003ccode\u003erequest_parameters\u003c/code\u003e indicate a public container image source (e.g., \u003ccode\u003edocker.io\u003c/code\u003e, \u003ccode\u003eghcr.io\u003c/code\u003e, \u003ccode\u003equay.io\u003c/code\u003e, \u003ccode\u003epublic.ecr.aws\u003c/code\u003e) and a high CPU allocation (\u003ccode\u003e8192\u003c/code\u003e or \u003ccode\u003e16384\u003c/code\u003e).\u003c/li\u003e\n\u003cli\u003eMonitor AWS CloudTrail logs for \u003ccode\u003eRunTask\u003c/code\u003e, \u003ccode\u003eStartTask\u003c/code\u003e, or \u003ccode\u003eCreateService\u003c/code\u003e events that follow a suspicious \u003ccode\u003eRegisterTaskDefinition\u003c/code\u003e by the same principal (\u003ccode\u003eaws.cloudtrail.user_identity.arn\u003c/code\u003e).\u003c/li\u003e\n\u003cli\u003eReview the \u003ccode\u003eaws.cloudtrail.request_parameters\u003c/code\u003e in \u003ccode\u003eRegisterTaskDefinition\u003c/code\u003e events to identify the specific container image and CPU settings.\u003c/li\u003e\n\u003cli\u003eInvestigate the \u003ccode\u003eaws.cloudtrail.user_identity.arn\u003c/code\u003e and associated \u003ccode\u003esource.ip\u003c/code\u003e for any identified suspicious events to determine if the principal is legitimate or compromised.\u003c/li\u003e\n\u003cli\u003eImplement AWS IAM policies that restrict the ability to register task definitions to only use approved private ECR repositories and limit the CPU allocation for tasks where appropriate.\u003c/li\u003e\n\u003cli\u003eBlock the IOCs listed at the network perimeter or within AWS Network ACLs and Security Groups to prevent outbound connections to known cryptomining pools if observed.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2026-07-17T06:44:38Z","date_published":"2026-07-17T06:44:38Z","id":"https://feed.craftedsignal.io/briefs/2026-07-aws-ecs-cryptomining/","summary":"Adversaries, after compromising AWS credentials, deploy cryptomining operations on Amazon ECS and AWS Fargate by registering task definitions with public high-CPU container images and then launching them, leading to unauthorized resource consumption and increased cloud costs.","title":"AWS Potential Cryptomining via ECS Task Definition Deployment","url":"https://feed.craftedsignal.io/briefs/2026-07-aws-ecs-cryptomining/"}],"language":"en","title":"CraftedSignal Threat Feed - Resource-Hijacking","version":"https://jsonfeed.org/version/1.1"}