{"id":49026,"date":"2022-10-26T00:00:00","date_gmt":"2022-10-26T00:00:00","guid":{"rendered":"urn:uuid:f0621366-aa4c-76c3-a94e-dba029f145d8"},"modified":"2022-10-26T00:00:00","modified_gmt":"2022-10-26T00:00:00","slug":"threat-actors-target-aws-ec2-workloads-to-steal-credentials","status":"publish","type":"post","link":"https:\/\/www.threatshub.org\/blog\/threat-actors-target-aws-ec2-workloads-to-steal-credentials\/","title":{"rendered":"Threat Actors Target AWS EC2 Workloads to Steal Credentials"},"content":{"rendered":"<p><img decoding=\"async\" src=\"https:\/\/www.trendmicro.com\/content\/dam\/trendmicro\/global\/en\/research\/thumbnails\/22\/cover-threat-actors-target-aws-ec2-workloads-to-steal-credentials.jpg\"><!-- OneTrust Cookies Consent Notice start for trendmicro.com --><!-- OneTrust Cookies Consent Notice end for trendmicro.com --> <head> <meta charset=\"UTF-8\"> <meta name=\"viewport\" content=\"width=device-width\"> <meta name=\"description\" content=\"We found malicious samples attempting to steal Amazon Elastic Compute Cloud (EC2) Workloads' access keys and tokens via typosquatting and the abuse of legitimate tools. 
\"> <meta name=\"robots\" content=\"index,follow\"> <meta name=\"keywords\" content=\"cloud,cyber crime,exploits &amp; vulnerabilities,privacy &amp; risks,cyber threats,compliance &amp; risks,articles, news, reports\"> <meta http-equiv=\"X-UA-Compatible\" content=\"IE=edge,chrome=1\"> <meta name=\"template\" content=\"article1withouthero\"> <meta property=\"article:published_time\" content=\"2022-10-26\"> <meta property=\"article:tag\" content=\"cloud\"> <meta property=\"article:section\"> <link rel=\"icon\" type=\"image\/ico\" href=\"\/content\/dam\/trendmicro\/favicon.ico\"> <link rel=\"canonical\" href=\"https:\/\/www.trendmicro.com\/en_us\/research\/22\/j\/threat-actors-target-aws-ec2-workloads-to-steal-credentials.html\"> <title>Threat Actors Target AWS EC2 Workloads to Steal Credentials<\/title> <link href=\"https:\/\/fonts.googleapis.com\/css?family=Open+Sans:300,300i,400,400i,600\" rel=\"stylesheet\">\n<link href=\"\/\/customer.cludo.com\/css\/296\/1798\/cludo-search.min.css\" type=\"text\/css\" rel=\"stylesheet\"> <link rel=\"stylesheet\" href=\"\/etc.clientlibs\/trendresearch\/clientlibs\/clientlib-trendresearch.min.css\" type=\"text\/css\"> <meta property=\"og:url\" content=\"https:\/\/www.trendmicro.com\/en_us\/research\/22\/j\/threat-actors-target-aws-ec2-workloads-to-steal-credentials.html\"><br \/>\n<meta property=\"og:title\" content=\"Threat Actors Target AWS EC2 Workloads to Steal Credentials\"><br \/>\n<meta property=\"og:description\" content=\"We found malicious samples attempting to steal Amazon Elastic Compute Cloud (EC2) Workloads' access keys and tokens via typosquatting and the abuse of legitimate tools. 
\"><br \/>\n<meta property=\"og:site_name\" content=\"Trend Micro\"><br \/>\n<meta property=\"og:image\" content=\"https:\/\/www.trendmicro.com\/content\/dam\/trendmicro\/global\/en\/research\/thumbnails\/22\/cover-threat-actors-target-aws-ec2-workloads-to-steal-credentials.jpg\"><br \/>\n<meta property=\"og:locale\" content=\"en_US\"> <meta name=\"twitter:card\" content=\"summary_large_image\"><br \/>\n<meta name=\"twitter:site\" content=\"@TrendMicro\"><br \/>\n<meta name=\"twitter:title\" content=\"Threat Actors Target AWS EC2 Workloads to Steal Credentials\"><br \/>\n<meta name=\"twitter:description\" content=\"We found malicious samples attempting to steal Amazon Elastic Compute Cloud (EC2) Workloads' access keys and tokens via typosquatting and the abuse of legitimate tools. \"><br \/>\n<meta name=\"twitter:image\" content=\"https:\/\/www.trendmicro.com\/content\/dam\/trendmicro\/global\/en\/research\/thumbnails\/22\/cover-threat-actors-target-aws-ec2-workloads-to-steal-credentials.jpg\"> <\/head> <body class=\"articlepage page basicpage context-business\" id=\"readabilityBody\" readability=\"50.290079716563\"> <!-- Page Scroll: Back to Top --> <a id=\"page-scroll\" title=\"VerticalPageScroll\" href=\"javascript:jumpScroll($(this).scrollTop());\"> <span class=\"icon-chevron-up\"><\/span> <\/a> <!-- \/* Data Layer *\/ --> <\/p>\n<div class=\"root responsivegrid\">\n<div class=\"aem-Grid aem-Grid--12 aem-Grid--default--12 \">\n<div class=\"articleBodyNoHero aem-GridColumn aem-GridColumn--default--12\">\n<div class=\"research-layout article container\" role=\"contentinfo\">\n<article class=\"research-layout--wrapper row\" data-article-pageid=\"1793364638\">\n<div class=\"col-xs-12 col-md-12 one-column\">\n<div class=\"col-xs-12 col-md-12\" readability=\"7.7714285714286\">\n<div class=\"article-details\" role=\"heading\" readability=\"34.971428571429\"> <span class=\"article-details__bar\" role=\"img\"><\/span> <\/p>\n<p 
class=\"article-details__display-tag\">Cloud<\/p>\n<p class=\"article-details__description\">We found malicious samples attempting to steal Amazon Elastic Compute Cloud (EC2) Workloads&#8217; access keys and tokens via typosquatting and the abuse of legitimate tools. <\/p>\n<p class=\"article-details__author-by\">By: Nitesh Surana <time class=\"article-details__date\">October 26, 2022<\/time> <span>Read time:&nbsp;<\/span><span class=\"eta\"><\/span> (<span class=\"words\"><\/span> words) <\/p>\n<\/p><\/div>\n<\/p><\/div>\n<\/p><\/div>\n<hr class=\"research-layout-divider\"> <main class=\"main--content col-xs-12 col-md-8 col-md-push-2\"> <\/p>\n<div class=\"richText\" readability=\"38.875439831105\">\n<div readability=\"24.957072484166\">\n<p>Recently, we came across an exploitation attempt leveraging monitoring and visualization tool <a href=\"https:\/\/www.weave.works\/docs\/scope\/latest\/installing\/\">Weave Scope<\/a> to enumerate the Amazon Web Services (AWS) instance metadata service (<a href=\"https:\/\/docs.aws.amazon.com\/AWSEC2\/latest\/UserGuide\/ec2-instance-metadata.html\">IMDS<\/a>) from Elastic Compute Cloud (EC2) instances through environment variables and the IMDS endpoint. The abuse of this tool can allow the exfiltration of access keys and tokens to a domain possibly owned by the attacker and uses a dated technique called <a href=\"https:\/\/www.trendmicro.com\/vinfo\/us\/security\/news\/cybercrime-and-digital-threats\/typosquatting-tactic-tricks-mac-users-into-downloading-potentially-unwanted-application\">typosquatting<\/a> on AWS-owned domain <i>amazonaws.com<\/i>. This is followed by the use of masscan and zgrab to find Weave Scope user interface (UI) instances and the exfiltration of IP addresses and ports found. 
We advise users to strengthen, reinforce, and customize their respective <a href=\"https:\/\/www.trendmicro.com\/vinfo\/us\/security\/news\/virtualization-and-cloud\/cloud-security-key-concepts-threats-and-solutions\">cloud security<\/a> policies, developer-centric tools, and measures to mitigate the impact of compromise from threats and attacks.<\/p>\n<p><span class=\"main-subtitle-black\">Execution flow<\/span><\/p>\n<p>We previously <a href=\"https:\/\/www.trendmicro.com\/en_us\/research\/21\/l\/more-tools-in-the-arsenal-how-teamtnt-used-compromised-docker-hu.html\">reported<\/a> on the abuse of legitimate tools, specifically abusing Weave Scope, for nefarious purposes. In this attempt on our honeypot, we observed that the attackers gained entry via an exposed Docker REST API server, which is known to be leveraged by threat actors like <a href=\"https:\/\/www.trendmicro.com\/en_us\/research\/22\/i\/security-breaks-teamtnts-dockerhub-credentials-leak.html\">TeamTNT<\/a>. In this sample, the attackers created a container and mounted the underlying host\u2019s root directory to the path &lt;<i>\/host&gt;<\/i> within the container. Afterward, a script named <i>init.sh<\/i> was executed when the container was created even without any other command being supplied for execution.<\/p>\n<\/p><\/div>\n<\/p><\/div>\n<div class=\"image\">\n<figure class=\"image-figure\"> <img decoding=\"async\" src=\"https:\/\/www.trendmicro.com\/content\/dam\/trendmicro\/global\/en\/research\/22\/j\/threat-actors-target-aws-ec2-workloads-to-steal-credentials\/fig1-threat-actors-target-aws-ec2-workloads-via-typosquatting-to-steal-credentials.png\" alt=\"fig1-threat-actors-target-aws-ec2-for-credentials-typosquatting\"><figcaption>Figure 1. 
The environment variables are set for the child processes emanating from the executed init.sh script.<\/figcaption><\/figure>\n<\/p><\/div>\n<div>\n<div class=\"richText\" readability=\"47\">\n<div readability=\"39\">\n<p>The <i>HOME<\/i> environment variable is set to <i>\/root<\/i> so that child processes spawned by this script treat <i>\/root<\/i> as their home directory. The command history is not logged, and later the environment variable itself is deleted. The <i>PATH<\/i> variable also contains the path &lt;<i>\/root\/.local\/bin<\/i>&gt;. Locale-related variables are also set so that the language stays uniform throughout the execution of the script.<\/p>\n<p>Afterward, the tools that the attacker\u2019s script needs in order to run are installed with Alpine Package Keeper (apk): <i>wget, curl, jq, masscan, libpcap-dev, <\/i>and <i>docker<\/i> are added to the Alpine-based container image. The following two variables are declared:<\/p>\n<p>1. SCOPE_SH, a Base64-encoded string that installs Weave Scope<\/p>\n<p>2. WS_TOKEN, a secret access token that can be used to include hosts in fleets<\/p>\n<p><span class=\"main-subtitle-black\">Script functions<\/span><\/p>\n<p>In analyzing the script, we observed and broke down four functions designed for various implementations in the attack: main, wssetup, checkkey, and getrange.<\/p>\n<p><span class=\"body-subhead-title\">main<\/span><\/p>\n<p>The main function calls the other three functions in sequence. Initially, the Docker daemon (<i>dockerd<\/i>) is started under <i>nohup<\/i> so that the process keeps running even after the shell exits.
The streams STDOUT and STDERR are redirected to <i>\/dev\/null<\/i> so that no output is shown on the screen upon execution.<\/p>\n<\/p><\/div>\n<\/p><\/div>\n<div class=\"image\">\n<figure class=\"image-figure\"> <img decoding=\"async\" src=\"https:\/\/www.trendmicro.com\/content\/dam\/trendmicro\/global\/en\/research\/22\/j\/threat-actors-target-aws-ec2-workloads-to-steal-credentials\/fig2-threat-actors-target-aws-ec2-workloads-via-typosquatting-to-steal-credentials.png\" alt=\"fig2-threat-actors-target-aws-ec2-for-credentials-typosquatting\"><figcaption>Figure 2. Function main <\/figcaption><\/figure>\n<\/p><\/div>\n<div class=\"richText\" readability=\"34.354838709677\">\n<div readability=\"14.723502304147\">\n<p><span class=\"body-subhead-title\">wssetup<\/span><\/p>\n<p>This function decodes the content of the variable SCOPE_SH using the <i>base64<\/i> utility. wssetup also silently executes the command line <i>scope launch --service-token=$WS_TOKEN<\/i> to make the host a part of the attacker\u2019s Weave Scope fleet.<\/p>\n<p>Earlier, we <a href=\"https:\/\/www.trendmicro.com\/en_gb\/research\/21\/l\/more-tools-in-the-arsenal-how-teamtnt-used-compromised-docker-hu.html#:~:text=A%20variable%20%E2%80%98SCOPE_TOKEN%E2%80%99%20is%20populated%20from%20a%20controlled%20endpoint%2C%20which%20contains%20the%20Weave%20Scope%20service%20token.%20%E2%80%98SCOPESHFILE%E2%80%99%20contains%20the%20Weave%20Scope%20script%2C%20which%20is%20encoded%20in%20base64.\">observed<\/a> the exploitation of the Docker REST API wherein the scope token is fetched from the attacker\u2019s infrastructure.
In this case, however, the token itself is hard-coded in the script.<\/p>\n<\/p><\/div>\n<\/p><\/div>\n<div class=\"image\">\n<figure class=\"image-figure\"> <img decoding=\"async\" src=\"https:\/\/www.trendmicro.com\/content\/dam\/trendmicro\/global\/en\/research\/22\/j\/threat-actors-target-aws-ec2-workloads-to-steal-credentials\/fig3-threat-actors-target-aws-ec2-workloads-via-typosquatting-to-steal-credentials.png\" alt=\"fig3-threat-actors-target-aws-ec2-for-credentials-typosquatting\"><figcaption>Figure 3. Function wssetup<\/figcaption><\/figure>\n<\/p><\/div>\n<div class=\"richText\" readability=\"32.5\">\n<div readability=\"10\">\n<p><span class=\"body-subhead-title\">checkkey<\/span><\/p>\n<p>This function checks for the file \u201c<i>\/host\/root\/.aws\/credentials<\/i>\u201d. It is interesting to note that the path <i>\/host<\/i> in the container maps back to the root directory \u201c\/\u201d on the host. If the file exists, then it is sent via a <i>curl<\/i> request to the attacker\u2019s endpoint.<\/p>\n<\/p><\/div>\n<\/p><\/div>\n<div class=\"image\">\n<figure class=\"image-figure\"> <img decoding=\"async\" src=\"https:\/\/www.trendmicro.com\/content\/dam\/trendmicro\/global\/en\/research\/22\/j\/threat-actors-target-aws-ec2-workloads-to-steal-credentials\/fig4-threat-actors-target-aws-ec2-workloads-via-typosquatting-to-steal-credentials.png\" alt=\"fig4-threat-actors-target-aws-ec2-for-credentials-typosquatting\"><figcaption>Figure 4. Function checkkey<\/figcaption><\/figure>\n<\/p><\/div>\n<div class=\"richText\" readability=\"39.714439655172\">\n<div readability=\"25.495689655172\">\n<p>If the function does not find credentials in local file systems and remote file shares (Mitre ID <a href=\"https:\/\/attack.mitre.org\/techniques\/T1552\/001\/\">T1552.001<\/a> Unsecured Credentials: Credentials In Files), the IMDS endpoints are queried using <i>curl<\/i> or <i>wget <\/i>whether they are available or not. 
The output is processed through a series of <i>grep<\/i> and <i>sed<\/i> operations, and the results are accumulated in the hidden files \u201c<i>.iam<\/i>\u201d and \u201c<i>.ec2<\/i>\u201d (Mitre ID <a href=\"https:\/\/attack.mitre.org\/techniques\/T1564\/001\/\">T1564.001<\/a> Hide Artifacts: Hidden Files and Directories).<\/p>\n<p>Once the credentials have been gathered, they are combined into one hidden file named \u201c<i>.aws<\/i>\u201d, separated by two new lines, while the original files are removed. Later, the environment variables of each process are searched for the strings \u201cAWS\u201d or \u201cEC2\u201d, and the matches are appended to the file \u201c<i>.aws<\/i>\u201d with two new lines added.<\/p>\n<p>Once the file at &lt;<i>$HOME\/\u2026aws<\/i>&gt; is ready with all the credentials collected, the file is exfiltrated to the domain \u201camazon2aws.com\u201d via <i>curl<\/i> and then removed.<\/p>\n<\/p><\/div>\n<\/p><\/div>\n<div class=\"image\">\n<figure class=\"image-figure\"> <img decoding=\"async\" src=\"https:\/\/www.trendmicro.com\/content\/dam\/trendmicro\/global\/en\/research\/22\/j\/threat-actors-target-aws-ec2-workloads-to-steal-credentials\/fig5-threat-actors-target-aws-ec2-workloads-via-typosquatting-to-steal-credentials.png\" alt=\"fig5-threat-actors-target-aws-ec2-for-credentials-typosquatting\"><figcaption>Figure 5. Searching for mentions of AWS or EC2 in the environment variables of each process<\/figcaption><\/figure>\n<\/p><\/div>\n<div class=\"image\">\n<figure class=\"image-figure\"> <img decoding=\"async\" src=\"https:\/\/www.trendmicro.com\/content\/dam\/trendmicro\/global\/en\/research\/22\/j\/threat-actors-target-aws-ec2-workloads-to-steal-credentials\/fig6-threat-actors-target-aws-ec2-workloads-via-typosquatting-to-steal-credentials.png\" alt=\"fig6-threat-actors-target-aws-ec2-for-credentials-typosquatting\"><figcaption>Figure 6.
Exfiltrating collected credentials<\/figcaption><\/figure>\n<\/p><\/div>\n<div class=\"richText\" readability=\"34.5\">\n<div readability=\"14\">\n<p><span class=\"body-subhead-title\">getrange and rangescan<\/span><\/p>\n<p>The <i>getrange<\/i> function takes an argument, <i>RANGE<\/i>, which is later passed on to another function called <i>rangescan<\/i>. This second function uses zgrab to scan the IP addresses in <i>RANGE<\/i> for accessible Weave Scope UI on ports 80, 443, and 4040, the default ports used by Weave Scope UI.<\/p>\n<\/p><\/div>\n<\/p><\/div>\n<div class=\"image\">\n<figure class=\"image-figure\"> <img decoding=\"async\" src=\"https:\/\/www.trendmicro.com\/content\/dam\/trendmicro\/global\/en\/research\/22\/j\/threat-actors-target-aws-ec2-workloads-to-steal-credentials\/fig7-threat-actors-target-aws-ec2-workloads-via-typosquatting-to-steal-credentials.png\" alt=\"fig7-threat-actors-target-aws-ec2-for-credentials-typosquatting\"><figcaption>Figure 7. Functions getrange and rangescan<\/figcaption><\/figure>\n<\/p><\/div>\n<div class=\"richText\" readability=\"38.062780269058\">\n<div readability=\"23.789237668161\">\n<p>Our observations showed that no value is supplied to <i>getrange<\/i>. Rather, it fetches the IP addresses from <i>ipranges.txt<\/i>, which contains the Classless Inter-Domain Routing (CIDR) ranges that are to be scanned for Weave Scope UI instances. Network enumeration tools like <i>masscan<\/i> and <i>zgrab<\/i> are used to find the IP addresses and UI instances.
When accessible instances of Weave Scope UI are found, the corresponding IP address and port are exfiltrated using <i>curl<\/i> to the attacker-controlled server <i>amazon2aws.com<\/i>.<\/p>\n<p><span class=\"main-subtitle-black\">Domain transferred<\/span><\/p>\n<p>Analyzing the attacker-controlled server, we came across a <a href=\"https:\/\/www.adrforum.com\/DomainDecisions\/1996670.htm\">complaint<\/a> raised by Amazon Technologies, Inc., a research and development subsidiary of Amazon.com, Inc., against the registrant Nice IT Services Group Inc.\/Customer Domain Admin, the former owner of the malicious typosquat domain. The <a href=\"https:\/\/www.wipo.int\/amc\/en\/domains\/gtld\/\">Uniform Domain Name Dispute Resolution Policy<\/a> (UDRP) is a legal framework for the resolution of domain name disputes among registrants. Reviewing the \u201cFindings\u201d section of the administrative panel\u2019s decision, we noted that the domain was later transferred to Amazon Technologies, Inc. in June 2022:<\/p>\n<\/p><\/div>\n<\/p><\/div>\n<div class=\"image\">\n<figure class=\"image-figure\"> <img decoding=\"async\" src=\"https:\/\/www.trendmicro.com\/content\/dam\/trendmicro\/global\/en\/research\/22\/j\/threat-actors-target-aws-ec2-workloads-to-steal-credentials\/fig8-threat-actors-target-aws-ec2-workloads-via-typosquatting-to-steal-credentials.png\" alt=\"fig8-threat-actors-target-aws-ec2-for-credentials-typosquatting\"><figcaption>Figure 8.
A decision in the Findings section <\/figcaption><\/figure>\n<\/p><\/div>\n<div class=\"richText\" readability=\"32.5\">\n<div readability=\"10\">\n<p>Checking with VirusTotal for the IP addresses used to resolve the domain complaint, we observed that the documented history of amazon2aws[.]com and teamtnt[.]red may be related to the threat actor group TeamTNT.<\/p>\n<\/p><\/div>\n<\/p><\/div>\n<div class=\"image\">\n<figure class=\"image-figure\"> <img decoding=\"async\" src=\"https:\/\/www.trendmicro.com\/content\/dam\/trendmicro\/global\/en\/research\/22\/j\/threat-actors-target-aws-ec2-workloads-to-steal-credentials\/fig9-threat-actors-target-aws-ec2-workloads-via-typosquatting-to-steal-credentials.png\" alt=\"fig9-threat-actors-target-aws-ec2-for-credentials-typosquatting\"><figcaption>Figure 9. Common IP address that both domains resolved to<\/figcaption><\/figure>\n<\/p><\/div>\n<div class=\"richText\" readability=\"33.3046875\">\n<div readability=\"14.2734375\">\n<p><span class=\"main-subtitle-black\">Conclusion<\/span><\/p>\n<p>Even though the exposure of Docker REST API has been reduced according to Shodan scan results, it\u2019s important to know that the aforementioned techniques and procedures can be combined with other known or unknown vulnerabilities in the targeted systems. Attackers are consistently working on their arsenal, testing and building different tools, often abusing legitimate tools and platforms. In December 2021, we <a href=\"https:\/\/www.trendmicro.com\/en_us\/devops\/21\/l\/how-to-detect-apache-http-server-exploitation.html\">published<\/a> an entry about vulnerability <a href=\"https:\/\/cve.mitre.org\/cgi-bin\/cvename.cgi?name=CVE-2021-40438\">CVE-2021-40438<\/a> &nbsp;in Apache HTTP Server, which allowed for Server Side Request Forgery (SSRF) when exploited. 
We have also observed <a href=\"https:\/\/www.trendmicro.com\/en_us\/devops\/21\/l\/how-to-detect-apache-http-server-exploitation.html#:~:text=the%20vulnerable%20hosts.-,CVE%2D2021%2D40438,-%3A%0AThis%20CVE\">attempts<\/a> where the AWS IMDS was being queried.<\/p>\n<\/p><\/div>\n<\/p><\/div>\n<div class=\"image\">\n<figure class=\"image-figure\"> <img decoding=\"async\" src=\"https:\/\/www.trendmicro.com\/content\/dam\/trendmicro\/global\/en\/research\/22\/j\/threat-actors-target-aws-ec2-workloads-to-steal-credentials\/fig10-threat-actors-target-aws-ec2-workloads-via-typosquatting-to-steal-credentials.png\" alt=\"fig10-threat-actors-target-aws-ec2-for-credentials-typosquatting\"><figcaption>Figure 10. Shodan scan results on exposed Docker REST API<\/figcaption><\/figure>\n<\/p><\/div>\n<div class=\"richText\" readability=\"45.190943396226\">\n<div readability=\"35.755471698113\">\n<p>As companies adopt cloud platforms, attackers also build their tools for exploiting these cloud services and infrastructure. As defenders, we need to be aware of what attackers are targeting after gaining entry, as well as which methods are needed to disable, disarm, and contain the threats. We <a href=\"https:\/\/www.trendmicro.com\/en_us\/research\/22\/h\/analyzing-hidden-danger-of-environment-variables-for-keeping-secrets.html\">published<\/a> our research on the possible threat scenarios and mitigation steps since developers use environment variables to store secrets and credentials.<\/p>\n<p><span class=\"main-subtitle-black\">Trend Micro solutions<\/span><\/p>\n<p>Trend Micro Cloud One\u2122 \u2013 Workload Security equips defenders and analysts with the ability to protect systems against vulnerabilities, exploits, and malware, offering protection from on-premise to cloud workloads. 
Virtual patching can protect critical systems even before the official patches become available.<\/p>\n<p>Trend Micro\u2122 Vision One\u2122 provides a clear view of the most important events as alerts in a concise manner because the race is about quick responses. Using XDR capabilities with telemetries from your multicloud environments or on-premises workloads, security teams gain a vivid understanding of what to prioritize.<\/p>\n<p><span class=\"main-subtitle-black\">Indicators of Compromise (IOCs)<\/span><\/p>\n<p>amazon2aws[.]com: Phishing page<\/p>\n<p>ae01fb6c4ab1cf3c12b53ae927e9a4e0b0bc63fe73e4313be223c9f49bdd03fe: Trojan.SH.DLOADR.BJ<\/p>\n<\/p><\/div>\n<\/p><\/div>\n<\/p><\/div>\n<p> <\/main> <\/article>\n<\/div>\n<\/div><\/div>\n<\/div>\n<p> <\/body> Read More <a href=\"https:\/\/www.trendmicro.com\/en_us\/research\/22\/j\/threat-actors-target-aws-ec2-workloads-to-steal-credentials.html\">HERE<\/a><\/p>\n","protected":false},"excerpt":{"rendered":"<p>We found malicious samples attempting to steal Amazon Elastic Compute Cloud (EC2) Workloads&#8217; access keys and tokens via typosquatting and the abuse of legitimate tools.
Read More HERE&#8230;<\/p>\n","protected":false},"author":2,"featured_media":49027,"comment_status":"closed","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"colormag_page_layout":"default_layout","footnotes":""},"categories":[61],"tags":[9510,9520,9538,9521,9511,9555,9536],"class_list":["post-49026","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-trendmicro","tag-trend-micro-research-articles-news-reports","tag-trend-micro-research-cloud","tag-trend-micro-research-compliancerisks","tag-trend-micro-research-cyber-crime","tag-trend-micro-research-cyber-threats","tag-trend-micro-research-exploitsvulnerabilities","tag-trend-micro-research-privacyrisks"],"yoast_head":"<!-- This site is optimized with the Yoast SEO plugin v27.4 - https:\/\/yoast.com\/product\/yoast-seo-wordpress\/ -->\n<title>Threat Actors Target AWS EC2 Workloads to Steal Credentials 2026 | ThreatsHub Cybersecurity News<\/title>\n<meta name=\"description\" content=\"ThreatsHub Cybersecurity News | ThreatsHub.org | Cloud Security &amp; Cyber Threats Analysis Hub. 100% Free OSINT Threat Intelligent and Cybersecurity News.\" \/>\n<meta name=\"robots\" content=\"index, follow, max-snippet:-1, max-image-preview:large, max-video-preview:-1\" \/>\n<link rel=\"canonical\" href=\"https:\/\/www.threatshub.org\/blog\/threat-actors-target-aws-ec2-workloads-to-steal-credentials\/\" \/>\n<meta property=\"og:locale\" content=\"en_US\" \/>\n<meta property=\"og:type\" content=\"article\" \/>\n<meta property=\"og:title\" content=\"Threat Actors Target AWS EC2 Workloads to Steal Credentials 2026 | ThreatsHub Cybersecurity News\" \/>\n<meta property=\"og:description\" content=\"ThreatsHub Cybersecurity News | ThreatsHub.org | Cloud Security &amp; Cyber Threats Analysis Hub. 
100% Free OSINT Threat Intelligent and Cybersecurity News.\" \/>\n<meta property=\"og:url\" content=\"https:\/\/www.threatshub.org\/blog\/threat-actors-target-aws-ec2-workloads-to-steal-credentials\/\" \/>\n<meta property=\"og:site_name\" content=\"ThreatsHub Cybersecurity News\" \/>\n<meta property=\"article:published_time\" content=\"2022-10-26T00:00:00+00:00\" \/>\n<meta property=\"og:image\" content=\"https:\/\/www.trendmicro.com\/content\/dam\/trendmicro\/global\/en\/research\/thumbnails\/22\/cover-threat-actors-target-aws-ec2-workloads-to-steal-credentials.jpg\" \/>\n<meta name=\"author\" content=\"TH Author\" \/>\n<meta name=\"twitter:card\" content=\"summary_large_image\" \/>\n<meta name=\"twitter:creator\" content=\"@threatshub\" \/>\n<meta name=\"twitter:site\" content=\"@threatshub\" \/>\n<meta name=\"twitter:label1\" content=\"Written by\" \/>\n\t<meta name=\"twitter:data1\" content=\"TH Author\" \/>\n\t<meta name=\"twitter:label2\" content=\"Est. reading time\" \/>\n\t<meta name=\"twitter:data2\" content=\"7 minutes\" \/>\n<script type=\"application\/ld+json\" class=\"yoast-schema-graph\">{\"@context\":\"https:\\\/\\\/schema.org\",\"@graph\":[{\"@type\":\"Article\",\"@id\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/threat-actors-target-aws-ec2-workloads-to-steal-credentials\\\/#article\",\"isPartOf\":{\"@id\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/threat-actors-target-aws-ec2-workloads-to-steal-credentials\\\/\"},\"author\":{\"name\":\"TH Author\",\"@id\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/#\\\/schema\\\/person\\\/12e0a8671ff89a863584f193e7062476\"},\"headline\":\"Threat Actors Target AWS EC2 Workloads to Steal 
Credentials\",\"datePublished\":\"2022-10-26T00:00:00+00:00\",\"mainEntityOfPage\":{\"@id\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/threat-actors-target-aws-ec2-workloads-to-steal-credentials\\\/\"},\"wordCount\":1430,\"publisher\":{\"@id\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/#organization\"},\"image\":{\"@id\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/threat-actors-target-aws-ec2-workloads-to-steal-credentials\\\/#primaryimage\"},\"thumbnailUrl\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/wp-content\\\/uploads\\\/2022\\\/10\\\/threat-actors-target-aws-ec2-workloads-to-steal-credentials.png\",\"keywords\":[\"Trend Micro Research : Articles, News, Reports\",\"Trend Micro Research : Cloud\",\"Trend Micro Research : Compliance&amp;Risks\",\"Trend Micro Research : Cyber Crime\",\"Trend Micro Research : Cyber Threats\",\"Trend Micro Research : Exploits&amp;Vulnerabilities\",\"Trend Micro Research : Privacy&amp;Risks\"],\"articleSection\":[\"TrendMicro\"],\"inLanguage\":\"en-US\"},{\"@type\":\"WebPage\",\"@id\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/threat-actors-target-aws-ec2-workloads-to-steal-credentials\\\/\",\"url\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/threat-actors-target-aws-ec2-workloads-to-steal-credentials\\\/\",\"name\":\"Threat Actors Target AWS EC2 Workloads to Steal Credentials 2026 | ThreatsHub Cybersecurity 
News\",\"isPartOf\":{\"@id\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/#website\"},\"primaryImageOfPage\":{\"@id\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/threat-actors-target-aws-ec2-workloads-to-steal-credentials\\\/#primaryimage\"},\"image\":{\"@id\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/threat-actors-target-aws-ec2-workloads-to-steal-credentials\\\/#primaryimage\"},\"thumbnailUrl\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/wp-content\\\/uploads\\\/2022\\\/10\\\/threat-actors-target-aws-ec2-workloads-to-steal-credentials.png\",\"datePublished\":\"2022-10-26T00:00:00+00:00\",\"description\":\"ThreatsHub Cybersecurity News | ThreatsHub.org | Cloud Security & Cyber Threats Analysis Hub. 100% Free OSINT Threat Intelligent and Cybersecurity News.\",\"breadcrumb\":{\"@id\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/threat-actors-target-aws-ec2-workloads-to-steal-credentials\\\/#breadcrumb\"},\"inLanguage\":\"en-US\",\"potentialAction\":[{\"@type\":\"ReadAction\",\"target\":[\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/threat-actors-target-aws-ec2-workloads-to-steal-credentials\\\/\"]}]},{\"@type\":\"ImageObject\",\"inLanguage\":\"en-US\",\"@id\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/threat-actors-target-aws-ec2-workloads-to-steal-credentials\\\/#primaryimage\",\"url\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/wp-content\\\/uploads\\\/2022\\\/10\\\/threat-actors-target-aws-ec2-workloads-to-steal-credentials.png\",\"contentUrl\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/wp-content\\\/uploads\\\/2022\\\/10\\\/threat-actors-target-aws-ec2-workloads-to-steal-credentials.png\",\"width\":726,\"height\":154},{\"@type\":\"BreadcrumbList\",\"@id\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/threat-actors-target-aws-ec2-workloads-to-steal-credentials\\\/#breadcrumb\",\"itemListElement\":[{\"@type\":\"ListItem\",\"position\":1,\"name\":\"Home\",\"item\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/\"},{\"@type\":\"ListItem\",\"position\
":2,\"name\":\"Trend Micro Research : Articles, News, Reports\",\"item\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/tag\\\/trend-micro-research-articles-news-reports\\\/\"},{\"@type\":\"ListItem\",\"position\":3,\"name\":\"Threat Actors Target AWS EC2 Workloads to Steal Credentials\"}]},{\"@type\":\"WebSite\",\"@id\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/#website\",\"url\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/\",\"name\":\"ThreatsHub Cybersecurity News\",\"description\":\"%%focuskw%% Threat Intel \u2013 Threat Intel Services \u2013 CyberIntelligence \u2013 Cyber Threat Intelligence - Threat Intelligence Feeds - Threat Intelligence Reports - CyberSecurity Report \u2013 Cyber Security PDF \u2013 Cybersecurity Trends - Cloud Sandbox \u2013- Threat IntelligencePortal \u2013 Incident Response \u2013 Threat Hunting \u2013 IOC - Yara - Security Operations Center \u2013 SecurityOperation Center \u2013 Security SOC \u2013 SOC Services - Advanced Threat - Threat Detection - TargetedAttack \u2013 APT \u2013 Anti-APT \u2013 Advanced Protection \u2013 Cyber Security Services \u2013 Cybersecurity Services -Threat Intelligence 
Platform\",\"publisher\":{\"@id\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/#organization\"},\"alternateName\":\"Threatshub.org\",\"potentialAction\":[{\"@type\":\"SearchAction\",\"target\":{\"@type\":\"EntryPoint\",\"urlTemplate\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/?s={search_term_string}\"},\"query-input\":{\"@type\":\"PropertyValueSpecification\",\"valueRequired\":true,\"valueName\":\"search_term_string\"}}],\"inLanguage\":\"en-US\"},{\"@type\":\"Organization\",\"@id\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/#organization\",\"name\":\"ThreatsHub.org\",\"alternateName\":\"Threatshub.org\",\"url\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/\",\"logo\":{\"@type\":\"ImageObject\",\"inLanguage\":\"en-US\",\"@id\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/#\\\/schema\\\/logo\\\/image\\\/\",\"url\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/wp-content\\\/uploads\\\/2025\\\/05\\\/Threatshub_Favicon1.jpg\",\"contentUrl\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/wp-content\\\/uploads\\\/2025\\\/05\\\/Threatshub_Favicon1.jpg\",\"width\":432,\"height\":435,\"caption\":\"ThreatsHub.org\"},\"image\":{\"@id\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/#\\\/schema\\\/logo\\\/image\\\/\"},\"sameAs\":[\"https:\\\/\\\/x.com\\\/threatshub\"]},{\"@type\":\"Person\",\"@id\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/#\\\/schema\\\/person\\\/12e0a8671ff89a863584f193e7062476\",\"name\":\"TH Author\",\"image\":{\"@type\":\"ImageObject\",\"inLanguage\":\"en-US\",\"@id\":\"https:\\\/\\\/secure.gravatar.com\\\/avatar\\\/066276f086d5155df79c850206a779ad368418a844da0182ce43f9cd5b506c3d?s=96&d=mm&r=g\",\"url\":\"https:\\\/\\\/secure.gravatar.com\\\/avatar\\\/066276f086d5155df79c850206a779ad368418a844da0182ce43f9cd5b506c3d?s=96&d=mm&r=g\",\"contentUrl\":\"https:\\\/\\\/secure.gravatar.com\\\/avatar\\\/066276f086d5155df79c850206a779ad368418a844da0182ce43f9cd5b506c3d?s=96&d=mm&r=g\",\"caption\":\"TH Author\"}}]}<\/script>\n<!-- \/ Yoast SEO plugin. 
-->","yoast_head_json":{"title":"Threat Actors Target AWS EC2 Workloads to Steal Credentials 2026 | ThreatsHub Cybersecurity News","description":"ThreatsHub Cybersecurity News | ThreatsHub.org | Cloud Security & Cyber Threats Analysis Hub. 100% Free OSINT Threat Intelligent and Cybersecurity News.","robots":{"index":"index","follow":"follow","max-snippet":"max-snippet:-1","max-image-preview":"max-image-preview:large","max-video-preview":"max-video-preview:-1"},"canonical":"https:\/\/www.threatshub.org\/blog\/threat-actors-target-aws-ec2-workloads-to-steal-credentials\/","og_locale":"en_US","og_type":"article","og_title":"Threat Actors Target AWS EC2 Workloads to Steal Credentials 2026 | ThreatsHub Cybersecurity News","og_description":"ThreatsHub Cybersecurity News | ThreatsHub.org | Cloud Security & Cyber Threats Analysis Hub. 100% Free OSINT Threat Intelligent and Cybersecurity News.","og_url":"https:\/\/www.threatshub.org\/blog\/threat-actors-target-aws-ec2-workloads-to-steal-credentials\/","og_site_name":"ThreatsHub Cybersecurity News","article_published_time":"2022-10-26T00:00:00+00:00","og_image":[{"url":"https:\/\/www.trendmicro.com\/content\/dam\/trendmicro\/global\/en\/research\/thumbnails\/22\/cover-threat-actors-target-aws-ec2-workloads-to-steal-credentials.jpg","type":"","width":"","height":""}],"author":"TH Author","twitter_card":"summary_large_image","twitter_creator":"@threatshub","twitter_site":"@threatshub","twitter_misc":{"Written by":"TH Author","Est. 
reading time":"7 minutes"},"schema":{"@context":"https:\/\/schema.org","@graph":[{"@type":"Article","@id":"https:\/\/www.threatshub.org\/blog\/threat-actors-target-aws-ec2-workloads-to-steal-credentials\/#article","isPartOf":{"@id":"https:\/\/www.threatshub.org\/blog\/threat-actors-target-aws-ec2-workloads-to-steal-credentials\/"},"author":{"name":"TH Author","@id":"https:\/\/www.threatshub.org\/blog\/#\/schema\/person\/12e0a8671ff89a863584f193e7062476"},"headline":"Threat Actors Target AWS EC2 Workloads to Steal Credentials","datePublished":"2022-10-26T00:00:00+00:00","mainEntityOfPage":{"@id":"https:\/\/www.threatshub.org\/blog\/threat-actors-target-aws-ec2-workloads-to-steal-credentials\/"},"wordCount":1430,"publisher":{"@id":"https:\/\/www.threatshub.org\/blog\/#organization"},"image":{"@id":"https:\/\/www.threatshub.org\/blog\/threat-actors-target-aws-ec2-workloads-to-steal-credentials\/#primaryimage"},"thumbnailUrl":"https:\/\/www.threatshub.org\/blog\/coredata\/uploads\/2022\/10\/threat-actors-target-aws-ec2-workloads-to-steal-credentials.png","keywords":["Trend Micro Research : Articles, News, Reports","Trend Micro Research : Cloud","Trend Micro Research : Compliance&amp;Risks","Trend Micro Research : Cyber Crime","Trend Micro Research : Cyber Threats","Trend Micro Research : Exploits&amp;Vulnerabilities","Trend Micro Research : Privacy&amp;Risks"],"articleSection":["TrendMicro"],"inLanguage":"en-US"},{"@type":"WebPage","@id":"https:\/\/www.threatshub.org\/blog\/threat-actors-target-aws-ec2-workloads-to-steal-credentials\/","url":"https:\/\/www.threatshub.org\/blog\/threat-actors-target-aws-ec2-workloads-to-steal-credentials\/","name":"Threat Actors Target AWS EC2 Workloads to Steal Credentials 2026 | ThreatsHub Cybersecurity 
News","isPartOf":{"@id":"https:\/\/www.threatshub.org\/blog\/#website"},"primaryImageOfPage":{"@id":"https:\/\/www.threatshub.org\/blog\/threat-actors-target-aws-ec2-workloads-to-steal-credentials\/#primaryimage"},"image":{"@id":"https:\/\/www.threatshub.org\/blog\/threat-actors-target-aws-ec2-workloads-to-steal-credentials\/#primaryimage"},"thumbnailUrl":"https:\/\/www.threatshub.org\/blog\/coredata\/uploads\/2022\/10\/threat-actors-target-aws-ec2-workloads-to-steal-credentials.png","datePublished":"2022-10-26T00:00:00+00:00","description":"ThreatsHub Cybersecurity News | ThreatsHub.org | Cloud Security & Cyber Threats Analysis Hub. 100% Free OSINT Threat Intelligent and Cybersecurity News.","breadcrumb":{"@id":"https:\/\/www.threatshub.org\/blog\/threat-actors-target-aws-ec2-workloads-to-steal-credentials\/#breadcrumb"},"inLanguage":"en-US","potentialAction":[{"@type":"ReadAction","target":["https:\/\/www.threatshub.org\/blog\/threat-actors-target-aws-ec2-workloads-to-steal-credentials\/"]}]},{"@type":"ImageObject","inLanguage":"en-US","@id":"https:\/\/www.threatshub.org\/blog\/threat-actors-target-aws-ec2-workloads-to-steal-credentials\/#primaryimage","url":"https:\/\/www.threatshub.org\/blog\/coredata\/uploads\/2022\/10\/threat-actors-target-aws-ec2-workloads-to-steal-credentials.png","contentUrl":"https:\/\/www.threatshub.org\/blog\/coredata\/uploads\/2022\/10\/threat-actors-target-aws-ec2-workloads-to-steal-credentials.png","width":726,"height":154},{"@type":"BreadcrumbList","@id":"https:\/\/www.threatshub.org\/blog\/threat-actors-target-aws-ec2-workloads-to-steal-credentials\/#breadcrumb","itemListElement":[{"@type":"ListItem","position":1,"name":"Home","item":"https:\/\/www.threatshub.org\/blog\/"},{"@type":"ListItem","position":2,"name":"Trend Micro Research : Articles, News, Reports","item":"https:\/\/www.threatshub.org\/blog\/tag\/trend-micro-research-articles-news-reports\/"},{"@type":"ListItem","position":3,"name":"Threat Actors Target AWS EC2 
Workloads to Steal Credentials"}]},{"@type":"WebSite","@id":"https:\/\/www.threatshub.org\/blog\/#website","url":"https:\/\/www.threatshub.org\/blog\/","name":"ThreatsHub Cybersecurity News","description":"%%focuskw%% Threat Intel \u2013 Threat Intel Services \u2013 CyberIntelligence \u2013 Cyber Threat Intelligence - Threat Intelligence Feeds - Threat Intelligence Reports - CyberSecurity Report \u2013 Cyber Security PDF \u2013 Cybersecurity Trends - Cloud Sandbox \u2013- Threat IntelligencePortal \u2013 Incident Response \u2013 Threat Hunting \u2013 IOC - Yara - Security Operations Center \u2013 SecurityOperation Center \u2013 Security SOC \u2013 SOC Services - Advanced Threat - Threat Detection - TargetedAttack \u2013 APT \u2013 Anti-APT \u2013 Advanced Protection \u2013 Cyber Security Services \u2013 Cybersecurity Services -Threat Intelligence Platform","publisher":{"@id":"https:\/\/www.threatshub.org\/blog\/#organization"},"alternateName":"Threatshub.org","potentialAction":[{"@type":"SearchAction","target":{"@type":"EntryPoint","urlTemplate":"https:\/\/www.threatshub.org\/blog\/?s={search_term_string}"},"query-input":{"@type":"PropertyValueSpecification","valueRequired":true,"valueName":"search_term_string"}}],"inLanguage":"en-US"},{"@type":"Organization","@id":"https:\/\/www.threatshub.org\/blog\/#organization","name":"ThreatsHub.org","alternateName":"Threatshub.org","url":"https:\/\/www.threatshub.org\/blog\/","logo":{"@type":"ImageObject","inLanguage":"en-US","@id":"https:\/\/www.threatshub.org\/blog\/#\/schema\/logo\/image\/","url":"https:\/\/www.threatshub.org\/blog\/coredata\/uploads\/2025\/05\/Threatshub_Favicon1.jpg","contentUrl":"https:\/\/www.threatshub.org\/blog\/coredata\/uploads\/2025\/05\/Threatshub_Favicon1.jpg","width":432,"height":435,"caption":"ThreatsHub.org"},"image":{"@id":"https:\/\/www.threatshub.org\/blog\/#\/schema\/logo\/image\/"},"sameAs":["https:\/\/x.com\/threatshub"]},{"@type":"Person","@id":"https:\/\/www.threatshub.org\/blog\/#\/s
chema\/person\/12e0a8671ff89a863584f193e7062476","name":"TH Author","image":{"@type":"ImageObject","inLanguage":"en-US","@id":"https:\/\/secure.gravatar.com\/avatar\/066276f086d5155df79c850206a779ad368418a844da0182ce43f9cd5b506c3d?s=96&d=mm&r=g","url":"https:\/\/secure.gravatar.com\/avatar\/066276f086d5155df79c850206a779ad368418a844da0182ce43f9cd5b506c3d?s=96&d=mm&r=g","contentUrl":"https:\/\/secure.gravatar.com\/avatar\/066276f086d5155df79c850206a779ad368418a844da0182ce43f9cd5b506c3d?s=96&d=mm&r=g","caption":"TH Author"}}]}},"_links":{"self":[{"href":"https:\/\/www.threatshub.org\/blog\/wp-json\/wp\/v2\/posts\/49026","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/www.threatshub.org\/blog\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/www.threatshub.org\/blog\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/www.threatshub.org\/blog\/wp-json\/wp\/v2\/users\/2"}],"replies":[{"embeddable":true,"href":"https:\/\/www.threatshub.org\/blog\/wp-json\/wp\/v2\/comments?post=49026"}],"version-history":[{"count":0,"href":"https:\/\/www.threatshub.org\/blog\/wp-json\/wp\/v2\/posts\/49026\/revisions"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/www.threatshub.org\/blog\/wp-json\/wp\/v2\/media\/49027"}],"wp:attachment":[{"href":"https:\/\/www.threatshub.org\/blog\/wp-json\/wp\/v2\/media?parent=49026"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/www.threatshub.org\/blog\/wp-json\/wp\/v2\/categories?post=49026"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/www.threatshub.org\/blog\/wp-json\/wp\/v2\/tags?post=49026"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}