- Identify the systems that store AWS credential files, and delete the files if they are not needed. Development credentials are commonly left behind on production systems by accident.
- To limit access to Docker APIs, use firewall rules. We recommend a whitelist-based (default-deny) approach to your firewall ruleset.
- Check network traffic for connections to mining pools or for use of the Stratum mining protocol.
- Check for any connections that send the AWS credentials file over HTTP.
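The two network checks above (Stratum mining traffic and an AWS credentials file sent over HTTP) as detection logic run over sample log lines; this is an added example, not code from Cado's write-up, and the JSON log format, field names and records are constructed for illustration.

```python
import json
import re

# Constructed sample records in the rough shape of a proxy/flow log that keeps a short
# payload excerpt per connection. Addresses are documentation ranges, keys are fake.
SAMPLE_RECORDS = [
    {"src": "10.0.1.5", "dst": "203.0.113.10", "dport": 3333, "proto": "tcp",
     "payload": '{"id":1,"method":"mining.subscribe","params":["xmrig/6.0"]}'},
    {"src": "10.0.1.5", "dst": "198.51.100.7", "dport": 80, "proto": "http",
     "payload": "POST /upload HTTP/1.1\r\n\r\n[default]\naws_access_key_id = "
                "AKIAEXAMPLE000000000\naws_secret_access_key = not-a-real-secret"},
    {"src": "10.0.1.9", "dst": "192.0.2.20", "dport": 443, "proto": "tcp", "payload": ""},
]
SAMPLE_LOG = "\n".join(json.dumps(r) for r in SAMPLE_RECORDS)  # one JSON object per line

# Stratum is JSON-RPC over TCP: classic pools use "mining.*" methods, XMRig-style pools
# use a "login" method whose params carry an "agent" string.
STRATUM_METHOD = re.compile(r'"method"\s*:\s*"(mining\.[a-z_]+|login)"')
# Markers of an ~/.aws/credentials file: its INI keys, or an AKIA-prefixed access key id.
AWS_CRED_MARKERS = re.compile(
    r"aws_access_key_id\s*=|aws_secret_access_key\s*=|\bAKIA[0-9A-Z]{16}\b")


def looks_like_stratum(payload):
    m = STRATUM_METHOD.search(payload)
    if not m:
        return False
    if m.group(1) == "login":          # generic "login" RPCs exist; require the agent field
        return '"agent"' in payload
    return True


def classify(record):
    """Return the list of detections that fire for one connection record."""
    findings = []
    payload = record.get("payload", "")
    if looks_like_stratum(payload):
        findings.append("stratum")
    if record.get("proto") == "http" and AWS_CRED_MARKERS.search(payload):
        findings.append("aws_creds_over_http")
    return findings


def scan(log_text):
    """Parse JSON-lines log text and return (detection, src, dst, dport) tuples."""
    alerts = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        try:
            rec = json.loads(line)
        except json.JSONDecodeError:      # skip malformed lines rather than abort the scan
            continue
        for finding in classify(rec):
            alerts.append((finding, rec["src"], rec["dst"], rec["dport"]))
    return alerts
```

Cleartext credential markers only appear in unencrypted HTTP, so this check complements, rather than replaces, removing unneeded credential files from hosts.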
Cado also credited other security research efforts against the cryptominers, such as Trend Micro, Malware Hunter Team, and r3dbU7z.