Gafgyt in cloud AI environments: what IAM and runtime teams should watch


Posted by @nhi-mgmt-group (Member Moderator), topic starter

TL;DR: A newer Gafgyt variant is moving from IoT toward Linux-based cloud native and AI environments, using weak SSH passwords, fileless execution, and cryptomining payloads to exploit exposed compute, according to Aqua Security. Runtime policy and enforcement help contain the malware, but they do not remove the underlying access and exposure gaps that let it in.

NHIMG editorial — based on content published by Aqua Security: How to Set Up Runtime Defense Against Threats Like Gafgyt

By the numbers:

Questions worth separating out

Q: How should security teams reduce risk from weak SSH access on Linux workloads?

A: Security teams should remove password-based SSH where possible, restrict administrative sources, and treat remote shell access as a privileged pathway.

Q: Why do cloud native and AI workloads attract cryptomining malware?

A: They attract cryptomining malware because they offer high-value CPU and GPU capacity that can be monetised quickly.

Q: What do security teams get wrong about fileless malware in containers?

A: They often assume that no file on disk means no practical detection path.

Practitioner guidance

  • Harden SSH as a workload identity control: inventory every exposed Linux host and remove password-based SSH where possible.
  • Separate runtime detection from exposure reduction: keep container runtime protection in place to catch fileless execution, but pair it with exposure scanning so that prevention starts before the shell is opened.
  • Treat cryptomining as a governance signal: alert on unexpected CPU and GPU consumption, suspicious process trees, and miner-style binaries in production.
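The "no file on disk means no detection path" assumption above is wrong because a fileless process still leaves traces in /proc. As an added illustration, not code from Aqua Security or from the original post, this Python checker flags memfd-backed or unlinked executables, binaries running from tmpfs, and miner-style command lines, and only escalates on CPU when another indicator is present (so a GPU training job alone is not flagged). The sample records, regex patterns and the 90% threshold are constructed assumptions.

```python
import os
import re

# Constructed sample snapshot in the shape of /proc data; not real telemetry.
SAMPLE_PROCS = [
    {"pid": 101, "exe": "/usr/sbin/sshd", "cmdline": "sshd: /usr/sbin/sshd", "cpu": 0.3},
    {"pid": 4242, "exe": "/memfd:kworker (deleted)",
     "cmdline": "kworker -o stratum+tcp://pool.example:3333", "cpu": 97.5},
    {"pid": 5150, "exe": "/usr/bin/python3", "cmdline": "python3 train.py", "cpu": 88.0},
    {"pid": 6001, "exe": "/dev/shm/.x/run (deleted)",
     "cmdline": "./run --donate-level=1", "cpu": 92.0},
]

# Assumed miner-style markers; tune to your own environment.
MINER_PATTERNS = re.compile(r"stratum\+tcp://|--donate-level|cryptonight|xmrig", re.I)
SCRATCH_DIRS = ("/dev/shm/", "/tmp/", "/var/tmp/")
CPU_THRESHOLD = 90.0  # assumed; only escalates an existing finding


def fileless_indicators(proc):
    """Return the reasons a process looks fileless or miner-like; empty list means clean."""
    reasons = []
    exe = proc["exe"]
    if exe.startswith("/memfd:") or exe.startswith("memfd:"):
        reasons.append("exe backed by memfd (no path on disk)")
    if exe.endswith("(deleted)"):
        reasons.append("exe unlinked after start")
    if exe.startswith(SCRATCH_DIRS):
        reasons.append("exe runs from scratch/tmpfs directory")
    if MINER_PATTERNS.search(proc["cmdline"]):
        reasons.append("miner-style command line")
    # High CPU alone is not an indicator (training jobs are legitimately hot).
    if reasons and proc["cpu"] >= CPU_THRESHOLD:
        reasons.append(f"sustained CPU {proc['cpu']}%")
    return reasons


def scan(procs):
    """Map pid -> reasons for every process with at least one indicator."""
    findings = {}
    for p in procs:
        reasons = fileless_indicators(p)
        if reasons:
            findings[p["pid"]] = reasons
    return findings


def snapshot_proc():
    """Build the same record shape from a live /proc (Linux only; CPU left at 0.0)."""
    procs = []
    for pid in filter(str.isdigit, os.listdir("/proc")):
        try:
            exe = os.readlink(f"/proc/{pid}/exe")  # shows "/memfd:... (deleted)" for fileless
            with open(f"/proc/{pid}/cmdline", "rb") as f:
                cmdline = f.read().replace(b"\0", b" ").decode(errors="replace")
        except OSError:
            continue  # kernel threads, exited processes, or insufficient privilege
        procs.append({"pid": int(pid), "exe": exe, "cmdline": cmdline, "cpu": 0.0})
    return procs


if __name__ == "__main__":
    for pid, reasons in scan(SAMPLE_PROCS).items():
        print(pid, "; ".join(reasons))
```

Run `scan(snapshot_proc())` on a Linux host to apply the same checks to live processes; feed real CPU figures from your metrics pipeline for the escalation step.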

What's in the full article

Aqua Security's full blog covers the operational detail this post intentionally leaves for the source:

  • Step-by-step runtime policy setup in the Aqua console for container workloads
  • Specific enforcement options for blocking fileless execution and cryptocurrency mining
  • A vendor walkthrough of Aqua Runtime Protection and how it flags malicious behaviour in production
  • The support portal path for additional remediation guidance and policy tuning

Read Aqua Security's analysis of Gafgyt runtime defense for AI workloads.
