Exploit of AWS IAM Credentials Exposed on GitHub Enables EleKtra-Leak Cryptojacking Attacks

    The active EleKtra-Leak campaign is targeting Amazon Web Service (AWS) identity and access management (IAM) credentials found in public GitHub repositories. Its main goal? Cryptojacking. William Gamazo and Nathaniel Quist, researchers from Palo Alto Networks Unit 42, documented this in a technical report for The Hacker News.

    A Deep Dive into the Operation
    Since December 2020, this operation has been mining the cryptocurrency Monero. Between August 30 and October 6, 2023, it used 474 unique Amazon EC2 instances. The campaign acts swiftly, targeting AWS IAM credentials on GitHub within four minutes of their exposure. This speed suggests that the threat actors programmatically scan and clone repositories to snatch the exposed keys.

    Further Analysis and Connections
    The attacker has also started to blocklist AWS accounts that share IAM credentials, which hinders further research. Interestingly, this campaign appears connected to another cryptojacking operation that Intezer disclosed in January 2021: the two differ in the vulnerabilities they focus on but employ the same unique mining software.

    Exploiting Blindspots
    The campaign’s success partly comes from exploiting gaps in GitHub’s secret scanning and in AWS’s AWSCompromisedKeyQuarantine policy, the controls meant to detect exposed IAM credentials and block their misuse. Exposed keys nevertheless appear to be slipping past them by a method that has not yet been identified.

    Threat Actor’s Techniques Unveiled
    Researchers at Unit 42 have found that the threat actor can locate exposed AWS keys that AWS itself does not automatically detect. With a key in hand, the actors first survey the AWS account, then create security groups and launch numerous EC2 instances across different regions, masking their activity behind a virtual private network (VPN) throughout. They favor the c5a.24xlarge instance type for its processing power, which speeds up their mining.
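    The behaviour described above (account survey, security group creation, then a burst of large EC2 launches across regions from one access key within minutes) is something a defender can look for in CloudTrail. The following detection is an added example written for this page, not Unit 42's code or anything from the report; the CloudTrail records, access key IDs and timestamps are constructed, and the five-minute window and instance-type list are taken from the figures the article cites.

```python
"""Added detection example (not Unit 42's code, not from the article).

Flags an AWS access key that, within a short window, creates a security group
and launches large EC2 instances in several regions, the behaviour the report
describes for EleKtra-Leak. Input is a list of CloudTrail-style records; the
sample below is constructed and the access key IDs are placeholders.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample records. Field names follow CloudTrail's schema
# (eventName, awsRegion, eventTime, userIdentity.accessKeyId and
# requestParameters.instanceType for RunInstances); values are made up.
EVENTS = [
    {"eventTime": "2023-09-01T10:00:00Z", "eventName": "DescribeInstances",
     "awsRegion": "us-east-1", "userIdentity": {"accessKeyId": "AKIAEXAMPLEKEY000001"}},
    {"eventTime": "2023-09-01T10:00:30Z", "eventName": "CreateSecurityGroup",
     "awsRegion": "us-east-1", "userIdentity": {"accessKeyId": "AKIAEXAMPLEKEY000001"}},
    {"eventTime": "2023-09-01T10:01:00Z", "eventName": "RunInstances",
     "awsRegion": "us-east-1", "userIdentity": {"accessKeyId": "AKIAEXAMPLEKEY000001"},
     "requestParameters": {"instanceType": "c5a.24xlarge"}},
    {"eventTime": "2023-09-01T10:01:40Z", "eventName": "RunInstances",
     "awsRegion": "eu-west-1", "userIdentity": {"accessKeyId": "AKIAEXAMPLEKEY000001"},
     "requestParameters": {"instanceType": "c5a.24xlarge"}},
    {"eventTime": "2023-09-01T10:02:10Z", "eventName": "RunInstances",
     "awsRegion": "ap-southeast-1", "userIdentity": {"accessKeyId": "AKIAEXAMPLEKEY000001"},
     "requestParameters": {"instanceType": "c5a.24xlarge"}},
    # A developer's ordinary single launch under a different key: must not trigger.
    {"eventTime": "2023-09-01T11:15:00Z", "eventName": "RunInstances",
     "awsRegion": "us-east-1", "userIdentity": {"accessKeyId": "AKIAEXAMPLEKEY000002"},
     "requestParameters": {"instanceType": "t3.micro"}},
]

WINDOW = timedelta(minutes=5)     # the report cites a roughly five-minute setup time
LARGE_TYPES = {"c5a.24xlarge"}    # the instance type the actor favours
MIN_REGIONS = 2                   # launches spread across at least this many regions


def _t(event):
    return datetime.strptime(event["eventTime"], "%Y-%m-%dT%H:%M:%SZ")


def find_mining_bursts(events, window=WINDOW, large_types=LARGE_TYPES, min_regions=MIN_REGIONS):
    """Return one finding per access key whose activity matches the pattern."""
    by_key = defaultdict(list)
    for e in events:
        by_key[e["userIdentity"].get("accessKeyId")].append(e)

    findings = []
    for key, evs in by_key.items():
        evs.sort(key=_t)
        # Slide a window over each key's events, anchored at each event in turn.
        for i, start in enumerate(evs):
            t0 = _t(start)
            in_win = [e for e in evs[i:] if _t(e) - t0 <= window]
            made_sg = any(e["eventName"] == "CreateSecurityGroup" for e in in_win)
            runs = [e for e in in_win if e["eventName"] == "RunInstances"]
            large = [e for e in runs
                     if e.get("requestParameters", {}).get("instanceType") in large_types]
            regions = sorted({e["awsRegion"] for e in runs})
            if made_sg and large and len(regions) >= min_regions:
                findings.append({
                    "accessKeyId": key,
                    "window_start": start["eventTime"],
                    "regions": regions,
                    "large_instance_launches": len(large),
                })
                break  # one finding per key is enough to start a response
    return findings


if __name__ == "__main__":
    for finding in find_mining_bursts(EVENTS):
        print(finding)
```

    Run against real CloudTrail exports, the same function can be pointed at the `userIdentity.accessKeyId` of every key in the account; a hit is a reason to revoke the key immediately, not merely to investigate, given how quickly the actor scales up.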

    The Cryptojacking Tools
    The attackers source their mining software from a Google Drive URL. This tactic shows how malicious actors exploit the trust people place in popular applications. Notably, the threat actor’s Amazon Machine Images (AMI) are private and don’t appear in the AWS Marketplace, making their activities even more distinctive.

    Protective Measures and Recommendations
    Organizations that accidentally leak AWS IAM credentials should act fast: revoke any API access that uses the exposed keys, delete the keys from the GitHub repository, and review the repository’s clone events for suspicious activity. The threat actor can set up a vast mining operation within five minutes of finding an exposed AWS IAM credential on GitHub. Despite AWS’s quarantine efforts, the number of compromised accounts keeps fluctuating.
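    Because the article reports keys being harvested within minutes of exposure and slipping past GitHub’s server-side secret scanning, a local check before anything is pushed is a useful complementary control. The script below is an added example written for this page, not code from the article or from Unit 42. It matches AWS access key IDs by their documented AKIA (long-term) and ASIA (temporary) prefixes and only treats a 40-character value as a secret key when it follows an `aws_secret_access_key` assignment, to keep false positives down; the sample config it scans is constructed, and the `--staged` mode assumes it is run inside a Git working tree as a pre-commit hook.

```python
"""Added example (not the article's or Unit 42's code): a local check for AWS
credential material in text about to be committed, complementing GitHub's
server-side secret scanning. Access key IDs start with AKIA (long-term) or
ASIA (temporary), both AWS-documented prefixes; secret keys are matched only
after an aws_secret_access_key assignment to limit false positives.
"""
import re
import subprocess
import sys

ACCESS_KEY_RE = re.compile(r"(?<![A-Z0-9])(?:AKIA|ASIA)[A-Z0-9]{16}(?![A-Z0-9])")
SECRET_KEY_RE = re.compile(
    r"aws_secret_access_key\s*[=:]\s*['\"]?([A-Za-z0-9/+=]{40})(?![A-Za-z0-9/+=])",
    re.IGNORECASE,
)


def redact(value):
    """Keep only the ends so a report is useful without re-leaking the secret."""
    return value[:4] + "..." + value[-4:]


def scan_text(text):
    """Return (line_number, kind, redacted_value) for each suspected credential."""
    findings = []
    for n, line in enumerate(text.splitlines(), start=1):
        for m in ACCESS_KEY_RE.finditer(line):
            findings.append((n, "access_key_id", redact(m.group(0))))
        for m in SECRET_KEY_RE.finditer(line):
            findings.append((n, "secret_access_key", redact(m.group(1))))
    return findings


def scan_staged_changes():
    """Scan only the added lines of the staged diff (for use as a pre-commit hook)."""
    diff = subprocess.run(["git", "diff", "--cached", "-U0"],
                          capture_output=True, text=True, check=True).stdout
    added = "\n".join(line[1:] for line in diff.splitlines()
                      if line.startswith("+") and not line.startswith("+++"))
    return scan_text(added)


# Constructed sample: a credentials file a developer might commit by mistake.
# The key ID and secret are placeholders, not real credentials.
SAMPLE = """[default]
region = us-east-1
aws_access_key_id = AKIAEXAMPLEKEY000001
aws_secret_access_key = abcd1234abcd1234abcd1234abcd1234abcd1234
"""


if __name__ == "__main__":
    if len(sys.argv) > 1 and sys.argv[1] == "--staged":
        hits = scan_staged_changes()
    else:
        hits = scan_text(SAMPLE)
    for n, kind, value in hits:
        print(f"line {n}: {kind} {value}")
    # Non-zero exit blocks the commit when wired in as .git/hooks/pre-commit.
    sys.exit(1 if hits else 0)
```

    Run with no arguments it scans the embedded sample and reports both values; with `--staged` it exits non-zero when the staged diff contains credential material, which is what a pre-commit hook needs. A key that has already reached a public repository should still be treated as compromised and revoked, since the actor’s scanning runs ahead of any cleanup.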
