A newly discovered cyber campaign, named “EleKtra-Leak,” has been actively targeting exposed Amazon Web Service (AWS) Identity and Access Management (IAM) credentials found in public GitHub repositories, enabling the threat actors to carry out extensive cryptojacking activities. Researchers from Palo Alto Networks Unit 42, William Gamazo and Nathaniel Quist, have issued a technical report revealing the campaign’s tactics.
The campaign, which has been operational since at least December 2020, focuses on mining the cryptocurrency Monero by leveraging up to 474 unique Amazon Elastic Compute (EC2) instances between August 30 and October 6, 2023.
A remarkable aspect of these attacks is the automated targeting of AWS IAM credentials within just four minutes of their initial exposure on GitHub. This rapid response suggests that threat actors are programmatically scanning repositories to swiftly seize exposed keys. Furthermore, the adversary has been observed blocking AWS accounts that disclose IAM credentials, presumably to deter further analysis.
There is also evidence suggesting that the attacker might be linked to a prior cryptojacking campaign, disclosed by Intezer in January 2021, which targeted poorly secured Docker services using the same custom mining software.
Part of the campaign’s success lies in exploiting gaps in GitHub’s secret scanning feature and AWS’ AWSCompromisedKeyQuarantine policy. This policy is designed to detect and prevent the misuse of compromised or exposed IAM credentials to launch or initiate EC2 instances. While the quarantine policy is enforced within two minutes of the AWS credentials being publicly accessible on GitHub, the means by which the keys are exposed remains undetermined.
Unit 42 has stated that the “threat actor might be able to find exposed AWS keys that aren’t automatically detected by AWS and subsequently control these keys outside of the AWSCompromisedKeyQuarantine policy.”
In the attack sequences identified by the cybersecurity company, the stolen AWS credentials are employed for account reconnaissance, followed by the creation of AWS security groups and the launch of multiple EC2 instances across different regions, all through a virtual private network (VPN).
The cryptojacking operations are carried out on c5a.24xlarge AWS instances, which offer greater processing power, enabling the operators to mine more cryptocurrency in a shorter timeframe.
Notably, the mining software used in these attacks is sourced from a Google Drive URL, indicating a pattern of malicious actors exploiting the trust associated with widely-used applications to evade detection. Additionally, the Amazon Machine Images (AMI) used by the threat actor were distinct as they were private and not listed in the AWS Marketplace.
To counter such attacks, organizations that inadvertently expose AWS IAM credentials are advised to promptly revoke any API connections using the keys, remove them from the GitHub repository, and closely monitor GitHub repository cloning events for any suspicious activities.
The researchers caution that “the threat actor can detect and launch a full-scale mining operation within five minutes from the time of an AWS IAM credential being exposed in a public GitHub repository.” Despite the effectiveness of AWS quarantine policies, the campaign exhibits continuous fluctuations in the number and frequency of compromised victim accounts.
