EleKtra-Leak Cryptojacking Attacks Exploit AWS IAM Credentials Exposed on GitHub

Oct 30, 2023 | Newsroom | Cloud Security / Cryptocurrency


A new, ongoing campaign called EleKtra-Leak has set its sights on exposed Amazon Web Services (AWS) identity and access management (IAM) credentials in public GitHub repositories to facilitate cryptojacking activities.

“As a result of this, the threat actor associated with the campaign was able to create several AWS Elastic Compute (EC2) instances that they used for extensive and long-term cryptojacking operations,” Palo Alto Networks Unit 42 researchers William Gamazo and Nathaniel Quist said in a technical report shared with The Hacker News.

The operation, which has been active since at least December 2020, mined Monero on 474 unique Amazon EC2 instances between August 30 and October 6, 2023.

A notable aspect of the attacks was the automated targeting of AWS IAM credentials within four minutes of their initial exposure on GitHub, indicating that the threat actors clone and scan repositories to retrieve exposed keys.

The adversary was also observed blocklisting AWS accounts that had exposed IAM credentials, likely in an effort to prevent further analysis.


There is evidence to suggest that the attacker may also be involved in another cryptojacking campaign Intezer revealed in January 2021 aimed at poorly secured Docker services using the same bespoke mining software.

Part of the campaign’s success lies in exploiting blind spots in GitHub’s secret scanning feature and AWS’ AWSCompromisedKeyQuarantine policy, which are meant to flag and prevent the misuse of compromised or exposed IAM credentials to run or start EC2 instances.

While the quarantine policy is applied within two minutes of AWS credentials becoming publicly accessible on GitHub, it is suspected that the keys were exposed through an as yet undetermined method.


Unit 42 states that a “threat actor may find exposed AWS keys that AWS does not automatically detect and then control these keys outside of the AWSCompromisedKeyQuarantine policy.”

In the attack chains discovered by the cybersecurity company, stolen AWS credentials were used to perform account reconnaissance, followed by the creation of AWS security groups and the launch of multiple EC2 instances in different regions from behind a virtual private network (VPN).

Cryptomining operations are performed on c5a.24xlarge AWS instances because of their higher processing power, which allows the operators to mine more cryptocurrency in a shorter time.
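The attack chain described above (reconnaissance, then security-group creation, then RunInstances of c5a.24xlarge in several regions, all under one access key) is something a defender can hunt for in CloudTrail. The following is an added example, not code from Unit 42 or from the report; the reconnaissance event names, the five-minute window and the key IDs are assumptions, and the events are constructed sample data.

```python
from collections import defaultdict
from datetime import datetime, timezone

# Event names the campaign's chain would produce in CloudTrail; the "reconnaissance" set is
# an assumption about what account enumeration looks like, not taken from the report.
RECON_EVENTS = {"GetCallerIdentity", "DescribeInstances", "DescribeRegions", "ListBuckets"}
LARGE_TYPES = {"c5a.24xlarge"}  # instance type the report names; extend as needed

def _ev(time, name, region, key, itype=None):
    """Build a minimal CloudTrail-style record (constructed sample data, not real telemetry)."""
    params = {"instanceType": itype} if itype else {}
    return {"eventTime": time, "eventName": name, "awsRegion": region,
            "userIdentity": {"accessKeyId": key}, "requestParameters": params}

# Constructed sample: key ...00001 follows the described chain (recon, security group,
# RunInstances in two regions); key ...00002 is ordinary developer activity.
K1, K2 = "AKIAEXAMPLEKEY00001", "AKIAEXAMPLEKEY00002"  # placeholder key IDs
SAMPLE_EVENTS = [
    _ev("2023-09-01T10:00:05Z", "GetCallerIdentity", "us-east-1", K1),
    _ev("2023-09-01T10:00:40Z", "DescribeInstances", "us-east-1", K1),
    _ev("2023-09-01T10:01:30Z", "CreateSecurityGroup", "us-east-1", K1),
    _ev("2023-09-01T10:02:10Z", "RunInstances", "us-east-1", K1, "c5a.24xlarge"),
    _ev("2023-09-01T10:03:00Z", "RunInstances", "eu-west-1", K1, "c5a.24xlarge"),
    _ev("2023-09-01T11:15:00Z", "RunInstances", "us-west-2", K2, "t3.micro"),
]

def _ts(s):
    return datetime.strptime(s, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)

def find_suspicious_keys(events, window_minutes=5, min_regions=2):
    """Return {accessKeyId: details} for keys that launched large instances in
    several regions within window_minutes of their first reconnaissance call."""
    by_key = defaultdict(list)
    for e in events:
        by_key[e["userIdentity"]["accessKeyId"]].append(e)
    flagged = {}
    for key, evs in by_key.items():
        evs.sort(key=lambda e: _ts(e["eventTime"]))
        recon = [_ts(e["eventTime"]) for e in evs if e["eventName"] in RECON_EVENTS]
        runs = [e for e in evs if e["eventName"] == "RunInstances"
                and e["requestParameters"].get("instanceType") in LARGE_TYPES]
        if not recon or not runs:
            continue  # no recon burst or no large launches under this key
        regions = {e["awsRegion"] for e in runs}
        minutes = (_ts(runs[0]["eventTime"]) - recon[0]).total_seconds() / 60
        if len(regions) >= min_regions and minutes <= window_minutes:
            flagged[key] = {"regions": sorted(regions), "minutes_from_recon": round(minutes, 1)}
    return flagged
```

Tune `window_minutes`, `min_regions` and `LARGE_TYPES` to your own baseline; a single large launch in one region is normal for many teams, while a multi-region burst minutes after enumeration under one key is not.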


The mining software used to perform the cryptojacking was retrieved from a Google Drive URL, highlighting a pattern of malicious actors abusing the trust associated with widely used applications to fly under the radar.

“The type of Amazon Machine Images (AMI) the threat actor used is also different,” the researchers said. “The identified images are private and they are not listed on the AWS Marketplace.”

To mitigate such attacks, organizations that inadvertently expose AWS IAM credentials are advised to immediately revoke any API connections using the keys, remove the keys from the GitHub repository, and audit GitHub repository cloning events for any suspicious activity.

“A threat actor can detect and launch a full mining operation within five minutes from the time an AWS IAM credential is exposed in a public GitHub repository,” the researchers said. “Despite AWS’s successful quarantine policies, the campaign continues to fluctuate in number and frequency of compromised victim accounts.”
