A recent and ongoing campaign known as “EleKtra-Leak” focuses on identifying exposed Amazon Web Services (AWS) Identity and Access Management (IAM) credentials in public GitHub repositories, with the ultimate aim of cryptojacking.
More Details
The threat actors responsible for this campaign, which has been active since at least December 2020, created numerous AWS Elastic Compute Cloud (EC2) instances in order to run extensive and prolonged cryptojacking operations.
Objective: mining the cryptocurrency Monero. Between August 30 and October 6, 2023, the actors compromised up to 474 distinct Amazon EC2 instances.
Unique Disruptive Measure
What sets this campaign apart is its automated approach to identifying AWS IAM credentials within four minutes of their initial exposure on GitHub.
This suggests that the threat actors are systematically monitoring and scanning repositories to seize these exposed keys quickly.
The threat actors have also tended to block AWS accounts that publicly disclose IAM credentials, most likely to impede any further investigation into their activities.
Do We Have Any Links?
There is evidence to suggest a potential link between the attacker behind this campaign and other cryptojacking operations disclosed by Intezer in January 2021.
This earlier campaign was focused on targeting poorly secured Docker services, and it employed the same custom mining software.
The effectiveness of EleKtra-Leak largely hinges on its ability to exploit weaknesses in GitHub’s secret scanning capability and in AWS’s AWSCompromisedKeyQuarantine policy.
This policy is engineered to detect and thwart misuse of compromised or exposed IAM credentials for launching and operating EC2 instances.
It springs into action within two minutes of the AWS credentials becoming openly accessible on GitHub.
Nevertheless, concerns persist that the keys might be exposed through a method that has yet to be pinpointed.
Remember – First Line of Defence?
The attack sequence uncovered by this cybersecurity firm involves the illicit use of stolen AWS credentials for conducting account reconnaissance operations.
The threat actors create AWS security groups and initiate multiple EC2 instances across various regions, all while operating from behind a virtual private network (VPN).
These crypto-mining operations run on large AWS instance types because of their superior processing power, which lets the operators mine cryptocurrency at an accelerated rate.
The mining software for these cryptojacking activities is sourced from a Google Drive URL, indicating a pattern where malicious actors exploit the trust associated with commonly used applications to evade detection.
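The attack chain described above (reconnaissance with the stolen key, then security groups and EC2 launches across many regions in a short window) is also a detection opportunity for the account owner. The following is an added example, not code from the original article or from the researchers who reported the campaign: it scans CloudTrail-style records for a single access key that performs reconnaissance calls and then launches instances in several regions within a short window. The event records are constructed sample data using CloudTrail field names; the access key IDs are the placeholder keys from AWS documentation, and the event-name sets and thresholds are assumptions to tune for your own environment.

```python
"""Hunt for the EleKtra-Leak-style sequence in CloudTrail records: one access
key doing account reconnaissance, then creating security groups and launching
EC2 instances across several regions within a short window."""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample events (invented values, CloudTrail field names). The
# access key IDs are the placeholder keys from AWS documentation.
SAMPLE_EVENTS = [
    # suspicious: recon, then a security group and instances in four regions in ~3 min
    {"eventTime": "2023-09-01T10:00:00Z", "eventSource": "sts.amazonaws.com",
     "eventName": "GetCallerIdentity", "awsRegion": "us-east-1",
     "userIdentity": {"accessKeyId": "AKIAIOSFODNN7EXAMPLE"}},
    {"eventTime": "2023-09-01T10:00:05Z", "eventSource": "ec2.amazonaws.com",
     "eventName": "DescribeRegions", "awsRegion": "us-east-1",
     "userIdentity": {"accessKeyId": "AKIAIOSFODNN7EXAMPLE"}},
    {"eventTime": "2023-09-01T10:01:00Z", "eventSource": "ec2.amazonaws.com",
     "eventName": "CreateSecurityGroup", "awsRegion": "us-east-1",
     "userIdentity": {"accessKeyId": "AKIAIOSFODNN7EXAMPLE"}},
    {"eventTime": "2023-09-01T10:01:30Z", "eventSource": "ec2.amazonaws.com",
     "eventName": "RunInstances", "awsRegion": "us-east-1",
     "userIdentity": {"accessKeyId": "AKIAIOSFODNN7EXAMPLE"}},
    {"eventTime": "2023-09-01T10:02:00Z", "eventSource": "ec2.amazonaws.com",
     "eventName": "RunInstances", "awsRegion": "us-west-2",
     "userIdentity": {"accessKeyId": "AKIAIOSFODNN7EXAMPLE"}},
    {"eventTime": "2023-09-01T10:02:40Z", "eventSource": "ec2.amazonaws.com",
     "eventName": "RunInstances", "awsRegion": "eu-west-1",
     "userIdentity": {"accessKeyId": "AKIAIOSFODNN7EXAMPLE"}},
    {"eventTime": "2023-09-01T10:03:10Z", "eventSource": "ec2.amazonaws.com",
     "eventName": "RunInstances", "awsRegion": "ap-southeast-1",
     "userIdentity": {"accessKeyId": "AKIAIOSFODNN7EXAMPLE"}},
    # benign: one instance launched in one region by a different key
    {"eventTime": "2023-09-01T08:59:00Z", "eventSource": "ec2.amazonaws.com",
     "eventName": "DescribeInstances", "awsRegion": "us-east-1",
     "userIdentity": {"accessKeyId": "AKIAI44QH8DHBEXAMPLE"}},
    {"eventTime": "2023-09-01T09:00:00Z", "eventSource": "ec2.amazonaws.com",
     "eventName": "RunInstances", "awsRegion": "us-east-1",
     "userIdentity": {"accessKeyId": "AKIAI44QH8DHBEXAMPLE"}},
]

# Assumed event-name sets; extend them with whatever recon calls your own logs show.
RECON_EVENTS = {"GetCallerIdentity", "DescribeRegions", "DescribeInstances",
                "DescribeInstanceTypes", "DescribeAvailabilityZones"}
LAUNCH_EVENTS = {"RunInstances", "CreateSecurityGroup"}


def _parse_time(stamp):
    return datetime.strptime(stamp, "%Y-%m-%dT%H:%M:%SZ")


def find_suspicious_keys(events, window=timedelta(minutes=30), min_regions=3):
    """Return {accessKeyId: summary} for keys whose RunInstances calls cover at
    least `min_regions` regions within `window` of their first recon call."""
    by_key = defaultdict(list)
    for ev in events:
        key = ev.get("userIdentity", {}).get("accessKeyId")
        if key:
            by_key[key].append(ev)
    findings = {}
    for key, evs in by_key.items():
        evs.sort(key=lambda e: _parse_time(e["eventTime"]))
        recon = [e for e in evs if e["eventName"] in RECON_EVENTS]
        if not recon:
            continue  # the observed chain starts with reconnaissance
        start = _parse_time(recon[0]["eventTime"])
        launches = [e for e in evs if e["eventName"] in LAUNCH_EVENTS
                    and start <= _parse_time(e["eventTime"]) <= start + window]
        regions = sorted({e["awsRegion"] for e in launches
                          if e["eventName"] == "RunInstances"})
        if len(regions) < min_regions:
            continue
        last = _parse_time(launches[-1]["eventTime"])  # evs is time-sorted
        findings[key] = {
            "regions": regions,
            "run_instances": sum(e["eventName"] == "RunInstances" for e in launches),
            "security_groups": sum(e["eventName"] == "CreateSecurityGroup" for e in launches),
            "span_minutes": round((last - start).total_seconds() / 60, 2),
        }
    return findings


if __name__ == "__main__":
    for key, summary in find_suspicious_keys(SAMPLE_EVENTS).items():
        print(f"{key}: {summary}")
```

In practice you would feed this the decoded `Records` array from your CloudTrail log files (or a CloudTrail Lake query result) and page the key's owner as soon as it fires; the region-fan-out threshold is what separates this pattern from a normal deployment, since legitimate automation rarely spins up instances in four regions three minutes after calling GetCallerIdentity.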
Counter Attack
Enterprises whose AWS IAM credentials have been exposed are strongly advised to immediately deactivate the keys and any API access tied to them, remove them from the GitHub repository, and monitor clones of their GitHub repositories for suspicious activity.
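Given the four-minute harvesting window described earlier, the cheapest mitigation is to stop a key from ever reaching a public repository. The following is an added example, not code from the original article or from any vendor tool: a small pre-commit style scanner that flags AWS access key IDs and secret access keys in files before they are committed. The key-format regexes are assumptions based on the documented AKIA/ASIA prefixes and 40-character secret length, the sample config is constructed, and the key pair in it is the placeholder pair from AWS documentation rather than a live credential.

```python
"""Pre-commit style scanner that refuses to commit files containing AWS access
key IDs or secret access keys, so a key never reaches a public repository
where it can be harvested within minutes of being pushed."""
import re
import sys

# Long-term access key IDs start with AKIA, temporary ones with ASIA (assumed
# format: prefix plus 16 uppercase alphanumerics, not embedded in a longer token).
ACCESS_KEY_RE = re.compile(r"(?<![A-Z0-9])(?:AKIA|ASIA)[A-Z0-9]{16}(?![A-Z0-9])")
# Secret keys are 40 base64-like characters; require nearby "aws ... secret"
# context so ordinary 40-char strings (for example git commit hashes) do not fire.
SECRET_KEY_RE = re.compile(
    r"(?i)aws.{0,20}secret.{0,20}[=:]\s*['\"]?([A-Za-z0-9/+=]{40})(?![A-Za-z0-9/+=])")


def redact(value):
    """Show only the ends of a value so findings can be reported without leaking it."""
    return value[:4] + "..." + value[-4:]


def scan_text(text):
    """Return one finding per matched credential: line number, kind, redacted value."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        for match in ACCESS_KEY_RE.finditer(line):
            findings.append({"line": lineno, "kind": "aws_access_key_id",
                             "redacted": redact(match.group(0))})
        for match in SECRET_KEY_RE.finditer(line):
            findings.append({"line": lineno, "kind": "aws_secret_access_key",
                             "redacted": redact(match.group(1))})
    return findings


def scan_files(paths):
    """Scan each path; return {path: findings} for paths with at least one finding."""
    results = {}
    for path in paths:
        with open(path, encoding="utf-8", errors="replace") as fh:
            found = scan_text(fh.read())
        if found:
            results[path] = found
    return results


# Constructed sample: the key pair is the placeholder pair from AWS documentation,
# not a live credential; the commit hash is a 40-char string that must not match.
SAMPLE_CONFIG = """\
# constructed sample config
[default]
aws_access_key_id = AKIAIOSFODNN7EXAMPLE
aws_secret_access_key = wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY
last_commit = 2fd4e1c67a2d28fced849ee1bb76e7391b93eb12
"""

if __name__ == "__main__":
    # With file arguments, behave as a git hook: a non-zero exit blocks the commit.
    if len(sys.argv) > 1:
        hits = scan_files(sys.argv[1:])
        for path, found in hits.items():
            for f in found:
                print(f"{path}:{f['line']}: {f['kind']} {f['redacted']}")
        sys.exit(1 if hits else 0)
    for f in scan_text(SAMPLE_CONFIG):
        print(f"sample:{f['line']}: {f['kind']} {f['redacted']}")
```

Wire it in as `.git/hooks/pre-commit` (or a pre-commit framework hook) over `git diff --cached --name-only`, and pair it with the remediation above: a key that does slip through should be deactivated in IAM first, because removing it from the repository does not remove it from clones or from the commit history that scanners have already pulled.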
The fact that threat actors can detect and commence extensive mining operations within a mere five minutes of AWS IAM credentials being revealed in a publicly accessible GitHub repository is indeed a matter of serious concern.
Although the AWS quarantine policy is largely effective, the campaign continues to show variation in both the number of victim accounts compromised and how often they are compromised.