New EleKtra-Leak cryptojacking campaign mines Monero

November 14, 2023

The newly discovered EleKtra-Leak cryptojacking campaign has been actively targeting publicly exposed Amazon Web Service (AWS) Identity and Access Management (IAM) credentials in GitHub repositories.

Based on reports, the operation uses the stolen credentials to launch AWS Elastic Compute Cloud (EC2) instances for mining Monero. It has been active since at least December 2020, and between August 30 and October 6, 2023 the attackers mined Monero from over 470 unique Amazon EC2 instances.

Researchers explained that the threat actors start using exposed AWS IAM credentials within four minutes of their appearance on GitHub. This speed implies that they use automated tooling to clone repositories and harvest the exposed keys.

Furthermore, the attackers have been blocklisting AWS accounts that repeatedly publicise IAM credentials, presumably to avoid analysis by researchers. Evidence links these attackers to a previous cryptojacking campaign in January 2021, which targeted poorly secured Docker services and used the same custom mining software.


The EleKtra-Leak cryptojacking operators exploit GitHub flaws to make their campaigns more efficient.


The EleKtra-Leak cryptojacking campaign has remained effective because it continues to exploit weaknesses in GitHub's secret scanning feature and in AWS's AWSCompromisedKeyQuarantine policy. Both mechanisms are meant to detect exposed IAM credentials and prevent their misuse, for example to launch EC2 instances.

Unfortunately, the threat actors were still able to acquire the exposed keys through an unidentified method, even though GitHub and AWS apply the quarantine policy immediately.

The researchers also suspect that the attackers locate exposed AWS keys that AWS does not detect automatically, which lets them use those keys outside the reach of the AWSCompromisedKeyQuarantine policy.

In this attack chain, the stolen AWS credentials are used for account reconnaissance, for creating AWS security groups, and for launching multiple EC2 instances across various regions, all routed through a virtual private network (VPN). The operators run the cryptojacking workload on powerful c5a.24xlarge AWS instances to maximise mining efficiency.

The mining software used in these attacks is downloaded from a Google Drive URL, indicating that the malicious actors rely on the trust associated with widely used services to evade detection.

To mitigate such cryptojacking attacks, organisations should immediately revoke any exposed AWS IAM credentials and the API access they grant, remove the credentials from GitHub repositories, and closely monitor GitHub repository cloning events for suspicious activity.
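As an added example (not from the article or the underlying report), the following Python flags access keys in CloudTrail-style records that show the launch pattern described above: security-group creation followed by RunInstances calls for c5a.24xlarge or across several regions in a short window. The records, the key IDs and the 30-minute clustering window are constructed assumptions for illustration.

```python
"""Flag access keys whose EC2 launches match the EleKtra-Leak pattern."""
from collections import defaultdict
from datetime import datetime, timedelta

LARGE_TYPES = {"c5a.24xlarge"}   # instance size named in the report; extend as needed
WINDOW = timedelta(minutes=30)    # assumption: launches from one leaked key cluster tightly


def ct(time, key, name, region, itype=None):
    """Build a minimal CloudTrail-shaped record (constructed sample data, not a real log)."""
    rec = {"eventTime": time, "eventName": name, "awsRegion": region,
           "userIdentity": {"accessKeyId": key}, "requestParameters": {}}
    if itype:
        rec["requestParameters"]["instanceType"] = itype
    return rec


# Constructed sample: one leaked key does reconnaissance, creates security groups and
# launches c5a.24xlarge in three regions within minutes; another key does routine work.
SAMPLE_EVENTS = [
    ct("2023-09-01T10:00:05Z", "AKIAEXAMPLELEAKED", "GetCallerIdentity", "us-east-1"),
    ct("2023-09-01T10:00:40Z", "AKIAEXAMPLELEAKED", "CreateSecurityGroup", "us-east-1"),
    ct("2023-09-01T10:01:10Z", "AKIAEXAMPLELEAKED", "RunInstances", "us-east-1", "c5a.24xlarge"),
    ct("2023-09-01T10:02:30Z", "AKIAEXAMPLELEAKED", "CreateSecurityGroup", "eu-west-1"),
    ct("2023-09-01T10:03:00Z", "AKIAEXAMPLELEAKED", "RunInstances", "eu-west-1", "c5a.24xlarge"),
    ct("2023-09-01T10:05:15Z", "AKIAEXAMPLELEAKED", "RunInstances", "ap-south-1", "c5a.24xlarge"),
    ct("2023-09-01T11:30:00Z", "AKIAEXAMPLENORMAL", "RunInstances", "us-east-1", "t3.micro"),
]


def find_suspect_keys(events, min_regions=2):
    """Return {accessKeyId: finding} for keys whose RunInstances calls inside WINDOW
    either use a large instance type or span at least min_regions regions."""
    by_key = defaultdict(list)
    for e in sorted(events, key=lambda e: e["eventTime"]):
        by_key[e["userIdentity"]["accessKeyId"]].append(e)
    findings = {}
    for key, evs in by_key.items():
        sg_seen = any(e["eventName"] == "CreateSecurityGroup" for e in evs)
        launches = [(datetime.strptime(e["eventTime"], "%Y-%m-%dT%H:%M:%SZ"),
                     e["awsRegion"], e["requestParameters"].get("instanceType"))
                    for e in evs if e["eventName"] == "RunInstances"]
        if not launches:
            continue
        first = launches[0][0]                      # events are time-sorted already
        in_window = [l for l in launches if l[0] - first <= WINDOW]
        regions = {l[1] for l in in_window}
        large = {l[2] for l in in_window if l[2] in LARGE_TYPES}
        if len(regions) >= min_regions or large:
            findings[key] = {"regions": sorted(regions), "large_types": sorted(large),
                             "launches": len(in_window), "security_group_created": sg_seen}
    return findings
```

In production the same logic would run over CloudTrail exported to S3 or Athena, and a hit should trigger immediate key revocation rather than just an alert.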
