Researchers have identified an ongoing cryptojacking campaign, EleKtra-Leak, that targets exposed Identity and Access Management (IAM) credentials on GitHub repositories. The campaign has been active since December 2020, with as many as 474 unique Amazon EC2 instances found being used to mine Monero cryptocurrency between August 30 and October 6.

Moreover, threat actors use these exposed IAM credentials within five minutes of their discovery on GitHub. Here’s how threat actors are pulling off the act.

Automated tools used for scanning

• According to Unit 42 Palo Alto Networks, threat actors use automated tools to continually clone public GitHub repositories and scan for exposed Amazon Web Services (AWS) IAM credentials. 
• Attackers exploit GitHub’s secret scanning feature and AWSCompromisedKeyQuarantine policy to find exposed AWS credentials.
• The attackers would blacklist AWS accounts that frequently exposed IAM credentials, which is believed to evade scrutiny by security researchers. 

Operation details

• Upon gaining access to AWS credentials, attackers perform an account reconnaissance operation, which is followed by the creation of AWS security groups. 
• The attacks are conducted on c5a.24xlarge AWS instances, which allows operators to mine more cryptocurrency in a shorter period. 
• The attackers make use of VPN to stay under the radar while launching multiple Amazon EC2 instances across various regions. 
• The payloads are delivered via a Google Drive URL, another widely used application, to evade detection.

Conclusion

As the operation remains active, with attackers continuously scanning exposed AWS IAM credentials, organizations are urged to immediately revoke any API keys using the credentials. Additionally, it is recommended to audit the GitHub repository cloning events for any suspicious operations and secure the exposed keys.