October 30, 2023 at 02:36PM
Security researchers have discovered a long-running cryptojacking campaign called “EleKtra-Leak” that clones GitHub repositories and steals exposed AWS credentials. The criminals behind the campaign are able to steal AWS credentials within minutes of them being exposed. They launch multiple Amazon EC2 instances to mine Monero. The researchers identified 474 miners operated by potentially controlled EC2 instances. The threat actors can find exposed AWS keys that may not be automatically detected by AWS. The researchers recommend implementing CI/CD security practices to enhance protection. The campaign exhibits continuous fluctuation in the number of compromised victim accounts and may not solely focus on exposed GitHub credentials or EC2 instances. The attackers utilize large-format EC2 instances and host the malicious mining payload on Google Drive for anonymity. Mitigation measures include configuring secret scanning and immediate revocation of exposed AWS credentials.
Meeting Takeaways:
1. Security researchers have discovered a cryptojacking campaign named “EleKtra-Leak” that clones GitHub repositories and steals exposed AWS credentials.
2. The criminals behind the campaign are able to steal AWS credentials within five minutes of their exposure on GitHub repositories.
3. The stolen credentials are quickly used to launch multiple Amazon EC2 instances in various regions to mine Monero.
4. GitHub’s secret scanning feature notifies AWS of exposed credentials, and AWS issues a policy to prevent misuse. However, not all exposed AWS keys are automatically detected.
5. It is recommended to implement CI/CD security practices, such as scanning repositories on commit, independently to enhance protection against such attacks.
6. The researchers suggest that the attackers may be acquiring credentials from GitHub through other means or finding them exposed on a different platform.
7. Once the credentials are acquired, the attackers perform reconnaissance operations and launch EC2 instances across multiple regions, hiding their identity during automated attacks.
8. The attackers use large-format EC2 instances, mainly of type c5a.24xlarge, to leverage greater processing resources for faster results in the cryptojacking campaign.
9. The malicious mining payload is hosted on Google Drive, which attackers use for its anonymity and protection.
10. Attributing the attack is challenging due to the attackers’ use of Monero cryptocurrency, built-in privacy protections, and encryption of the miner payload.
11. The researchers suspect a connection between the EleKtra-Leak campaign and a previous cryptojacking campaign documented by Intezer in 2021.
12. To mitigate the risk of exposing AWS credentials on GitHub, configuring secret scanning and revoking API connections using exposed credentials are crucial steps.