EleKtra-Leak Cryptojacking Attacks Exploit AWS IAM Credentials Exposed on GitHub

October 30, 2023 at 07:24AM

The EleKtra-Leak campaign is targeting exposed Amazon Web Services (AWS) identity and access management (IAM) credentials in public GitHub repositories for cryptojacking. The campaign has been active since December 2020 and has employed automated targeting of IAM credentials within four minutes of their exposure. The attacker has also been linked to a previous cryptojacking campaign targeting poorly secured Docker services. Mitigation measures include immediately revoking API connections, removing exposed credentials from GitHub, and monitoring repository cloning events.

Key takeaways (Oct 30, 2023):

1. A new cryptojacking campaign called EleKtra-Leak targets exposed Amazon Web Services (AWS) identity and access management credentials in public GitHub repositories.
2. The threat actor behind the campaign mines Monero on AWS Elastic Compute Cloud (EC2) instances.
3. The attack involves automated targeting of AWS IAM credentials within four minutes of exposure on GitHub.
4. The attacker has been observed blocklisting AWS accounts that publicize IAM credentials.
5. There is potential linkage with another cryptojacking campaign targeting poorly secured Docker services.
6. GitHub’s secret scanning feature and AWS’s AWSCompromisedKeyQuarantine policy are leveraged to prevent the misuse of compromised IAM credentials.
7. Stolen AWS credentials are used for reconnaissance and launching EC2 instances for cryptomining operations.
8. The attackers launch c5a.24xlarge EC2 instances for higher processing power.
9. The mining software is retrieved from a Google Drive URL.
10. The identified Amazon Machine Images used by the threat actor were private and not listed in the AWS Marketplace.
11. Organizations should revoke API connections, remove exposed keys from GitHub repositories, and monitor repository cloning events for suspicious activity to mitigate such attacks.
12. Despite successful AWS quarantine policies, the campaign continues to compromise victim accounts with fluctuating numbers and frequency.
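Point 11 recommends monitoring for suspicious activity, and points 7 and 8 describe what that activity looks like: reconnaissance calls followed by RunInstances requests for c5a.24xlarge. The following script is an added example written for this summary, not code from the Unit 42 report or the article; it runs detection logic over a handful of constructed CloudTrail-style events. The watched instance-type set beyond c5a.24xlarge, the list of reconnaissance event names, and the exact layout of the RunInstances requestParameters are assumptions to be tuned against your own CloudTrail baseline, and the access key IDs are AWS’s documented example key and a made-up placeholder.

```python
import json
from dataclasses import dataclass

# c5a.24xlarge is the type the report ties to the campaign; the other entries are
# assumed sibling sizes an organisation may want to treat as unusual. Tune to taste.
WATCHED_INSTANCE_TYPES = {"c5a.24xlarge", "c5.24xlarge", "c6a.48xlarge"}

# Read-only API calls commonly seen as reconnaissance before a launch (assumed set).
RECON_EVENTS = {"GetCallerIdentity", "DescribeRegions", "DescribeInstances", "DescribeImages"}


@dataclass
class Finding:
    access_key_id: str
    event_time: str
    instance_type: str
    max_count: int
    reason: str


def _requested_count(request_params):
    """Sum maxCount over instancesSet items (CloudTrail's RunInstances shape, assumed)."""
    items = request_params.get("instancesSet", {}).get("items", [])
    return sum(int(item.get("maxCount", 1)) for item in items) or 1


def analyze_events(events):
    """Return a Finding for each RunInstances call that requests a watched
    instance type, noting whether the same access key did reconnaissance first."""
    recon_by_key = {}
    findings = []
    for ev in events:
        key = ev.get("userIdentity", {}).get("accessKeyId", "unknown")
        name = ev.get("eventName", "")
        if name in RECON_EVENTS:
            recon_by_key.setdefault(key, []).append(name)
            continue
        if name != "RunInstances":
            continue
        params = ev.get("requestParameters", {})
        itype = params.get("instanceType", "")
        if itype not in WATCHED_INSTANCE_TYPES:
            continue
        recon = recon_by_key.get(key, [])
        reason = (f"recon ({', '.join(sorted(set(recon)))}) followed by launch of watched type"
                  if recon else "launch of watched instance type")
        findings.append(Finding(key, ev.get("eventTime", ""), itype,
                                _requested_count(params), reason))
    return findings


# Constructed sample CloudTrail-style events (not real log data). The first key is
# AWS's documented example key; the second is a made-up placeholder.
SAMPLE_EVENTS_JSON = """
[
 {"eventTime": "2023-10-01T10:00:00Z", "eventName": "GetCallerIdentity",
  "userIdentity": {"accessKeyId": "AKIAIOSFODNN7EXAMPLE"}},
 {"eventTime": "2023-10-01T10:00:12Z", "eventName": "DescribeRegions",
  "userIdentity": {"accessKeyId": "AKIAIOSFODNN7EXAMPLE"}},
 {"eventTime": "2023-10-01T10:03:40Z", "eventName": "RunInstances",
  "userIdentity": {"accessKeyId": "AKIAIOSFODNN7EXAMPLE"},
  "requestParameters": {"instanceType": "c5a.24xlarge",
                        "instancesSet": {"items": [{"minCount": 8, "maxCount": 8}]}}},
 {"eventTime": "2023-10-01T11:00:00Z", "eventName": "RunInstances",
  "userIdentity": {"accessKeyId": "AKIACONSTRUCTEDKEY01"},
  "requestParameters": {"instanceType": "t3.micro",
                        "instancesSet": {"items": [{"minCount": 1, "maxCount": 1}]}}}
]
"""


def load_sample_events():
    """Parse the constructed sample above; swap in real CloudTrail records to use it."""
    return json.loads(SAMPLE_EVENTS_JSON)


if __name__ == "__main__":
    for f in analyze_events(load_sample_events()):
        print(f"{f.event_time} key={f.access_key_id} type={f.instance_type} "
              f"count={f.max_count}: {f.reason}")
```

Only the c5a.24xlarge launch is reported, and because the same access key issued GetCallerIdentity and DescribeRegions minutes earlier, the finding carries that context, which is the pattern a responder wants to see when deciding whether to revoke the key and terminate the instances.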
