October 31, 2023 at 10:57AM
Attackers are actively targeting exposed Amazon Web Services (AWS) IAM credentials in public GitHub repositories to create instances for cryptocurrency mining. Palo Alto Networks observed the attacker creating 474 compute-optimized EC2 instances between August 30 and October 6. The attackers are able to launch attacks within minutes of credentials being exposed, despite AWS quarantine policies. Organizations are urged to revoke API connections tied to exposed credentials and generate new ones.
Meeting Notes:
– Attackers are actively harvesting exposed AWS IAM credentials from public GitHub repositories for cryptocurrency mining.
– The campaign, named “Elektra-Leak,” has created at least 474 compute-optimized EC2 instances for mining between Aug. 30 and Oct. 6.
– The threat actor can launch an attack within five minutes of an IAM credential being exposed on GitHub.
– Despite Amazon’s quarantine policies, the number and frequency of compromised victim accounts continue to fluctuate.
– The attacker clones public GitHub repositories and scans them for exposed AWS keys using automated tools.
– The adversary scans public GitHub repositories in real time from behind a VPN and conducts reconnaissance on the associated AWS account.
– The threat actor uses an AWS API to create multiple EC2 instances per region and downloads a payload for Monero cryptomining.
– The use of Monero’s privacy protections makes it difficult to track the amount of cryptocurrency mined.
– The threat actor can still access exposed keys despite AWS quarantining them, suggesting they can find keys that AWS misses.
– The campaign underscores a failure by organizations to implement basic security practices.
– Organizations are advised to revoke API connections, remove exposed credentials, and generate new ones. Short-lived credentials are recommended for dynamic functionality in production environments.
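As an added defensive example (not from the article or from Palo Alto Networks), a small pre-commit-style scanner that flags AWS access key IDs and secret access keys in staged text before a commit can reach a public repository; the `.env` sample and its key values are constructed using AWS's documented placeholder credentials, and the regex patterns are an assumption about typical key formats, not an AWS specification.

```python
"""Scan text (e.g. a staged diff or .env file) for AWS IAM credentials.

Findings are redacted so that a CI log or hook output never re-leaks the
secret it just caught. Added example, not code from the article.
"""
import re
from typing import Dict, List

# Access key IDs are 20 uppercase alphanumerics. AKIA = long-term IAM user key,
# ASIA = temporary STS key (the short-lived form the notes recommend).
ACCESS_KEY_RE = re.compile(r"\b((?:AKIA|ASIA)[0-9A-Z]{16})\b")

# Secret access keys are 40 characters of a base64-like alphabet. Requiring a
# "secret"-style variable name in front cuts false positives on random blobs.
SECRET_KEY_RE = re.compile(
    r"(?i)(?:aws_?secret_?access_?key|secret)[\"' :=]+"
    r"([A-Za-z0-9/+]{40})(?![A-Za-z0-9/+])"
)


def redact(value: str) -> str:
    """Keep a 4-char prefix and suffix so the finding is actionable but unusable."""
    return value[:4] + "*" * (len(value) - 8) + value[-4:]


def scan_text(text: str, path: str = "<stdin>") -> List[Dict[str, object]]:
    """Return one finding per credential-looking token with its line number."""
    findings: List[Dict[str, object]] = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        for m in ACCESS_KEY_RE.finditer(line):
            key_id = m.group(1)
            kind = "long-term (AKIA)" if key_id.startswith("AKIA") else "temporary (ASIA)"
            findings.append({"path": path, "line": lineno,
                             "type": f"access_key_id {kind}", "value": redact(key_id)})
        for m in SECRET_KEY_RE.finditer(line):
            findings.append({"path": path, "line": lineno,
                             "type": "secret_access_key", "value": redact(m.group(1))})
    return findings


# Constructed sample: a .env file committed by mistake, using the placeholder
# credentials from AWS documentation (not real keys).
SAMPLE = """# app settings
AWS_ACCESS_KEY_ID=AKIAIOSFODNN7EXAMPLE
AWS_SECRET_ACCESS_KEY=wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY
AWS_REGION=us-east-1
"""

if __name__ == "__main__":
    for f in scan_text(SAMPLE, ".env"):
        print(f"{f['path']}:{f['line']}: {f['type']} {f['value']}")
```

Wired into a pre-commit hook and exiting non-zero on any finding, this blocks the commit locally, which is the only point in the timeline that beats an attacker who acts within minutes of the push.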
Please let me know if you need any further information or clarification.