IAM Credentials in Public GitHub Repositories Harvested in Minutes

October 31, 2023 at 11:51AM

Cybersecurity firm Palo Alto Networks warns that a threat actor, tracked as EleKtra-Leak, has been harvesting identity and access management (IAM) credentials from public GitHub repositories within five minutes of their exposure. The threat actor has used the stolen credentials in cryptojacking campaigns that have been running for at least two years. Automated tools clone repositories and harvest the credentials, and repositories that expose such credentials are placed on a blocklist to avoid detection. The attackers appear to harvest only plaintext credentials that GitHub has not identified and reported to AWS. Palo Alto Networks recommends that organizations implement CI/CD security practices independently to prevent abuse.

According to meeting notes from Palo Alto Networks, there is an ongoing threat known as EleKtra-Leak, in which a threat actor harvests identity and access management (IAM) credentials from public GitHub repositories. This activity has been going on for at least two years and has allowed the threat actor to set up multiple AWS Elastic Compute Cloud (EC2) instances and use them in cryptojacking campaigns. The threat actor uses automated tools to clone public GitHub repositories and extract AWS IAM credentials from them, and avoids repositories that expose such credentials to security researchers. The attackers harvest only credentials that are exposed in plaintext, and they can use these keys only if GitHub does not identify them and notify AWS. Palo Alto Networks recommends implementing CI/CD security practices independently.

The EleKtra-Leak operation involves scanning GitHub repositories for exposed secrets and creating multiple EC2 instances in every accessible AWS region for cryptojacking. The real-time scanning and the creation of EC2 instances take place within minutes, with the threat actor's identity obscured by automated tools and a VPN. From August 30 to October 6, Palo Alto Networks identified 474 unique miners believed to be attacker-controlled EC2 instances. The threat actors mine Monero, a cryptocurrency with privacy controls, which makes it difficult to track the exact amount gained.
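Because the report says exposed keys are picked up within minutes of a push, the practical defence is to catch plaintext AWS credentials before a commit ever reaches a public repository. The following pre-commit style scanner is an added example written for this page; it is not code from Palo Alto Networks or from the article. The regular expressions (AWS access key IDs as 20-character strings starting with AKIA or ASIA, secret keys as 40 base64-style characters following an `aws_secret_access_key` label) are assumptions chosen for illustration, and the sample credentials are AWS's documented non-functional example values.

```python
import re
import subprocess
import sys
from pathlib import Path

# Assumed patterns for illustration: long-term key IDs start with AKIA, temporary
# (STS) key IDs with ASIA, both 20 characters long; secret keys are 40 characters
# drawn from the base64 alphabet and usually sit next to a recognisable label.
ACCESS_KEY_RE = re.compile(r"\b((?:AKIA|ASIA)[0-9A-Z]{16})\b")
SECRET_KEY_RE = re.compile(
    r"(?i)aws[_-]?secret[_-]?access[_-]?key\s*[=:]\s*[\"']?"
    r"([A-Za-z0-9/+=]{40})(?![A-Za-z0-9/+=])"
)
# Unified diff hunk header: capture the starting line number on the "new" side.
HUNK_RE = re.compile(r"^@@ -\d+(?:,\d+)? \+(\d+)(?:,\d+)? @@")


def redact(value):
    """Keep only the first and last four characters so a finding is never a leak itself."""
    return value[:4] + "..." + value[-4:]


def scan_text(text, source="<stdin>"):
    """Return (source, line_no, kind, redacted_value) for every credential-looking token."""
    findings = []
    for line_no, line in enumerate(text.splitlines(), start=1):
        for m in ACCESS_KEY_RE.finditer(line):
            findings.append((source, line_no, "aws_access_key_id", redact(m.group(1))))
        for m in SECRET_KEY_RE.finditer(line):
            findings.append((source, line_no, "aws_secret_access_key", redact(m.group(1))))
    return findings


def scan_diff(diff_text):
    """Scan only the added lines of a unified diff (what `git diff --cached -U0` prints).

    Line numbers are recovered from the hunk headers so findings point at the
    location in the file as it will be committed.
    """
    findings = []
    current_file, new_line = "<unknown>", 0
    for line in diff_text.splitlines():
        if line.startswith("+++ "):
            current_file = line[4:]
            if current_file.startswith("b/"):
                current_file = current_file[2:]
            continue
        m = HUNK_RE.match(line)
        if m:
            new_line = int(m.group(1))
            continue
        if line.startswith("+"):
            for _, _, kind, value in scan_text(line[1:]):
                findings.append((current_file, new_line, kind, value))
            new_line += 1
        elif line.startswith(" "):  # context line: advances the new-side counter only
            new_line += 1
    return findings


# Constructed sample input: an AWS credentials file using AWS's documented
# example key pair (these values are placeholders and do not authenticate).
SAMPLE_CONFIG = """\
[default]
region = us-east-1
aws_access_key_id = AKIAIOSFODNN7EXAMPLE
aws_secret_access_key = wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY
# a commented-out temporary key still counts as exposure
# ASIAIOSFODNN7EXAMPLE
"""

# Constructed sample input: a staged diff that adds the same pair to an env file.
SAMPLE_DIFF = """\
diff --git a/config/prod.env b/config/prod.env
--- a/config/prod.env
+++ b/config/prod.env
@@ -0,0 +1,2 @@
+AWS_ACCESS_KEY_ID=AKIAIOSFODNN7EXAMPLE
+AWS_SECRET_ACCESS_KEY=wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY
"""


def main(argv):
    """`scanner.py --staged` checks the index (use as a pre-commit hook); otherwise scan files."""
    if argv[1:] == ["--staged"]:
        diff = subprocess.run(["git", "diff", "--cached", "-U0"],
                              capture_output=True, text=True, check=True).stdout
        findings = scan_diff(diff)
    elif argv[1:]:
        findings = []
        for path in argv[1:]:
            findings.extend(scan_text(Path(path).read_text(errors="replace"), source=path))
    else:
        findings = scan_text(SAMPLE_CONFIG, "sample-credentials") + scan_diff(SAMPLE_DIFF)
    for src, ln, kind, val in findings:
        print(f"{src}:{ln}: possible {kind} ({val})")
    return 1 if findings else 0  # non-zero exit blocks the commit when used as a hook


if __name__ == "__main__":
    sys.exit(main(sys.argv))
```

Wired in as a `pre-commit` hook with `--staged`, the script fails the commit whenever an added line matches, which is the point at which a key can still be rotated before anyone outside the team has seen it. Findings are printed redacted so the hook's own output (and any CI log that captures it) does not become a second copy of the secret.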
