SECURITYWEEK NETWORK:

ICS:

Connect with us

Hi, what are you looking for?

SecurityWeekSecurityWeek

Cloud Security

IAM Credentials in Public GitHub Repositories Harvested in Minutes

A threat actor is reportedly harvesting IAM credentials from public GitHub repositories within five minutes of exposure.
Credential Harvesting in GitHub Repositories

A threat actor is harvesting identity and access management (IAM) credentials from public GitHub repositories within five minutes of exposure, cybersecurity firm Palo Alto Networks warns.

The activity, tracked as EleKtra-Leak, has been ongoing for at least two years, allowing the threat actor to set up multiple AWS Elastic Compute (EC2) instances and use them in cryptojacking campaigns that have been ongoing for at least two years.

As part of the EleKtra-Leak operation, the threat actor has been using automated tools to clone public GitHub repositories and harvest AWS IAM credentials from them, but blocklisting repositories routinely exposing such credentials, to avoid honey traps set up by security researchers.

According to Palo Alto Networks’ Unit 42 research team, the attackers appear to only harvest credentials exposed in plaintext. Furthermore, the exposed keys can be used only if GitHub does not identify them and does not notify AWS, which would automatically quarantine the associated user to prevent abuse.

“Even when GitHub and AWS are coordinated to implement a certain level of protection when AWS keys are leaked, not all cases are covered. We highly recommend that CI/CD security practices, like scanning repos on commit, should be implemented independently,” Palo Alto Networks underlines.

The EleKtra-Leak operation relies on the real-time scanning of GitHub repositories for exposed secrets, and on the creation of multiple EC2 instances per accessible AWS region, for cryptojacking.

Palo Alto Networks said the attackers are performing multiple operations within minutes but successfully keeping their identity obscured, likely by using automated tools behind a VPN. Between August 30 and October 6, the security firm identified 474 unique miners believed to be attacker-controlled EC2 instances.

“Because the actors mined Monero, a type of cryptocurrency that includes privacy controls, we cannot track the wallet to obtain exact figures of how much the threat actors gained,” Palo Alto Networks says.

Advertisement. Scroll to continue reading.

Related: AWS Using MadPot Decoy System to Disrupt APTs, Botnets

Related: Stolen GitHub Credentials Used to Push Fake Dependabot Commits

Related: GitHub Enterprise Server Gets New Security Capabilities

Written By

Ionut Arghire is an international correspondent for SecurityWeek.

More from

Latest News

Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing to stay informed on the latest threats, trends, and technology, along with insightful columns from industry experts.

Virtual Event: Cyber AI & Automation Summit
Wednesday, December 6, 2023

Join us as we delve into the transformative potential of AI, predictive ChatGPT-like tools and automation to detect and defend against cyberattacks.

Register

Virtual Event: Cyber Insurance & Liability Summit
Wednesday, January 17, 2024

As cybersecurity breaches and incidents escalate, the cyber insurance ecosystem is undergoing rapid and transformational change.

Register

Expert Insights

Related Content

Source Code Security Firm Cycode Launches With $4.6 Million in Funding

Application Security

Source Code Security Firm Cycode Launches With $4.6 Million in Funding

Cycode, a startup that provides solutions for protecting software source code, emerged from stealth mode on Tuesday with $4.6 million in seed funding.

September 24, 2019
Zero Trust and Identity and Access Management Zero Trust and Identity and Access Management

Identity & Access

Cyber Insights 2023 | Zero Trust and Identity and Access Management

Zero trust is not a replacement for identity and access management (IAM), but is the extension of IAM principles from people to everyone and...

February 6, 2023
Cloud CISOS Cloud CISOS

CISO Conversations

CISO Conversations: CISOs in Cloud-based Services Discuss the Process of Leadership

SecurityWeek talks to Billy Spears, CISO at Teradata (a multi-cloud analytics provider), and Lea Kissner, CISO at cloud security firm Lacework.

August 15, 2023
Exchange vulnerabilities disclosed by ZDI Exchange vulnerabilities disclosed by ZDI

Cloud Security

Microsoft Cloud Hack Exposed More Than Exchange, Outlook Emails

Cloud security researcher warns that stolen Microsoft signing key was more powerful and not limited to Outlook.com and Exchange Online.

July 21, 2023
Thoma Bravo Merges ForgeRock with Ping Identity

Funding/M&A

Thoma Bravo Merges ForgeRock with Ping Identity

The private equity firm merges the newly acquired ForgeRock with Ping Identity, combining two of the biggest names in enterprise IAM market.

August 23, 2023
DMARC Implemented on Half of U.S. Government Domains

Compliance

DMARC Implemented on Half of U.S. Government Domains

Government agencies in the United States have made progress in the implementation of the DMARC standard in response to a Department of Homeland Security...

January 3, 2018
ZTNA Zero Trust ZTNA Zero Trust

Identity & Access

Password Dependency: How to Break the Cycle

Hackers rarely hack in anymore. They log in using stolen, weak, default, or otherwise compromised credentials. That’s why it’s so critical to break the...

January 25, 2023
DMARC Adoption Low in Fortune 500, FTSE 100 Companies

Email Security

DMARC Adoption Low in Fortune 500, FTSE 100 Companies

Many Fortune 500, FTSE 100 and ASX 100 companies have failed to properly implement the DMARC standard, exposing their customers and partners to phishing...

August 23, 2017