A threat actor is harvesting identity and access management (IAM) credentials from public GitHub repositories within five minutes of exposure, cybersecurity firm Palo Alto Networks warns.
The activity, tracked as EleKtra-Leak, has been ongoing for at least two years, allowing the threat actor to set up multiple AWS Elastic Compute (EC2) instances and use them in cryptojacking campaigns that have been ongoing for at least two years.
As part of the EleKtra-Leak operation, the threat actor has been using automated tools to clone public GitHub repositories and harvest AWS IAM credentials from them, but blocklisting repositories routinely exposing such credentials, to avoid honey traps set up by security researchers.
According to Palo Alto Networks’ Unit 42 research team, the attackers appear to only harvest credentials exposed in plaintext. Furthermore, the exposed keys can be used only if GitHub does not identify them and does not notify AWS, which would automatically quarantine the associated user to prevent abuse.
“Even when GitHub and AWS are coordinated to implement a certain level of protection when AWS keys are leaked, not all cases are covered. We highly recommend that CI/CD security practices, like scanning repos on commit, should be implemented independently,” Palo Alto Networks underlines.
The EleKtra-Leak operation relies on the real-time scanning of GitHub repositories for exposed secrets, and on the creation of multiple EC2 instances per accessible AWS region, for cryptojacking.
Palo Alto Networks said the attackers are performing multiple operations within minutes but successfully keeping their identity obscured, likely by using automated tools behind a VPN. Between August 30 and October 6, the security firm identified 474 unique miners believed to be attacker-controlled EC2 instances.
“Because the actors mined Monero, a type of cryptocurrency that includes privacy controls, we cannot track the wallet to obtain exact figures of how much the threat actors gained,” Palo Alto Networks says.