SECURITYWEEK NETWORK:

ICS:

Connect with us

Hi, what are you looking for?

SecurityWeekSecurityWeek

Cloud Security

IAM Credentials in Public GitHub Repositories Harvested in Minutes

A threat actor is reportedly harvesting IAM credentials from public GitHub repositories within five minutes of exposure.
AI vulnerabilities

A threat actor is harvesting identity and access management (IAM) credentials from public GitHub repositories within five minutes of exposure, cybersecurity firm Palo Alto Networks warns.

The activity, tracked as EleKtra-Leak, has been ongoing for at least two years, allowing the threat actor to set up multiple AWS Elastic Compute (EC2) instances and use them in cryptojacking campaigns that have been ongoing for at least two years.

As part of the EleKtra-Leak operation, the threat actor has been using automated tools to clone public GitHub repositories and harvest AWS IAM credentials from them, but blocklisting repositories routinely exposing such credentials, to avoid honey traps set up by security researchers.

According to Palo Alto Networks’ Unit 42 research team, the attackers appear to only harvest credentials exposed in plaintext. Furthermore, the exposed keys can be used only if GitHub does not identify them and does not notify AWS, which would automatically quarantine the associated user to prevent abuse.

“Even when GitHub and AWS are coordinated to implement a certain level of protection when AWS keys are leaked, not all cases are covered. We highly recommend that CI/CD security practices, like scanning repos on commit, should be implemented independently,” Palo Alto Networks underlines.

The EleKtra-Leak operation relies on the real-time scanning of GitHub repositories for exposed secrets, and on the creation of multiple EC2 instances per accessible AWS region, for cryptojacking.

Palo Alto Networks said the attackers are performing multiple operations within minutes but successfully keeping their identity obscured, likely by using automated tools behind a VPN. Between August 30 and October 6, the security firm identified 474 unique miners believed to be attacker-controlled EC2 instances.

“Because the actors mined Monero, a type of cryptocurrency that includes privacy controls, we cannot track the wallet to obtain exact figures of how much the threat actors gained,” Palo Alto Networks says.

Advertisement. Scroll to continue reading.

Related: AWS Using MadPot Decoy System to Disrupt APTs, Botnets

Related: Stolen GitHub Credentials Used to Push Fake Dependabot Commits

Related: GitHub Enterprise Server Gets New Security Capabilities

Written By

Ionut Arghire is an international correspondent for SecurityWeek.

More from

Latest News

Trending

Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing to stay informed on the latest threats, trends, and technology, along with insightful columns from industry experts.

CIEM Chat: How to Reduce Cloud Identity Risk
March 26, 2024

Join the session as we discuss the challenges and best practices for cybersecurity leaders managing cloud identities.

Register

Virtual Event: Ransomware Resilience & Recovery Summit
April 17, 2024

SecurityWeek’s Ransomware Resilience and Recovery Summit helps businesses to plan, prepare, and recover from a ransomware incident.

Register

People on the Move

Mike Dube has joined cloud security company Aqua Security as CRO.

Cody Barrow has been appointed as CEO of threat intelligence company EclecticIQ.

Shay Mowlem has been named CMO of runtime and application security company Contrast Security.

More People On The Move

Expert Insights

Related Content

Source Code Security Firm Cycode Launches With $4.6 Million in Funding

Application Security

Source Code Security Firm Cycode Launches With $4.6 Million in Funding

Cycode, a startup that provides solutions for protecting software source code, emerged from stealth mode on Tuesday with $4.6 million in seed funding.

September 24, 2019
Zero Trust and Identity and Access Management Zero Trust and Identity and Access Management

Identity & Access

Cyber Insights 2023 | Zero Trust and Identity and Access Management

Zero trust is not a replacement for identity and access management (IAM), but is the extension of IAM principles from people to everyone and...

February 6, 2023
Cloud Security Cloud Security

CISO Conversations

CISO Conversations: CISOs in Cloud-based Services Discuss the Process of Leadership

SecurityWeek talks to Billy Spears, CISO at Teradata (a multi-cloud analytics provider), and Lea Kissner, CISO at cloud security firm Lacework.

August 15, 2023
Microsoft AI Microsoft AI

Cloud Security

Microsoft Cloud Hack Exposed More Than Exchange, Outlook Emails

Cloud security researcher warns that stolen Microsoft signing key was more powerful and not limited to Outlook.com and Exchange Online.

July 21, 2023
Okta hack Okta hack

CISO Strategy

Okta Hack Blamed on Employee Using Personal Google Account on Company Laptop

Okta is blaming the recent hack of its support system on an employee who logged into a personal Google account on a company-managed laptop.

November 3, 2023
DMARC Implemented on Half of U.S. Government Domains

Compliance

DMARC Implemented on Half of U.S. Government Domains

Government agencies in the United States have made progress in the implementation of the DMARC standard in response to a Department of Homeland Security...

January 3, 2018
DMARC Adoption Low in Fortune 500, FTSE 100 Companies

Email Security

DMARC Adoption Low in Fortune 500, FTSE 100 Companies

Many Fortune 500, FTSE 100 and ASX 100 companies have failed to properly implement the DMARC standard, exposing their customers and partners to phishing...

August 23, 2017
Thoma Bravo Merges ForgeRock with Ping Identity

Funding/M&A

Thoma Bravo Merges ForgeRock with Ping Identity

The private equity firm merges the newly acquired ForgeRock with Ping Identity, combining two of the biggest names in enterprise IAM market.

August 23, 2023