Researchers at Palo Alto Networks' Unit 42 have discovered an active campaign, which they named EleKtra-Leak, that targets AWS IAM credentials exposed in public GitHub repositories [3] [4].

Description

EleKtra-Leak has been actively targeting exposed Amazon Web Services (AWS) Identity and Access Management (IAM) credentials in public GitHub repositories for at least two years [2]. The threat actor uses cloud automation to detect exposed credentials and put them to use within minutes of their appearing on GitHub. The stolen credentials are used for cryptojacking: the actor has created multiple Amazon Elastic Compute Cloud (EC2) instances in victim accounts and uses the hijacked compute to mine the Monero cryptocurrency [2]. The attacker has also been observed blocklisting AWS accounts that repeatedly expose credentials, which hinders further analysis of the operation [5]. There is evidence that the attacker may be linked to another cryptojacking campaign targeting poorly secured Docker services [1].

To protect against such attacks, organizations are advised to revoke the affected API credentials [1] [5], remove any exposed keys from GitHub [1] [5], and monitor repository cloning events for suspicious activity [5]. Speed matters: the threat actor can launch a mining operation within five minutes of an IAM credential being exposed on GitHub [1]. Deleting a key from the latest commit is not enough, since it remains in the repository history and may already have been cloned; an exposed key has to be treated as compromised and revoked, not merely removed.
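One practical way to act on the "remove exposed keys" advice before a key ever reaches GitHub is a pre-commit check that scans staged files for AWS credential shapes. The following Python script is an added example, not code from the original article or from Unit 42. The 20-character AKIA/ASIA access key ID format and the 40-character secret length are the real formats; the credentials in the embedded sample are AWS's documented placeholder values, and the file layout is a constructed sample.

```python
#!/usr/bin/env python3
"""Pre-commit check: refuse commits that contain AWS credential material."""
import re
import subprocess
import sys

# Access key IDs are 20 characters: a prefix (AKIA = long-lived IAM user key,
# ASIA = temporary STS key) followed by 16 upper-case base-32 characters.
ACCESS_KEY_ID_RE = re.compile(r"\b((?:AKIA|ASIA)[0-9A-Z]{16})\b")
# Secret access keys are 40 base64-like characters; to keep false positives low
# only match them when they follow an aws_secret_access_key-style label.
SECRET_KEY_RE = re.compile(
    r"(?i)aws[_-]?secret[_-]?access[_-]?key\s*[=:]\s*['\"]?"
    r"([A-Za-z0-9/+=]{40})(?![A-Za-z0-9/+=])"
)

# Constructed sample file using AWS's documented placeholder credentials.
SAMPLE_CREDENTIALS_FILE = """\
[default]
aws_access_key_id = AKIAIOSFODNN7EXAMPLE
aws_secret_access_key = wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY
region = us-east-1
"""


def find_aws_credentials(text):
    """Return (line_number, kind, value) for every credential-shaped token in text."""
    hits = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        for m in ACCESS_KEY_ID_RE.finditer(line):
            hits.append((lineno, "access_key_id", m.group(1)))
        for m in SECRET_KEY_RE.finditer(line):
            hits.append((lineno, "secret_access_key", m.group(1)))
    return hits


def redact(value):
    """Show enough of a hit to locate it without echoing the whole secret into logs."""
    return value[:4] + "..." + value[-4:]


def staged_files():
    """Paths of files added, copied or modified in the index (what the commit will contain)."""
    out = subprocess.run(
        ["git", "diff", "--cached", "--name-only", "--diff-filter=ACM"],
        capture_output=True, text=True, check=True,
    ).stdout
    return [p for p in out.splitlines() if p]


def scan_paths(paths):
    """Scan the given files; returns (path, line_number, kind, redacted_value) tuples."""
    findings = []
    for path in paths:
        try:
            with open(path, encoding="utf-8", errors="replace") as f:
                text = f.read()
        except OSError:
            continue  # unreadable on disk; nothing to scan
        for lineno, kind, value in find_aws_credentials(text):
            findings.append((path, lineno, kind, redact(value)))
    return findings


if __name__ == "__main__":
    findings = scan_paths(staged_files())
    for path, lineno, kind, shown in findings:
        print(f"{path}:{lineno}: possible AWS {kind} {shown}", file=sys.stderr)
    if findings:
        print("commit blocked: remove the credential and rotate it if it was ever real",
              file=sys.stderr)
    sys.exit(1 if findings else 0)
```

Install it as .git/hooks/pre-commit (or call it from an existing hook) and make it executable; it exits non-zero whenever a hit is found. The patterns are deliberately narrow (key-ID shape plus labelled secrets) to keep false positives low; dedicated scanners such as gitleaks or trufflehog cover far more secret types. Once a key has actually been pushed, finding it is only the first step: it must be deactivated or deleted in IAM, because the repository history and any clone already taken still contain it.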

To track EleKtra-Leak, the researchers created randomized AWS accounts and IAM users with deliberately over-permissive credentials and exposed them as honeytokens, so that the actor's tooling could be observed when it took the bait [2]. The same technique, planting canary credentials that nothing legitimate ever uses and alerting on any call made with them, gives defenders early warning that a leaked key is being abused. The report emphasizes that organizations must take responsibility for security in cloud services [2], including proper configuration, timely patching, diligent maintenance, and continuous security monitoring [2].
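The campaign's fingerprint in CloudTrail is a single access key launching EC2 instances in several regions within minutes, and the honeytoken approach the researchers used suggests a second signal: any API call made with a canary key. The following Python is an added detection example, not code from the article or from Unit 42. The CloudTrail-style records are constructed samples (the key IDs are AWS documentation placeholders or made up), and the thresholds (10-minute window, two regions, eight instances) are assumptions to tune per environment.

```python
import json
from collections import defaultdict
from datetime import datetime, timedelta

LEAKED_KEY_ID = "AKIAIOSFODNN7EXAMPLE"  # AWS documentation placeholder, stands in for a leaked key
CANARY_KEY_ID = "AKIAI44QH8DHBEXAMPLE"  # AWS documentation placeholder, stands in for a honeytoken key
BENIGN_KEY_ID = "AKIAEXAMPLEBENIGN001"  # made-up ID for a legitimate deploy key


def _ev(time, name, region, key_id, user, max_count=None, ip="203.0.113.7"):
    """Build a minimal CloudTrail-style record (constructed sample, not real telemetry)."""
    rec = {
        "eventTime": time,
        "eventSource": "ec2.amazonaws.com",
        "eventName": name,
        "awsRegion": region,
        "sourceIPAddress": ip,
        "userIdentity": {"type": "IAMUser", "userName": user, "accessKeyId": key_id},
        "requestParameters": {},
    }
    if max_count is not None:
        rec["requestParameters"]["instancesSet"] = {"items": [{"minCount": 1, "maxCount": max_count}]}
    return rec


# Constructed sample: a leaked key launching 4 instances in each of three regions
# within three minutes, one legitimate launch, and one probe made with the canary key.
SAMPLE_EVENTS = [
    _ev("2023-10-01T12:00:05Z", "RunInstances", "us-east-1", LEAKED_KEY_ID, "ci-deploy", 4),
    _ev("2023-10-01T12:01:10Z", "RunInstances", "us-west-2", LEAKED_KEY_ID, "ci-deploy", 4),
    _ev("2023-10-01T12:02:40Z", "RunInstances", "eu-west-1", LEAKED_KEY_ID, "ci-deploy", 4),
    _ev("2023-10-01T12:05:00Z", "RunInstances", "us-east-1", BENIGN_KEY_ID, "deploy-bot", 1, ip="198.51.100.9"),
    _ev("2023-10-01T12:07:00Z", "DescribeInstances", "us-east-1", CANARY_KEY_ID, "canary-user"),
]


def parse_time(s):
    return datetime.strptime(s, "%Y-%m-%dT%H:%M:%SZ")


def requested_instances(event):
    """Number of instances a RunInstances call asked for (sum of maxCount over the request)."""
    items = event.get("requestParameters", {}).get("instancesSet", {}).get("items", [])
    return sum(int(i.get("maxCount", 1)) for i in items)


def load_cloudtrail_file(path):
    """Read a CloudTrail log file, which wraps its events in a top-level Records list."""
    with open(path, encoding="utf-8") as f:
        return json.load(f)["Records"]


def detect_honeytoken_use(events, canary_key_ids):
    """Any call with a canary key is an alert: nothing legitimate should ever use it."""
    return [e for e in events if e["userIdentity"].get("accessKeyId") in canary_key_ids]


def detect_instance_bursts(events, window=timedelta(minutes=10), min_regions=2, min_instances=8):
    """Flag access keys that launch many EC2 instances across several regions within a
    short window, the pattern a cryptojacker leaves when it deploys miners at speed."""
    by_key = defaultdict(list)
    for e in events:
        if e["eventName"] == "RunInstances" and e["eventSource"] == "ec2.amazonaws.com":
            by_key[e["userIdentity"].get("accessKeyId")].append(e)
    alerts = []
    for key_id, evs in by_key.items():
        evs.sort(key=lambda e: parse_time(e["eventTime"]))
        best = None
        for i, first in enumerate(evs):  # try each event as the start of a window
            t0 = parse_time(first["eventTime"])
            win = [e for e in evs[i:] if parse_time(e["eventTime"]) - t0 <= window]
            regions = sorted({e["awsRegion"] for e in win})
            count = sum(requested_instances(e) for e in win)
            if len(regions) >= min_regions and count >= min_instances and (best is None or count > best["instances"]):
                best = {
                    "accessKeyId": key_id,
                    "userName": first["userIdentity"].get("userName"),
                    "regions": regions,
                    "instances": count,
                    "sourceIPs": sorted({e["sourceIPAddress"] for e in win}),
                    "start": first["eventTime"],
                    "end": win[-1]["eventTime"],
                }
        if best:
            alerts.append(best)
    return alerts


def run_detections(events, canary_key_ids):
    return {
        "honeytoken_use": detect_honeytoken_use(events, canary_key_ids),
        "instance_bursts": detect_instance_bursts(events),
    }


if __name__ == "__main__":
    print(json.dumps(run_detections(SAMPLE_EVENTS, {CANARY_KEY_ID}), indent=2))
```

Point load_cloudtrail_file at a downloaded CloudTrail log (or feed the same records from a SIEM) and call run_detections; the honeytoken rule needs only the set of canary key IDs that were planted. The burst rule is per access key rather than per account so that a busy autoscaling key elsewhere cannot mask a leaked one; in practice it is worth also alerting on RunInstances from a key that has never launched instances before, or from a source IP outside the organization's CI/CD ranges.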

Conclusion

EleKtra-Leak poses a significant threat to any organization that exposes IAM credentials in public GitHub repositories: the operation is automated and abuses new credentials within minutes for cryptojacking. To mitigate the risk, organizations must immediately revoke compromised keys and remove them from GitHub [1] [5], and monitor repository cloning events. Canary credentials, like the randomized accounts the researchers used to track the campaign [2], can give early warning that a leaked key is being abused. More broadly, organizations should prioritize cloud security through proper configuration, timely patching, diligent maintenance, and continuous security monitoring [2].

References

[1] https://www.redpacketsecurity.com/elektra-leak-cryptojacking-attacks-exploit-aws-iam-credentials-exposed-on-github/
[2] https://siliconangle.com/2023/10/30/aws-iam-credentials-risk-elektra-leak-operation-revealed-unit-42/
[3] https://unit42.paloaltonetworks.com/malicious-operations-of-exposed-iam-keys-cryptojacking
[4] https://www.cybersecurity-review.com/news-october-2023/cloudkeys-in-the-air-tracking-malicious-operations-of-exposed-iam-keys/
[5] https://thehackernews.com/2023/10/elektra-leak-cryptojacking-attacks.html