UPDATED 06:00 EST / OCTOBER 30 2023


AWS IAM credentials at risk: EleKtra-Leak operation revealed by Unit 42

A new report from Palo Alto Networks Inc.’s Unit 42 warns of a new active campaign targeting exposed Amazon Web Services Inc. identity and access management credentials within public GitHub repositories.

Dubbed “EleKtra-Leak,” the campaign is described as both sophisticated and concerning, the latter because of the widespread use of AWS services across the globe. EleKtra-Leak relies on automated tooling that continuously clones public GitHub repositories and scans them for exposed AWS IAM credentials. Once credentials are found, they are used to launch multiple Amazon Elastic Compute Cloud (EC2) instances.
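The scanning step the report describes cuts both ways: the same pattern match that the attackers' tooling applies to cloned repositories can run on the developer's side as a pre-commit check, so a key never reaches a public repository in the first place. The following is an added example, not code from the Unit 42 report or from any AWS or GitHub tool. It assumes the documented shape of AWS keys (a 20-character ID beginning with AKIA or ASIA, a 40-character base64-alphabet secret), and its sample inputs are constructed, using the placeholder credentials from AWS's own documentation rather than any real key.

```python
import re
import sys
from dataclasses import dataclass

# Long-term IAM user keys begin with "AKIA" and temporary STS keys with "ASIA";
# both are 20 characters of uppercase letters and digits.
ACCESS_KEY_RE = re.compile(r"\b((?:AKIA|ASIA)[A-Z0-9]{16})\b")
# A secret access key is 40 characters drawn from the base64 alphabet.
SECRET_TOKEN_RE = re.compile(r"(?<![A-Za-z0-9/+=])([A-Za-z0-9/+=]{40})(?![A-Za-z0-9/+=])")
# The most common 40-character look-alike is a SHA-1 / git object id.
HEX40_RE = re.compile(r"[0-9a-fA-F]{40}")


@dataclass(frozen=True)
class Finding:
    path: str
    line: int
    access_key_id: str   # redact() before printing or logging it
    secret_nearby: bool  # a plausible secret key sits within `window` lines


def looks_like_secret(token: str) -> bool:
    """Heuristic: not a hex digest, and mixed case like real AWS secrets."""
    if HEX40_RE.fullmatch(token):
        return False
    return any(c.islower() for c in token) and any(c.isupper() for c in token)


def redact(key_id: str) -> str:
    """Keep enough of the ID to identify the key in IAM, hide the rest."""
    return key_id[:4] + "*" * (len(key_id) - 8) + key_id[-4:]


def scan_text(path: str, text: str, window: int = 5) -> list:
    """Return one Finding per access key ID found in `text`."""
    lines = text.splitlines()
    findings = []
    for lineno, line in enumerate(lines, start=1):
        for match in ACCESS_KEY_RE.finditer(line):
            # A key ID next to a secret is a complete, usable credential pair,
            # so look a few lines either side for the secret half.
            lo = max(0, lineno - 1 - window)
            hi = min(len(lines), lineno + window)
            secret_nearby = any(
                looks_like_secret(tok)
                for region_line in lines[lo:hi]
                for tok in SECRET_TOKEN_RE.findall(region_line)
            )
            findings.append(Finding(path, lineno, match.group(1), secret_nearby))
    return findings


def scan_files(paths) -> list:
    findings = []
    for p in paths:
        with open(p, encoding="utf-8", errors="replace") as fh:
            findings.extend(scan_text(p, fh.read()))
    return findings


# Constructed sample: a config file a developer might accidentally commit.
# The credentials are the placeholder values from AWS's own documentation.
SAMPLE_LEAKED = """\
[default]
aws_access_key_id = AKIAIOSFODNN7EXAMPLE
aws_secret_access_key = wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY
region = us-east-1
"""

# Constructed sample: a 40-character git object id, but no AWS key at all.
SAMPLE_CLEAN = "Build pinned to commit 3f5c2a9b8e7d6c5b4a3f2e1d0c9b8a7f6e5d4c3b.\n"

# Constructed sample: a key ID on its own, with no secret anywhere near it.
SAMPLE_ID_ONLY = "log: request signed by AKIAIOSFODNN7EXAMPLE at 10:02\n"


if __name__ == "__main__":
    # Usage as a pre-commit hook: pass the staged file names on the command line.
    hits = scan_files(sys.argv[1:]) if len(sys.argv) > 1 else scan_text("sample.ini", SAMPLE_LEAKED)
    for f in hits:
        status = "secret key nearby" if f.secret_nearby else "id only"
        print(f"{f.path}:{f.line}: AWS access key {redact(f.access_key_id)} ({status})")
    sys.exit(1 if hits else 0)
```

A non-zero exit blocks the commit; the redacted ID still lets the owner find and rotate the key in IAM. The mixed-case heuristic drops the SHA-1 false positive but not every other 40-character token, so a hit with `secret_nearby` set deserves rotation rather than a dismissal on sight.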

Once attackers have established new EC2 instances, they use them for extensive cryptojacking operations, where computing power is hijacked to mine cryptocurrencies. Those behind the attacks chose Monero for their operations, a cryptocurrency renowned for its privacy features and a long-favored choice among the cybercriminal community. While monitoring the cryptojacking pool used in the EleKtra-Leak operation from Aug. 30 to Oct. 6, the Unit 42 researchers found 474 unique miners that were potentially actor-controlled Amazon EC2 instances.

The speed at which the EleKtra-Leak campaign operates is also highlighted in the research. The researchers observed that, in some cases, the threat actors exploited exposed IAM credentials within minutes of their appearance on GitHub, underscoring the level of automation and sophistication involved in the campaign.
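Because exploitation follows exposure within minutes, the EC2 side of the campaign calls for detection that runs close to real time over CloudTrail rather than in a daily review. Below is an added example, not code from the Unit 42 report or from AWS, that flags an access key issuing a burst of RunInstances calls across several regions. The CloudTrail field names (eventTime, eventSource, eventName, awsRegion, sourceIPAddress, userIdentity.accessKeyId, requestParameters.instancesSet) are the real schema; the records, IP addresses, key IDs and the thresholds are constructed assumptions to be tuned to the environment.

```python
import json
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed CloudTrail records. Field names follow the CloudTrail schema;
# every value is made up (TEST-NET addresses, AWS's documented example key ID).
# The second key launches instances in three regions inside five minutes.
SAMPLE_CLOUDTRAIL = json.loads("""
[
 {"eventTime": "2023-09-12T10:00:05Z", "eventSource": "ec2.amazonaws.com",
  "eventName": "RunInstances", "awsRegion": "us-east-1", "sourceIPAddress": "203.0.113.10",
  "userIdentity": {"type": "IAMUser", "userName": "ci-deployer", "accessKeyId": "AKIAEXAMPLEBENIGN001"},
  "requestParameters": {"instancesSet": {"items": [{"minCount": 1, "maxCount": 1}]}}},
 {"eventTime": "2023-09-12T10:00:40Z", "eventSource": "ec2.amazonaws.com",
  "eventName": "DescribeInstances", "awsRegion": "us-east-1", "sourceIPAddress": "203.0.113.10",
  "userIdentity": {"type": "IAMUser", "userName": "ci-deployer", "accessKeyId": "AKIAEXAMPLEBENIGN001"},
  "requestParameters": {}},
 {"eventTime": "2023-09-12T10:01:10Z", "eventSource": "ec2.amazonaws.com",
  "eventName": "RunInstances", "awsRegion": "us-east-1", "sourceIPAddress": "198.51.100.77",
  "userIdentity": {"type": "IAMUser", "userName": "dev-sandbox", "accessKeyId": "AKIAIOSFODNN7EXAMPLE"},
  "requestParameters": {"instancesSet": {"items": [{"minCount": 1, "maxCount": 5}]}}},
 {"eventTime": "2023-09-12T10:02:40Z", "eventSource": "ec2.amazonaws.com",
  "eventName": "RunInstances", "awsRegion": "us-west-2", "sourceIPAddress": "198.51.100.77",
  "userIdentity": {"type": "IAMUser", "userName": "dev-sandbox", "accessKeyId": "AKIAIOSFODNN7EXAMPLE"},
  "requestParameters": {"instancesSet": {"items": [{"minCount": 1, "maxCount": 5}]}}},
 {"eventTime": "2023-09-12T10:03:55Z", "eventSource": "ec2.amazonaws.com",
  "eventName": "RunInstances", "awsRegion": "eu-west-1", "sourceIPAddress": "198.51.100.77",
  "userIdentity": {"type": "IAMUser", "userName": "dev-sandbox", "accessKeyId": "AKIAIOSFODNN7EXAMPLE"},
  "requestParameters": {"instancesSet": {"items": [{"minCount": 1, "maxCount": 5}]}}},
 {"eventTime": "2023-09-12T10:05:30Z", "eventSource": "ec2.amazonaws.com",
  "eventName": "RunInstances", "awsRegion": "us-east-1", "sourceIPAddress": "198.51.100.77",
  "userIdentity": {"type": "IAMUser", "userName": "dev-sandbox", "accessKeyId": "AKIAIOSFODNN7EXAMPLE"},
  "requestParameters": {"instancesSet": {"items": [{"minCount": 1, "maxCount": 5}]}}}
]
""")


def _ts(rec):
    return datetime.strptime(rec["eventTime"], "%Y-%m-%dT%H:%M:%SZ")


def _instances_requested(rec):
    items = rec.get("requestParameters", {}).get("instancesSet", {}).get("items", [])
    return sum(item.get("maxCount", 1) for item in items)


def detect_runinstances_bursts(records, window=timedelta(minutes=10),
                               max_calls=2, max_regions=1, max_instances=4):
    """Flag any access key whose RunInstances calls inside one sliding window
    exceed the call, region or requested-instance ceiling (all assumed values)."""
    per_key = defaultdict(list)
    for rec in records:
        if rec.get("eventSource") == "ec2.amazonaws.com" and rec.get("eventName") == "RunInstances":
            per_key[rec.get("userIdentity", {}).get("accessKeyId", "unknown")].append(rec)

    alerts = []
    for key, events in per_key.items():
        events.sort(key=_ts)
        for i, start in enumerate(events):
            burst = [e for e in events[i:] if _ts(e) - _ts(start) <= window]
            regions = sorted({e["awsRegion"] for e in burst})
            requested = sum(_instances_requested(e) for e in burst)
            if len(burst) > max_calls or len(regions) > max_regions or requested > max_instances:
                alerts.append({
                    "accessKeyId": key,
                    "userName": start.get("userIdentity", {}).get("userName"),
                    "first_seen": start["eventTime"],
                    "calls": len(burst),
                    "regions": regions,
                    "instances_requested": requested,
                    "source_ips": sorted({e["sourceIPAddress"] for e in burst}),
                })
                break  # one alert per key; later windows add nothing new
    return alerts


if __name__ == "__main__":
    for alert in detect_runinstances_bursts(SAMPLE_CLOUDTRAIL):
        print(json.dumps(alert, indent=2))
```

The alert carries the key ID, user name and source addresses so the responder can deactivate the key and review the launched instances in every listed region. Multi-region launches and a burst of RunInstances from a key that normally does none are the two signals worth the lowest thresholds; a pure count threshold alone is easy to tune badly for accounts with autoscaling.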

In one interesting twist, the threat actors behind EleKtra-Leak were found to blacklist AWS accounts that habitually expose IAM credentials. The tactic is believed to be a protective measure, likely aimed at evading honey traps set up by security researchers. The report notes that by sidestepping these potential pitfalls, the threat actors demonstrate a keen awareness of the cybersecurity landscape and the countermeasures researchers might deploy.

To counter the challenges posed by EleKtra-Leak, Unit 42 researchers devised counterstrategies, including automating the creation of randomized AWS accounts and IAM users equipped with deliberately over-permissive credentials. The approach was designed to study the threat actors’ behaviors and gather more insights into the campaign.

Although EleKtra-Leak may be new, cybercriminals targeting exposed credentials are not, so it comes as no surprise that the report highlights the need for shared responsibility. As cloud services become more integrated into digital infrastructure, users and organizations must recognize their roles in maintaining security.

The report emphasizes that it’s up to organizations to ensure proper configurations, timely patching, diligent maintenance and continuous security monitoring. Proactive defense and informed vigilance are crucial to combating cyber threats such as EleKtra-Leak.

Photo: AWS
