A new ongoing campaign dubbed EleKtra-Leak has set its sights on exposed Amazon Web Services (AWS) identity and access management (IAM) credentials within public GitHub repositories to facilitate cryptojacking activities.
"As a result of this, the threat actor associated with the campaign was able to create multiple AWS Elastic Compute (EC2) instances that they used for wide-ranging and long-lasting cryptojacking operations," Palo Alto Networks Unit 42 researchers William Gamazo and Nathaniel Quist said in a technical report shared with The Hacker News.
The operation, active since at least December 2020, mined Monero on as many as 474 unique Amazon EC2 instances between August 30 and October 6, 2023.
A standout aspect of the attacks is the automated targeting of AWS IAM credentials within four minutes of their initial exposure on GitHub, indicating that threat actors are programmatically cloning and scanning the repositories to capture the exposed keys.
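The scanning step is mechanical: the same pattern match that lets an attacker harvest keys within minutes of a push is what a defender runs as a pre-commit or CI check before the push happens. The Python below is an added example written for this article, not Unit 42's tooling or the attacker's. The access key ID format (a 4-character AKIA/ASIA prefix plus 16 upper-case alphanumerics) is AWS's documented shape; the 40-character secret pattern, the entropy cutoff, the exclusion of 40-hex-character git SHA-1s and the sample config text are constructed assumptions for the illustration.

```python
import math
import os
import re

# Access key IDs are 20 characters: a 4-char prefix (AKIA long-term, ASIA temporary)
# followed by 16 upper-case alphanumerics. Lookarounds stop partial matches inside
# longer tokens.
ACCESS_KEY_ID_RE = re.compile(r"(?<![A-Z0-9])(AKIA|ASIA)[A-Z0-9]{16}(?![A-Z0-9])")
# Secret access keys are 40 characters from the base64 alphabet. This pattern alone
# over-matches (any 40-char token), so candidates are filtered below.
SECRET_KEY_RE = re.compile(r"(?<![A-Za-z0-9/+=])[A-Za-z0-9/+=]{40}(?![A-Za-z0-9/+=])")
HEX40_RE = re.compile(r"[0-9a-fA-F]{40}")  # git commit SHA-1s are 40 hex chars
ENTROPY_THRESHOLD = 3.5  # bits per char; a chosen cutoff for filler strings, not an AWS rule


def shannon_entropy(s):
    """Bits of entropy per character; low for filler like 'aaaa...', high for real secrets."""
    counts = {}
    for ch in s:
        counts[ch] = counts.get(ch, 0) + 1
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def redact(value):
    """Keep the first and last four characters so a finding can be matched without logging the secret."""
    return value[:4] + "*" * (len(value) - 8) + value[-4:]


def scan_text(text, source="<text>"):
    """Return findings for every access key ID and likely secret key in `text`."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), 1):
        for m in ACCESS_KEY_ID_RE.finditer(line):
            # Key IDs are not secret on their own, so they are reported unredacted.
            findings.append({"source": source, "line": lineno,
                             "kind": "access_key_id", "value": m.group(0)})
        for m in SECRET_KEY_RE.finditer(line):
            candidate = m.group(0)
            if HEX40_RE.fullmatch(candidate):
                continue  # a commit hash would otherwise pass the entropy filter
            if shannon_entropy(candidate) < ENTROPY_THRESHOLD:
                continue  # padding, placeholders, repeated characters
            findings.append({"source": source, "line": lineno,
                             "kind": "secret_access_key", "value": redact(candidate)})
    return findings


def scan_repo(root, skip_dirs=(".git",)):
    """Walk a checked-out repository and scan every readable file."""
    findings = []
    for dirpath, dirnames, filenames in os.walk(root):
        dirnames[:] = [d for d in dirnames if d not in skip_dirs]
        for name in filenames:
            path = os.path.join(dirpath, name)
            try:
                with open(path, "r", encoding="utf-8", errors="ignore") as fh:
                    findings.extend(scan_text(fh.read(), source=path))
            except OSError:
                continue
    return findings


# Constructed sample: the credential values are AWS's own documentation examples,
# the commit hash is a well-known SHA-1 test vector, and the padding line is filler.
SAMPLE_CONFIG = """[default]
aws_access_key_id = AKIAIOSFODNN7EXAMPLE
aws_secret_access_key = wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY
# commit 2fd4e1c67a2d28fced849ee1bb76e7391b93eb12 is not a secret
padding = aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa
"""

if __name__ == "__main__":
    for f in scan_text(SAMPLE_CONFIG, source="credentials"):
        print(f"{f['source']}:{f['line']} {f['kind']} {f['value']}")
```

Run against the sample, the scanner reports the key ID on line 2 and a redacted secret on line 3, while the commit hash and the padding line are dropped by the hex and entropy filters. Wired into a pre-commit hook it blocks the push; the same loop over a freshly cloned repository is, in outline, what the campaign's automation does from the other side.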
The adversary has also been observed blocklisting AWS accounts that repeatedly publicize IAM credentials, likely in an effort to sidestep further analysis.
There is evidence to suggest that the attacker may also have been linked to another cryptojacking campaign disclosed by Intezer in January 2021 aimed at poorly secured Docker services using the same bespoke mining software.
Part of the campaign's success lies in the exploitation of blind spots in GitHub's secret scanning feature and in AWS' AWSCompromisedKeyQuarantine policy, the controls meant to flag exposed IAM credentials and block their misuse. The quarantine policy, which AWS attaches to an IAM user whose key it finds exposed, denies a set of high-risk actions, including running or starting EC2 instances, but it does not revoke the key itself.
While AWS applies the quarantine policy within two minutes of credentials becoming publicly accessible on GitHub, the keys used in this campaign are suspected to be exposed through an as-yet-undetermined method that escapes that detection.
Unit 42 said that the "threat actor might be able to find exposed AWS keys that aren't automatically detected by AWS and subsequently control these keys outside of the AWSCompromisedKeyQuarantine policy."
In the attack chains discovered by the cybersecurity company, the stolen AWS credentials are used to perform an account reconnaissance operation, followed by creating AWS security groups and launching multiple EC2 instances across various regions from behind a virtual private network (VPN).
The cryptomining operations are conducted on c5a.24xlarge AWS instances owing to their higher processing power, allowing the operators to mine more cryptocurrency in a shorter period of time.
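The chain in the two paragraphs above (reconnaissance calls, CreateSecurityGroup, then RunInstances of large instance types across several regions, all from one access key within minutes) is a sequence a SOC can match against CloudTrail. The Python below is an added example written for this article, not Unit 42's detection logic; the list of calls treated as reconnaissance, the 30-minute window, the "large" size cutoff, the two-region threshold and the sample records are all assumptions constructed for the illustration. Launches that failed with an errorCode are still counted, so attempts blocked by the quarantine policy surface alongside the ones that succeeded.

```python
import json
from datetime import datetime, timedelta

# API calls treated as account reconnaissance (an assumed list; tune to your environment).
RECON_EVENTS = {"GetCallerIdentity", "DescribeRegions", "DescribeInstances",
                "ListUsers", "GetAccountSummary", "DescribeAvailabilityZones"}
# Instance sizes treated as "large" for the mining heuristic (an assumed cutoff).
LARGE_SIZES = {"12xlarge", "16xlarge", "24xlarge", "32xlarge", "48xlarge", "metal"}
WINDOW = timedelta(minutes=30)  # recon-to-launch window that triggers an alert
MIN_REGIONS = 2                 # launches spread over this many regions is suspicious


def parse_time(ts):
    return datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ")  # CloudTrail eventTime format


def instance_types(record):
    # CloudTrail nests requested types under requestParameters.instancesSet.items[].instanceType
    items = record.get("requestParameters", {}).get("instancesSet", {}).get("items", [])
    return [i.get("instanceType") for i in items if i.get("instanceType")]


def is_large(itype):
    return itype.rsplit(".", 1)[-1] in LARGE_SIZES


def analyze(records):
    """Group CloudTrail records by access key and flag recon followed by multi-region launches."""
    by_key = {}
    for rec in records:
        by_key.setdefault(rec["userIdentity"].get("accessKeyId", "<none>"), []).append(rec)
    alerts = []
    for key, events in by_key.items():
        events.sort(key=lambda r: parse_time(r["eventTime"]))
        recon_at = next((parse_time(r["eventTime"]) for r in events
                         if r["eventName"] in RECON_EVENTS), None)
        if recon_at is None:
            continue
        regions, sg_regions, large, denied = set(), set(), [], 0
        for rec in events:
            t = parse_time(rec["eventTime"])
            if t < recon_at or t - recon_at > WINDOW:
                continue
            if rec["eventName"] == "CreateSecurityGroup":
                sg_regions.add(rec["awsRegion"])
            elif rec["eventName"] == "RunInstances":
                regions.add(rec["awsRegion"])  # attempted region counts even if denied
                large.extend(i for i in instance_types(rec) if is_large(i))
                if rec.get("errorCode"):
                    denied += 1
        if len(regions) >= MIN_REGIONS or large:
            alerts.append({"accessKeyId": key, "reconAt": recon_at.isoformat(),
                           "launchRegions": sorted(regions),
                           "securityGroupRegions": sorted(sg_regions),
                           "largeInstanceTypes": large, "deniedLaunches": denied})
    return alerts


def _rec(ts, name, region, key, itype=None, error=None):
    """Build a minimal constructed CloudTrail-shaped record."""
    rec = {"eventTime": ts, "eventName": name, "awsRegion": region,
           "userIdentity": {"type": "IAMUser", "accessKeyId": key}}
    if itype:
        rec["requestParameters"] = {"instancesSet": {"items": [{"instanceType": itype}]}}
    if error:
        rec["errorCode"] = error
    return rec


# Constructed sample: both key IDs are AWS documentation examples. The developer key
# does routine work in one region; the attacker key follows the chain described above,
# with the third launch denied (the shape of a quarantine-policy block).
DEVELOPER = "AKIAI44QH8DHBEXAMPLE"
ATTACKER = "AKIAIOSFODNN7EXAMPLE"
SAMPLE_RECORDS = [
    _rec("2023-09-01T09:00:00Z", "DescribeInstances", "us-east-1", DEVELOPER),
    _rec("2023-09-01T09:30:00Z", "RunInstances", "us-east-1", DEVELOPER, "t3.micro"),
    _rec("2023-09-01T10:00:00Z", "GetCallerIdentity", "us-east-1", ATTACKER),
    _rec("2023-09-01T10:00:05Z", "DescribeRegions", "us-east-1", ATTACKER),
    _rec("2023-09-01T10:01:00Z", "CreateSecurityGroup", "us-east-1", ATTACKER),
    _rec("2023-09-01T10:01:30Z", "RunInstances", "us-east-1", ATTACKER, "c5a.24xlarge"),
    _rec("2023-09-01T10:02:00Z", "CreateSecurityGroup", "eu-west-1", ATTACKER),
    _rec("2023-09-01T10:02:30Z", "RunInstances", "eu-west-1", ATTACKER, "c5a.24xlarge"),
    _rec("2023-09-01T10:03:00Z", "RunInstances", "ap-south-1", ATTACKER, "c5a.24xlarge",
         "Client.UnauthorizedOperation"),
]

if __name__ == "__main__":
    print(json.dumps(analyze(SAMPLE_RECORDS), indent=2))
```

On the sample the developer key produces no alert (one region, a small type), while the attacker key yields a single alert listing three launch regions, two security-group regions, three c5a.24xlarge requests and one denied launch. In production the records come from the CloudTrail Lake or S3 delivery rather than an inline list, and the thresholds should be set from a baseline of the account's normal launch behaviour.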
The mining software used to carry out the cryptojacking is fetched from a Google Drive URL, continuing a pattern of malicious actors hosting payloads on widely used, trusted services to fly under the radar.
"The type of Amazon Machine Images (AMI) the threat actor used was also distinctive," the researchers said. "The identified images were private and they were not listed in the AWS Marketplace."
To mitigate such attacks, organizations that accidentally expose AWS IAM credentials are advised to immediately revoke the exposed keys (deactivate and delete the access key, and rotate anything derived from it), remove them from the GitHub repository while treating the key as compromised regardless, since it remains in the commit history and in any clones already taken, and audit GitHub repository cloning events for suspicious activity.
"The threat actor can detect and launch a full-scale mining operation within five minutes from the time of an AWS IAM credential being exposed in a public GitHub repository," the researchers said. "Despite successful AWS quarantine policies, the campaign maintains continuous fluctuation in the number and frequency of compromised victim accounts."