5 Minutes from Leak to Cryptojacking: EleKtra-Leak Operation Doesn't Spare AWS Servers

Carding 4 Carders

Leaked IAM keys open every door to attackers, and even AWS's quarantine policy does not stop them.

Palo Alto Networks Unit 42 researchers have discovered and are actively tracking a new malicious campaign, dubbed EleKtra-Leak, that harvests Amazon Web Services (AWS) IAM credentials exposed in public GitHub repositories and uses them to mine cryptocurrency.

The campaign appears to have been active since at least December 2020. Between August 30 and October 6, 2023, its operators created 474 unique Amazon Elastic Compute Cloud (EC2) instances for mining the Monero cryptocurrency.

What sets these attacks apart is speed: the operators find AWS IAM keys on GitHub within four minutes of their publication, and within five minutes they have cryptomining running in the victim's AWS account. This pace shows that the attackers rely on automated tooling to monitor repositories and harvest credentials the moment they appear.
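Since the attackers pick up a key minutes after it is pushed, the only reliable defence is to stop it from being pushed in the first place. The following is an added example (not code from the original post or from Unit 42) of the kind of pre-commit or CI check that catches AWS credentials before they leave the developer's machine. It relies on two well-known facts about AWS credentials: long-term access key IDs start with AKIA and temporary ones with ASIA, both 20 characters long, and secret access keys are 40 characters of base64-like text. The sample files are constructed for the example and use the placeholder key pair from AWS's own documentation.

```python
from __future__ import annotations

import re
import sys
from dataclasses import dataclass

# AWS access key IDs are 20 characters: a 4-letter prefix (AKIA for long-term
# IAM user keys, ASIA for temporary STS keys) followed by 16 upper-case
# alphanumerics. Secret access keys are 40 characters of base64-like text;
# we only flag those when they sit next to a "secret access key" label,
# otherwise any random 40-character token would trip the scanner.
ACCESS_KEY_RE = re.compile(r"\b((?:AKIA|ASIA)[0-9A-Z]{16})\b")
SECRET_KEY_RE = re.compile(
    r"(?i)aws[_\-\.]?secret[_\-\.]?access[_\-\.]?key\W{0,5}([A-Za-z0-9/+=]{40})\b"
)


@dataclass
class Finding:
    path: str
    line_no: int
    kind: str   # "access_key_id" or "secret_access_key"
    value: str  # redacted form; the full secret is never echoed back


def redact(value: str) -> str:
    """Keep the first and last four characters so the owner can identify the key."""
    return value[:4] + "*" * (len(value) - 8) + value[-4:]


def scan_text(path: str, text: str) -> list[Finding]:
    """Scan one file's contents and return every credential-like match with its line number."""
    findings: list[Finding] = []
    for line_no, line in enumerate(text.splitlines(), start=1):
        for m in ACCESS_KEY_RE.finditer(line):
            findings.append(Finding(path, line_no, "access_key_id", redact(m.group(1))))
        for m in SECRET_KEY_RE.finditer(line):
            findings.append(Finding(path, line_no, "secret_access_key", redact(m.group(1))))
    return findings


def scan_files(files: dict[str, str]) -> list[Finding]:
    """Scan a mapping of path -> contents (e.g. the staged files of a commit)."""
    out: list[Finding] = []
    for path, text in files.items():
        out.extend(scan_text(path, text))
    return out


# Constructed sample input: a tfvars file with a hard-coded key pair (the
# documented AWS example credentials, which are not real), a README that
# merely names the environment variables, and a deploy script exporting a
# temporary key. Only the first and third files should produce findings.
SAMPLE_FILES = {
    "terraform.tfvars": (
        'region = "us-east-1"\n'
        'aws_access_key_id = "AKIAIOSFODNN7EXAMPLE"\n'
        'aws_secret_access_key = "wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY"\n'
    ),
    "README.md": "Set AWS_ACCESS_KEY_ID and AWS_SECRET_ACCESS_KEY in your env.\n",
    "scripts/deploy.sh": "export AWS_ACCESS_KEY_ID=ASIAQWERTYUIOPASDFGH\n",
}


if __name__ == "__main__":
    # Usage as a hook: python aws_key_scan.py $(git diff --cached --name-only)
    # With no arguments it runs over the constructed sample files.
    paths = sys.argv[1:]
    if paths:
        files = {p: open(p, encoding="utf-8", errors="replace").read() for p in paths}
    else:
        files = SAMPLE_FILES
    results = scan_files(files)
    for f in results:
        print(f"{f.path}:{f.line_no}: {f.kind} {f.value}")
    # Non-zero exit blocks the commit when wired in as a pre-commit hook.
    sys.exit(1 if results else 0)
```

Wired into a pre-commit hook the script refuses the commit, which is the point: GitHub's secret scanning and the AWS quarantine policy only react after the key is already public, and this campaign shows that a four-minute reaction window is already too slow.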

Similarities with a cryptojacking campaign that Intezer identified in January 2021 suggest a link between the two: both used the same mining software and targeted poorly protected Docker services.

Notably, the attackers exploit blind spots in GitHub's secret scanning feature and in AWS's "AWSCompromisedKeyQuarantine" policy to abuse compromised IAM keys and launch EC2 instances.

Although AWS applied the quarantine policy within two minutes of the credentials being pushed to GitHub, the researchers suspect the attackers obtain keys through some route that the policy does not cover. The quarantine policy is in any case only a stopgap: it blocks a set of high-risk actions but does not deactivate the key, so the account owner still has to disable and rotate the credential.

With a working key, the attackers perform account reconnaissance, create AWS security groups, and launch multiple EC2 instances, operating over a VPN to hide their origin. The mining itself runs on large compute-optimized instances such as c5a.24xlarge, which yields the most hashing power in the shortest time.
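That sequence (reconnaissance, then a new security group, then large instances launched in several regions within minutes) is a clear signature in CloudTrail. Below is an added example (not code from the original post or from Unit 42) of detection logic over CloudTrail records that flags an access key whose large RunInstances calls were preceded, within a ten-minute window, by reconnaissance and security-group changes. The field names used (eventTime, eventName, awsRegion, sourceIPAddress, userIdentity.accessKeyId, requestParameters.instanceType) are real CloudTrail fields; the event records, timestamps, IP addresses and the ten-minute window and "8xlarge or bigger" threshold are constructed assumptions for the example.

```python
from __future__ import annotations

from collections import defaultdict
from datetime import datetime, timedelta

# API calls an attacker typically makes to size up a freshly stolen key.
RECON_EVENTS = {
    "GetCallerIdentity", "DescribeInstances", "DescribeRegions",
    "DescribeInstanceTypes", "DescribeVpcs", "ListUsers",
}
# Security-group changes that precede the instance launches in this campaign.
SG_EVENTS = {"CreateSecurityGroup", "AuthorizeSecurityGroupIngress"}
# Assumed lookback: the campaign goes from key to mining in about five minutes.
WINDOW = timedelta(minutes=10)


def parse_time(s: str) -> datetime:
    return datetime.strptime(s, "%Y-%m-%dT%H:%M:%SZ")


def is_large_instance(instance_type: str) -> bool:
    """Assumed threshold: anything 8xlarge or bigger (c5a.24xlarge qualifies)."""
    size = instance_type.split(".")[-1]
    if not size.endswith("xlarge"):
        return False
    multiplier = size[: -len("xlarge")]
    return int(multiplier or "1") >= 8


def detect_cryptojacking(events: list[dict]) -> list[dict]:
    """Group CloudTrail events per access key and flag recon -> SG change -> large launches."""
    by_key: dict[str, list[dict]] = defaultdict(list)
    for e in events:
        by_key[e["userIdentity"]["accessKeyId"]].append(e)

    alerts = []
    for key_id, evs in by_key.items():
        evs.sort(key=lambda e: parse_time(e["eventTime"]))
        runs = [
            e for e in evs
            if e["eventName"] == "RunInstances"
            and is_large_instance(e.get("requestParameters", {}).get("instanceType", ""))
        ]
        if not runs:
            continue
        first_run = parse_time(runs[0]["eventTime"])
        # Everything this key did in the window leading up to the first big launch.
        prior = [e for e in evs if first_run - WINDOW <= parse_time(e["eventTime"]) < first_run]
        recon = sorted({e["eventName"] for e in prior if e["eventName"] in RECON_EVENTS})
        sg = sorted({e["eventName"] for e in prior if e["eventName"] in SG_EVENTS})
        if not (recon and sg):
            continue
        alerts.append({
            "accessKeyId": key_id,
            "firstLargeRunInstances": runs[0]["eventTime"],
            "reconCalls": recon,
            "securityGroupCalls": sg,
            "instanceTypes": sorted({e["requestParameters"]["instanceType"] for e in runs}),
            "regions": sorted({e["awsRegion"] for e in runs}),
            "sourceIPs": sorted({e["sourceIPAddress"] for e in evs}),
            "instanceCount": len(runs),
        })
    return alerts


def _ev(t: str, name: str, region: str, key: str, ip: str, instance_type: str | None = None) -> dict:
    """Build a minimal CloudTrail-shaped record (constructed sample data)."""
    e = {"eventTime": t, "eventName": name, "awsRegion": region, "sourceIPAddress": ip,
         "userIdentity": {"accessKeyId": key}, "requestParameters": {}}
    if instance_type:
        e["requestParameters"]["instanceType"] = instance_type
    return e


# Constructed sample: one leaked key (the AWS documentation example ID) driven
# from a VPN exit node, and one benign key doing ordinary work.
LEAKED, BENIGN, VPN_IP, OFFICE_IP = "AKIAIOSFODNN7EXAMPLE", "ASIAQWERTYUIOPASDFGH", "198.51.100.7", "203.0.113.20"
SAMPLE_EVENTS = [
    _ev("2023-09-12T10:00:00Z", "GetCallerIdentity", "us-east-1", LEAKED, VPN_IP),
    _ev("2023-09-12T10:00:30Z", "DescribeRegions", "us-east-1", LEAKED, VPN_IP),
    _ev("2023-09-12T10:01:10Z", "CreateSecurityGroup", "us-east-1", LEAKED, VPN_IP),
    _ev("2023-09-12T10:01:40Z", "AuthorizeSecurityGroupIngress", "us-east-1", LEAKED, VPN_IP),
    _ev("2023-09-12T10:02:05Z", "RunInstances", "us-east-1", LEAKED, VPN_IP, "c5a.24xlarge"),
    _ev("2023-09-12T10:02:40Z", "RunInstances", "eu-west-1", LEAKED, VPN_IP, "c5a.24xlarge"),
    _ev("2023-09-12T10:03:00Z", "RunInstances", "ap-southeast-1", LEAKED, VPN_IP, "c5a.24xlarge"),
    _ev("2023-09-12T09:58:00Z", "DescribeInstances", "us-east-1", BENIGN, OFFICE_IP),
    _ev("2023-09-12T09:59:00Z", "RunInstances", "us-east-1", BENIGN, OFFICE_IP, "t3.micro"),
]

if __name__ == "__main__":
    for alert in detect_cryptojacking(SAMPLE_EVENTS):
        print(alert)
```

The alert carries the access key ID, the regions and instance types involved, and every source IP the key was used from, which is exactly what an incident responder needs to disable the key, terminate the instances in each region, and block the VPN exit. In production the same logic would run over CloudTrail logs in S3 or a SIEM rather than the inline sample; the window and size threshold are tuning knobs, not fixed properties of the campaign.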

According to the researchers, the mining software is downloaded from a Google Drive URL, which shows the attackers' habit of hiding behind trusted, widely used services.

To prevent such incidents, revoke API keys immediately when they leak, remove them from the GitHub repository, and audit repository cloning events for suspicious activity. Deleting a key from the repository, or even from its git history, does not undo the exposure: once pushed to a public repo, a key must be treated as compromised and rotated.