VTA-004469 – EleKtra-Leak Cryptojacking Attacks Exploit AWS IAM Credentials Exposed on GitHub
The EleKtra-Leak campaign has emerged as a significant threat, targeting exposed Amazon Web Service (AWS) identity and access management (IAM) credentials within public GitHub repositories to facilitate cryptojacking activities. This operation, ongoing since at least December 2020, involves mining Monero from a large number of Amazon EC2 instances. What sets this campaign apart is its automated targeting of AWS IAM credentials within just four minutes of their exposure on GitHub, indicating a sophisticated and programmatically driven approach by threat actors. These adversaries have also been observed blocking AWS accounts that publicize IAM credentials to avoid detection. The success of the campaign can be attributed to exploiting weaknesses in GitHub’s secret scanning feature and AWS’s AWSCompromisedKeyQuarantine policy, which is used to flag and prevent the misuse of exposed IAM credentials. The attack chain involves reconnaissance, creating security groups, and launching multiple EC2 instances across various regions, with cryptojacking operations conducted on high-power AWS instances. The mining software used is retrieved from a Google Drive URL, demonstrating a pattern of malicious actors leveraging trusted applications. To counter such attacks, organizations are advised to immediately revoke API connections, remove exposed keys from GitHub repositories, and closely monitor cloning events in repositories for suspicious activities. Despite AWS quarantine policies, the EleKtra-Leak campaign continues to fluctuate in the number and frequency of compromised victim accounts, posing an ongoing challenge for security professionals.
Cloud Service, Cloud Storage
Technical Impact Analysis:
Loss of Accountability, Loss of Confidentiality
Business Impact Analysis:
Financial Damage, Privacy Violation
T1003 – OS Credential Dumping
T1526 – Cloud Service Discovery
T1072 – Software Deployment Tools
T1140 – Deobfuscate/Decode Files or Information
T1496 – Resource Hijacking
T1106 – Native API
T1059 – Command and Scripting Interpreter
T1102 – Web Service
T1530 – Data from Cloud Storage Object
Indicator of Compromise:
SuperPRO’s Threat Countermeasures Procedures:
1. Implement strong password policies and require multi-factor authentication for all users.
2. Regularly monitor AWS accounts for suspicious activity.
3. Use a security information and event management (SIEM) solution to collect and analyze security logs from across the organization.
4. Educate users about cybersecurity best practices, such as how to identify and avoid phishing emails.
Contributed by: Aqilah