VTA-004469 – EleKtra-Leak Cryptojacking Attacks Exploit AWS IAM Credentials Exposed on GitHub

The EleKtra-Leak campaign has emerged as a significant threat, targeting exposed Amazon Web Service (AWS) identity and access management (IAM) credentials within public GitHub repositories to facilitate cryptojacking activities. This operation, ongoing since at least December 2020, involves mining Monero from a large number of Amazon EC2 instances. What sets this campaign apart is its automated targeting of AWS IAM credentials within just four minutes of their exposure on GitHub, indicating a sophisticated and programmatically driven approach by threat actors. These adversaries have also been observed blocking AWS accounts that publicize IAM credentials to avoid detection. The success of the campaign can be attributed to exploiting weaknesses in GitHub’s secret scanning feature and AWS’s AWSCompromisedKeyQuarantine policy, which is used to flag and prevent the misuse of exposed IAM credentials. The attack chain involves reconnaissance, creating security groups, and launching multiple EC2 instances across various regions, with cryptojacking operations conducted on high-power AWS instances. The mining software used is retrieved from a Google Drive URL, demonstrating a pattern of malicious actors leveraging trusted applications. To counter such attacks, organizations are advised to immediately revoke API connections, remove exposed keys from GitHub repositories, and closely monitor cloning events in repositories for suspicious activities. Despite AWS quarantine policies, the EleKtra-Leak campaign continues to fluctuate in the number and frequency of compromised victim accounts, posing an ongoing challenge for security professionals.

Severity:
Medium

Attack Surfaces:
Cloud Service, Cloud Storage

Technical Impact Analysis:
Loss of Accountability, Loss of Confidentiality

Business Impact Analysis:
Financial Damage, Privacy Violation

Technique:
T1003 – OS Credential Dumping
T1526 – Cloud Service Discovery
T1072 – Software Deployment Tools
T1140 – Deobfuscate/Decode Files or Information
T1496 – Resource Hijacking
T1106 – Native API
T1059 – Command and Scripting Interpreter
T1102 – Web Service
T1530 – Data from Cloud Storage Object

Indicator of Compromise:
https://otx.alienvault.com/pulse/65400493f4507261d44f32cf

References:
https://unit42.paloaltonetworks.com/malicious-operations-of-exposed-iam-keys-cryptojacking/

SuperPRO’s Threat Countermeasures Procedures: 
1. Implement strong password policies and require multi-factor authentication for all users.
2. Regularly monitor AWS accounts for suspicious activity.
3. Use a security information and event management (SIEM) solution to collect and analyze security logs from across the organization.
4. Educate users about cybersecurity best practices, such as how to identify and avoid phishing emails.

Contributed by: Aqilah