Security News > 2023 > October > Cryptojackers steal AWS credentials from GitHub in 5 minutes
Security researchers have uncovered a multi-year cryptojacking campaign they claim autonomously clones GitHub repositories and steals their exposed AWS credentials.
Given the name "EleKtra-Leak" by researchers at Palo Alto Networks's Unit 42, the criminals behind the campaign are credited with regularly stealing AWS credentials within five minutes of them being exposed in GitHub repositories.
"We believe the threat actor might be able to find exposed AWS keys that aren't automatically detected by AWS and subsequently control these keys outside of the AWSCompromisedKeyQuarantine policy," said William Gamazo and Nathaniel Quist, senior principal researcher and manager of cloud threat intelligence at Unit 42, respectively.
"Even when GitHub and AWS are coordinated to implement a certain level of protection when AWS keys are leaked, not all cases are covered. We highly recommend that CI/CD security practices, like scanning repos on commit, should be implemented independently."
Unit 42 confirmed to The Register that the credentials found in the research were sourced via GitHub by the attackers, despite the AWS policy being applied rapidly, but attackers also exhibited evidence of using multiple methods to acquire the AWS logins outside the scope of the researchers' investigation.
For any AWS credentials that are exposed, the API connections made using them should be immediately revoked, the researchers said.