EleKtra-Leak Campaign Uses AWS Cloud Keys Found on Public GitHub Repositories to Run Cryptomining Operation
In the active EleKtra-Leak campaign, attackers hunt for Amazon IAM credentials in public GitHub repositories and then use them for cryptomining.
New research from Palo Alto Networks's Unit 42 exposes an active attack campaign in which a threat actor hunts for Amazon IAM credentials in real time in GitHub repositories and starts using them less than five minutes later.
That honeypot testing revealed that leaked AWS keys encoded in base64 and stored on GitHub were not found or used by threat actors, who only fetched cleartext AWS keys hidden behind a past commit in a random file.
During their investigation, Gamazo and Quist noticed that the secrets they were intentionally storing on GitHub as honeypot data for their research were indeed detected by GitHub and reported to Amazon, which in turn automatically applied, within minutes, a quarantine policy that prevents attackers from performing operations such as accessing AWS IAM, EC2, S3, Lambda and Lightsail.
They also state that "Even when GitHub and AWS are coordinated to implement a certain level of protection when AWS keys are leaked, not all cases are covered," and that other potential victims of this threat actor might have been targeted in a different manner.
If there is no need to share the organization's repositories publicly, private GitHub repositories should be used and only accessed by the organization's personnel.
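For auditing your own repository history, the following added example (not code from the article or from Unit 42's research) scans `git log -p` output for AWS access key IDs in cleartext and in base64 form, including lines that a later commit removed. The sample log and commit IDs are constructed, and the key ID is the placeholder value AWS uses in its documentation.

```python
import base64
import re

# AWS access key IDs: "AKIA" (long-term) or "ASIA" (temporary) + 16 characters.
KEY_ID = re.compile(r"\b(?:AKIA|ASIA)[A-Z0-9]{16}\b")
# Candidate base64 runs long enough to hold an encoded 20-character key ID.
B64_TOKEN = re.compile(r"[A-Za-z0-9+/]{24,}={0,2}")

DOC_KEY = "AKIAIOSFODNN7EXAMPLE"  # placeholder key ID from AWS documentation
ENCODED = base64.b64encode(DOC_KEY.encode()).decode()

# Constructed sample in the shape of `git log -p` output (newest commit first).
SAMPLE_LOG = f"""commit ccc3333
    store key encoded
+++ b/deploy.env
+AWS_KEY_B64={ENCODED}
commit bbb2222
    remove credentials
--- a/notes.txt
-aws_access_key_id = {DOC_KEY}
commit aaa1111
    add notes
+++ b/notes.txt
+aws_access_key_id = {DOC_KEY}
"""

def scan_history(log_text):
    """Return (commit, kind, key_id) for every key ID on an added or removed line."""
    findings, commit = [], None
    for line in log_text.splitlines():
        if line.startswith("commit "):
            commit = line.split()[1]
            continue
        # Only changed lines matter; skip the "+++"/"---" file headers.
        if not line or line[0] not in "+-" or line.startswith(("+++", "---")):
            continue
        body = line[1:]
        findings += [(commit, "cleartext", k) for k in KEY_ID.findall(body)]
        for token in B64_TOKEN.findall(body):
            try:
                decoded = base64.b64decode(token, validate=True).decode("ascii")
            except ValueError:  # bad padding or non-ASCII payload: not a key
                continue
            findings += [(commit, "base64", k) for k in KEY_ID.findall(decoded)]
    return findings

if __name__ == "__main__":
    for finding in scan_history(SAMPLE_LOG):
        print(finding)
```

Against a real repository, feed it the text of `git log -p --all`. A key that appears only on a removed (`-`) line is still retrievable from history and should be rotated.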
News URL
https://www.techrepublic.com/article/elektra-leak-aws-cloud-keys-crytomining/