Security researchers at Palo Alto Networks' Unit 42 have discovered a persistent cryptojacking campaign that they believe has been active since 2020. Dubbed “EleKtra-Leak,” the campaign targets GitHub repositories, stealing Amazon Web Services (AWS) credentials within minutes of their exposure. In just over a month, from August 30 to October 6, 2023, the researchers traced 474 crypto miners running on EC2 instances potentially controlled by the threat actor, signifying how widespread and efficient the campaign is.
Cryptojacking is the unauthorized use of someone else's device to mine cryptocurrency for the attacker's profit. Cryptocurrency is a type of digital money whose creation (mining) requires a lot of computing power. Any device with a processor can be affected, including computers, phones and servers. Cryptojacking is hard to notice, but it slows the device down and increases its electricity use. It can be carried out by installing malicious software on the device or by running mining code in a website the victim visits.
Operational Efficiency Despite Protective Measures
GitHub's secret scanning feature, which alerts AWS to exposed credentials, performed capably in the researchers' initial tests. Still, they contended that it is not fool-proof: attackers could still find and take control of exposed AWS keys that go unnoticed, rendering AWS's quarantine policy ineffective. Despite the protective measures GitHub and AWS have implemented together, the researchers advised that CI/CD security practices also be adopted independently. They also pointed out the campaign's resilience to AWS's quarantine policy, with the number of compromised victim accounts constantly varying. Speculation about why the campaign remains active includes possible efforts against other platforms or credentials outside GitHub, underlining the multi-faceted nature of the threat.
A Strategically Deployed Attack
The attackers, operating behind a virtual private network (VPN), approached the compromised AWS accounts with calculated reconnaissance, checking which regions were enabled for each account before deploying EC2 instances. These operations produced more than 400 API calls, signifying the stealthy and automated nature of the attacks. The Monero-mining EC2 instances launched were mainly large instance types, exploiting cloud resources for greater mining efficiency. Notably, the attackers hosted the mining payload on Google Drive, taking advantage of the anonymity and protection the service offers. They also made full use of Monero's privacy features, making attribution exceedingly challenging for the investigators.
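As an added defender-side illustration (not code from the Unit 42 report or this article), the following check runs over constructed CloudTrail-style events and flags an access key that enumerates regions and then launches EC2 instances in several of them within a short window, the sequence described above. Field names follow CloudTrail's schema; the key IDs, timestamps, 30-minute window and three-region threshold are assumed sample values.

```python
import json
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample CloudTrail-style events, one JSON object per line (not real logs).
SAMPLE_EVENTS = """
{"eventTime":"2023-09-01T10:00:00Z","eventSource":"sts.amazonaws.com","eventName":"GetCallerIdentity","awsRegion":"us-east-1","userIdentity":{"accessKeyId":"AKIAEXAMPLEKEY000001"}}
{"eventTime":"2023-09-01T10:00:05Z","eventSource":"ec2.amazonaws.com","eventName":"DescribeRegions","awsRegion":"us-east-1","userIdentity":{"accessKeyId":"AKIAEXAMPLEKEY000001"}}
{"eventTime":"2023-09-01T10:01:00Z","eventSource":"ec2.amazonaws.com","eventName":"RunInstances","awsRegion":"us-east-1","userIdentity":{"accessKeyId":"AKIAEXAMPLEKEY000001"}}
{"eventTime":"2023-09-01T10:01:30Z","eventSource":"ec2.amazonaws.com","eventName":"RunInstances","awsRegion":"eu-west-1","userIdentity":{"accessKeyId":"AKIAEXAMPLEKEY000001"}}
{"eventTime":"2023-09-01T10:02:00Z","eventSource":"ec2.amazonaws.com","eventName":"RunInstances","awsRegion":"ap-south-1","userIdentity":{"accessKeyId":"AKIAEXAMPLEKEY000001"}}
{"eventTime":"2023-09-01T11:00:00Z","eventSource":"ec2.amazonaws.com","eventName":"RunInstances","awsRegion":"us-east-1","userIdentity":{"accessKeyId":"AKIAEXAMPLEKEY000002"}}
"""

RECON_CALLS = {"GetCallerIdentity", "DescribeRegions"}
WINDOW = timedelta(minutes=30)   # assumed detection window
MIN_REGIONS = 3                  # assumed threshold for "many regions"

def parse_events(text):
    """Parse newline-delimited CloudTrail JSON into dicts sorted by eventTime."""
    events = [json.loads(line) for line in text.splitlines() if line.strip()]
    for e in events:
        e["_ts"] = datetime.strptime(e["eventTime"], "%Y-%m-%dT%H:%M:%SZ")
    return sorted(events, key=lambda e: e["_ts"])

def find_suspicious_keys(events, window=WINDOW, min_regions=MIN_REGIONS):
    """Return {accessKeyId: sorted regions} for keys that ran reconnaissance
    and then launched instances in at least min_regions regions within window."""
    by_key = defaultdict(list)
    for e in events:
        by_key[e["userIdentity"].get("accessKeyId", "?")].append(e)
    flagged = {}
    for key, evs in by_key.items():
        recon_times = [e["_ts"] for e in evs if e["eventName"] in RECON_CALLS]
        if not recon_times:
            continue  # no enumeration step seen for this key
        first_recon = min(recon_times)
        regions = {e["awsRegion"] for e in evs
                   if e["eventName"] == "RunInstances"
                   and first_recon <= e["_ts"] <= first_recon + window}
        if len(regions) >= min_regions:
            flagged[key] = sorted(regions)
    return flagged

if __name__ == "__main__":
    for key, regions in find_suspicious_keys(parse_events(SAMPLE_EVENTS)).items():
        print(f"{key}: RunInstances in {len(regions)} regions after recon: {regions}")
```

In the sample, only the first key is flagged; the second launches a single instance with no preceding enumeration and is left alone.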