EleKtra-Leak Cryptojacking Campaign Targets AWS Credentials on GitHub

A persistent cryptojacking campaign, dubbed EleKtra-Leak, has been exploiting exposed AWS credentials on GitHub since at least 2020.


Security researchers at Palo Alto Networks' Unit 42 have discovered a persistent cryptojacking campaign that they believe has been active since 2020. Dubbed “EleKtra-Leak,” the campaign targets GitHub repositories, stealing Amazon Web Services (AWS) credentials within minutes of their exposure. The researchers traced 474 cryptocurrency miners, running on EC2 instances potentially controlled by the threat actor, in just over a month, from August 30 to October 6, 2023, which shows how widespread and efficient the campaign is.

Cryptojacking is when a hacker uses your device to make money by mining cryptocurrency. Cryptocurrency is a form of digital money whose creation requires a great deal of computing power. Cryptojacking can affect any device that has a processor, such as computers or servers. It is hard to notice, but it can slow your device down and increase its electricity use. Cryptojacking can happen through a virus installed on your device or through code run by a website you visit.

Operational Efficiency Despite Protective Measures

GitHub's secret scanning feature, which alerts AWS to exposed credentials, performed capably in the researchers' initial tests. Still, they cautioned that it is not fool-proof: attackers could find and take control of exposed AWS keys that go unnoticed, rendering AWS's quarantine policy ineffective. Even with the protective measures GitHub and AWS have implemented, organizations should independently adopt CI/CD security practices, the researchers advised. They also pointed out the campaign's resilience to AWS's quarantine policy, with the number of compromised victim accounts varying constantly. Speculation about why the campaign remains active includes possible efforts targeting other platforms or credentials outside GitHub, underlining the multi-faceted nature of the threat.
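One CI/CD practice the researchers' advice points at is scanning your own commits for AWS credentials before they reach a public repository, rather than relying only on GitHub's scanning. The following is an added example, not code from Unit 42, GitHub or AWS: a small scanner that flags AWS access key IDs (the `AKIA`/`ASIA` prefix followed by 16 uppercase alphanumerics, a format assumption based on published key formats) and secret access keys that sit next to a secret-key variable name, and reports them redacted. The sample file contents are constructed and use the placeholder credentials from AWS documentation.

```python
import re
import sys
from typing import List, Tuple

# Long-term access key IDs start with "AKIA", temporary (STS) ones with "ASIA",
# followed by 16 uppercase alphanumerics (assumption based on published key formats).
ACCESS_KEY_RE = re.compile(r"\b((?:AKIA|ASIA)[0-9A-Z]{16})\b")

# A secret access key is 40 base64-like characters. Any 40-character token would be a
# noisy signal on its own, so we only flag one that is assigned to a secret-key variable.
SECRET_KEY_RE = re.compile(
    r"(?i)aws(?:_|-)?secret(?:_|-)?access(?:_|-)?key\s*[=:]\s*['\"]?"
    r"([A-Za-z0-9/+=]{40})(?![A-Za-z0-9/+=])"
)

# Constructed sample of a config file committed by mistake. The key values are the
# well-known placeholders from AWS documentation, not real credentials.
SAMPLE_FILE = """\
# deploy settings
AWS_ACCESS_KEY_ID=AKIAIOSFODNN7EXAMPLE
AWS_SECRET_ACCESS_KEY=wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY
build_hash=0123456789abcdef0123456789abcdef01234567
region=us-east-1
"""


def redact(value: str) -> str:
    """Keep only the last four characters so the report itself never re-leaks the secret."""
    return "*" * (len(value) - 4) + value[-4:]


def scan_text(text: str) -> List[Tuple[int, str, str]]:
    """Return (line_number, kind, redacted_value) for every credential-looking token."""
    findings = []
    for line_no, line in enumerate(text.splitlines(), start=1):
        for m in ACCESS_KEY_RE.finditer(line):
            findings.append((line_no, "aws_access_key_id", redact(m.group(1))))
        for m in SECRET_KEY_RE.finditer(line):
            findings.append((line_no, "aws_secret_access_key", redact(m.group(1))))
    return findings


def scan_files(paths: List[str]) -> int:
    """Scan each file; print findings and return the total count (non-zero fails a hook)."""
    total = 0
    for path in paths:
        with open(path, "r", encoding="utf-8", errors="replace") as fh:
            for line_no, kind, value in scan_text(fh.read()):
                print(f"{path}:{line_no}: {kind}: {value}")
                total += 1
    return total


if __name__ == "__main__":
    # Usage as a pre-commit hook: python scan_aws_keys.py <staged files...>
    # With no arguments, scan the constructed sample instead.
    if len(sys.argv) > 1:
        sys.exit(1 if scan_files(sys.argv[1:]) else 0)
    for line_no, kind, value in scan_text(SAMPLE_FILE):
        print(f"sample:{line_no}: {kind}: {value}")
```

The `build_hash` line in the sample is also 40 characters long but is not flagged, which is the point of tying the secret-key pattern to a variable name: a hook that blocks every commit containing a 40-character token gets disabled within a week. Wired in as a pre-commit or CI step, the non-zero exit stops the push before GitHub's scanner, or an attacker's, ever sees the key.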

A Strategically Deployed Attack

The attackers, operating behind a virtual private network (VPN), launched their attack on AWS accounts with calculated reconnaissance, checking which regions were enabled for each compromised account before deploying EC2 instances. These operations resulted in more than 400 API calls, signifying the automated and stealthy nature of the attacks. The Monero-mining EC2 instances launched were mainly large-format, exploiting cloud resources for higher mining efficiency. Interestingly, the attackers used Drive to host the mining payload because of the anonymity and protection measures it offers. The masterminds also made full use of Monero's privacy features, making attribution exceedingly difficult for the investigators.
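The sequence described above, region reconnaissance followed by a burst of large EC2 launches from a single principal, is what a defender would look for in CloudTrail. The following is an added example and not code from Unit 42 or AWS: it groups simplified CloudTrail-like events by principal, looks for a reconnaissance call (`GetCallerIdentity` or `DescribeRegions`, real API names; treating them as the recon marker is this example's own heuristic) followed within a window by `RunInstances` of large instance sizes, and reports the regions touched, the instances requested and the API-call volume in that window. The events are constructed sample data, with a fictitious account ID.

```python
from collections import defaultdict
from datetime import datetime, timedelta
from typing import Dict, List

# API calls that reveal the caller's identity or the regions enabled for the account.
# These are real AWS actions; using them as the "recon" marker is this example's heuristic.
RECON_CALLS = {"GetCallerIdentity", "DescribeRegions"}

# Instance-size suffixes we treat as "large-format" (the sizes the article says were favoured).
LARGE_SIZES = {"xlarge", "2xlarge", "4xlarge", "8xlarge", "12xlarge",
               "16xlarge", "24xlarge", "metal"}

# Constructed, simplified CloudTrail-like events. Account ID and principals are fictitious.
ACCOUNT = "arn:aws:iam::111122223333:user/"
EVENTS = [
    {"eventTime": "2023-09-01T10:00:00Z", "principal": ACCOUNT + "ci-deploy",
     "eventName": "GetCallerIdentity", "awsRegion": "us-east-1", "requestParameters": {}},
    {"eventTime": "2023-09-01T10:00:05Z", "principal": ACCOUNT + "ci-deploy",
     "eventName": "DescribeRegions", "awsRegion": "us-east-1", "requestParameters": {}},
    {"eventTime": "2023-09-01T10:01:00Z", "principal": ACCOUNT + "ci-deploy",
     "eventName": "RunInstances", "awsRegion": "us-east-1",
     "requestParameters": {"instanceType": "c5.24xlarge", "maxCount": 10}},
    {"eventTime": "2023-09-01T10:02:00Z", "principal": ACCOUNT + "ci-deploy",
     "eventName": "RunInstances", "awsRegion": "us-west-2",
     "requestParameters": {"instanceType": "c5.24xlarge", "maxCount": 10}},
    # A legitimate operator: no recon burst, one small instance. Must not alert.
    {"eventTime": "2023-09-01T11:00:00Z", "principal": ACCOUNT + "ops-admin",
     "eventName": "DescribeInstances", "awsRegion": "us-east-1", "requestParameters": {}},
    {"eventTime": "2023-09-01T11:05:00Z", "principal": ACCOUNT + "ops-admin",
     "eventName": "RunInstances", "awsRegion": "us-east-1",
     "requestParameters": {"instanceType": "t3.micro", "maxCount": 1}},
]


def parse_time(stamp: str) -> datetime:
    return datetime.strptime(stamp, "%Y-%m-%dT%H:%M:%SZ")


def is_large(instance_type: str) -> bool:
    """'c5.24xlarge' -> True, 't3.micro' -> False."""
    return instance_type.split(".", 1)[-1] in LARGE_SIZES


def analyze(events: List[Dict], window: timedelta = timedelta(minutes=30)) -> List[Dict]:
    """Return one alert per principal that launched large instances shortly after recon."""
    by_principal = defaultdict(list)
    for event in sorted(events, key=lambda e: e["eventTime"]):
        by_principal[event["principal"]].append(event)

    alerts = []
    for principal, evs in by_principal.items():
        recon_times = [parse_time(e["eventTime"]) for e in evs if e["eventName"] in RECON_CALLS]
        if not recon_times:
            continue
        start = min(recon_times)
        end = start + window
        in_window = [e for e in evs if start <= parse_time(e["eventTime"]) <= end]
        launches = [e for e in in_window
                    if e["eventName"] == "RunInstances"
                    and is_large(e["requestParameters"].get("instanceType", ""))]
        if not launches:
            continue
        alerts.append({
            "principal": principal,
            "first_recon": start.isoformat(),
            "regions": sorted({e["awsRegion"] for e in launches}),
            "instances_requested": sum(e["requestParameters"].get("maxCount", 1) for e in launches),
            "api_calls_in_window": len(in_window),
        })
    return alerts


if __name__ == "__main__":
    for alert in analyze(EVENTS):
        print(alert)
```

Fan-out across regions is the strongest signal here: a CI credential that normally deploys to one region suddenly launching 24xlarge instances in two regions within minutes of `DescribeRegions` is worth paging on, whatever the total call count. The `api_calls_in_window` field is there so the threshold the article mentions (hundreds of calls in a short burst) can be added as a second condition once you know your own baseline.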