In the ever-evolving landscape of cybersecurity threats, a new ongoing campaign has emerged, known as EleKtra-Leak. This campaign targets Amazon Web Services (AWS) Identity and Access Management (IAM) credentials exposed in public GitHub repositories, using them for cryptojacking.
The Modus Operandi
EleKtra-Leak begins with an automated process that scans public GitHub repositories for exposed IAM credentials. Within minutes of detecting exposed keys, the threat actors use tools to clone the repositories. Once a repository with exposed IAM credentials has been identified, EleKtra-Leak rapidly extracts the credentials. This is the critical moment for the threat actors, as they gain the keys needed to control AWS resources.
After acquiring these keys, the threat actors perform reconnaissance on the AWS accounts, which lets them understand the extent of the resources they can access and control. From there, they create AWS security groups, which manage the inbound and outbound traffic rules for the AWS resources they will launch. Once these rules are in place, the threat actors launch multiple AWS Elastic Compute Cloud (EC2) instances, which are then used for cryptojacking: mining the cryptocurrency Monero into wallets they control.
This nefarious operation has been active since at least December 2020 and is designed to mine the cryptocurrency Monero. Between August 30 and October 6, the threat actor leveraged at least 474 unique Amazon Elastic Compute Cloud (EC2) instances for cryptojacking. What makes this campaign stand out is the automated targeting of AWS IAM credentials within just four minutes of their initial exposure on GitHub. This response time suggests that the threat actors are continuously scanning repositories to capture exposed keys. Additionally, the threat actor has been observed blocklisting AWS accounts that publicize IAM credentials, likely to obstruct further analysis.
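The sequence described above (reconnaissance, then CreateSecurityGroup, then RunInstances from the same access key within minutes) is also what a defender can look for in CloudTrail. The following Python script is an added example, not code from the original post: it runs that check over constructed CloudTrail records. The event names are real CloudTrail/EC2 API names; the key IDs, timestamps and the ten-minute window are assumptions.

```python
"""Flag the EleKtra-Leak sequence (recon -> CreateSecurityGroup -> RunInstances)
in CloudTrail records. Added example with constructed data, not the post's code."""
import json
from collections import defaultdict
from datetime import datetime, timedelta

# Read-only calls that typically precede resource creation in this campaign.
RECON = {"GetCallerIdentity", "DescribeRegions", "DescribeInstances", "DescribeVpcs"}

# Constructed sample records, one JSON object per line; key IDs are placeholders.
SAMPLE_LOG = """
{"eventTime":"2023-10-01T12:00:05Z","eventName":"GetCallerIdentity","userIdentity":{"accessKeyId":"AKIAEXAMPLEKEY000001"}}
{"eventTime":"2023-10-01T12:00:20Z","eventName":"DescribeRegions","userIdentity":{"accessKeyId":"AKIAEXAMPLEKEY000001"}}
{"eventTime":"2023-10-01T12:01:10Z","eventName":"CreateSecurityGroup","userIdentity":{"accessKeyId":"AKIAEXAMPLEKEY000001"}}
{"eventTime":"2023-10-01T12:02:30Z","eventName":"RunInstances","userIdentity":{"accessKeyId":"AKIAEXAMPLEKEY000001"}}
{"eventTime":"2023-10-01T12:03:00Z","eventName":"RunInstances","userIdentity":{"accessKeyId":"AKIAEXAMPLEKEY000001"}}
{"eventTime":"2023-10-01T09:00:00Z","eventName":"DescribeInstances","userIdentity":{"accessKeyId":"AKIAEXAMPLEKEY000002"}}
{"eventTime":"2023-10-01T15:00:00Z","eventName":"RunInstances","userIdentity":{"accessKeyId":"AKIAEXAMPLEKEY000002"}}
"""

def parse_events(log_text):
    """Parse one CloudTrail record per line into (time, eventName, accessKeyId)."""
    out = []
    for line in log_text.strip().splitlines():
        rec = json.loads(line)
        out.append((datetime.strptime(rec["eventTime"], "%Y-%m-%dT%H:%M:%SZ"),
                    rec["eventName"], rec["userIdentity"]["accessKeyId"]))
    return out

def find_compromise_chains(events, window=timedelta(minutes=10)):
    """Return {accessKeyId: instance launches} for keys that did recon, then
    created a security group, then launched EC2, all within `window`."""
    by_key = defaultdict(list)
    for ev in events:
        by_key[ev[2]].append(ev)
    hits = {}
    for key, evs in by_key.items():
        evs.sort()
        for i, (t0, name, _) in enumerate(evs):
            if name not in RECON:
                continue
            names = [n for t, n, _ in evs[i:] if t - t0 <= window]
            if "CreateSecurityGroup" in names:
                after_sg = names[names.index("CreateSecurityGroup"):]
                if "RunInstances" in after_sg:
                    hits[key] = after_sg.count("RunInstances")
                    break
    return hits
```

The second key in the sample does recon and a launch six hours apart with no security group in between, so it is not flagged; the rule keys on the full sequence and the short window, not on any single API call.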
Why does this Matter?
This campaign underscores the importance of securing AWS IAM credentials. When these credentials are left exposed, the door is open to malicious actors who can exploit them for cryptojacking and other types of cyberattacks. The speed with which EleKtra-Leak launches mining operations, within minutes of exposure, shows the capability of the threat.
Cryptojacking is a prevalent form of cybercrime that involves the unauthorized use of computing resources to mine cryptocurrencies. Its consequences include money laundering, financial losses, reduced system performance, and even reputational damage for the victims.
How to Protect Yourself
In the face of emerging cyber threats such as EleKtra-Leak, safeguarding your digital assets and data is paramount. Here are a few steps you can take to protect your organisation:
Regularly rotate IAM credentials:
Ensure that your IAM credentials are rotated frequently. This limits the exposure of long-lived keys and reduces the window of opportunity for threat actors.
Implement strong access policies:
Enforce robust access policies within your organization. Restrict IAM permissions to the bare minimum required for each user or application, following the principle of least privilege.
Monitor GitHub Repositories:
Keep an eye on your GitHub repositories. Regularly scan them for exposed IAM credentials and other sensitive information, and consider using third-party tools or methodologies to do this.
Leverage AWS Security features:
Make use of AWS Security features, such as AWSCompromisedKeyQuarantine, to automatically flag and prevent the misuse of compromised IAM credentials.
Educate your team:
Ensure that your development and IT teams are well informed about the risks and best practices for safeguarding IAM credentials. This could mean conducting awareness programs or regular training; both go a long way in preventing inadvertent exposure of IAM keys.
Implement MFA:
Implement multi-factor authentication for AWS accounts to add an additional layer of security. Even if the IAM credentials are exposed, MFA can potentially prevent unauthorized access.
Secure your cloud infrastructure:
Beyond IAM, it’s important to ensure your cloud infrastructure is properly secured. Regularly assess and improve the security settings of your AWS resources, including EC2 instances and security groups.
Act swiftly:
If you discover exposed IAM credentials, act immediately. Revoke the compromised keys and any API access that uses them, and remove them from your repository to prevent unauthorized access.
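One way to implement the repository check recommended above, as an added example rather than tooling from the original post: a pre-commit style scanner that looks for AWS access key IDs and secret access keys in files before they are pushed. The AKIA/ASIA prefixes and 20/40-character lengths are AWS's documented key formats; the sample files are constructed, and the AKIAIOSFODNN7EXAMPLE pair is AWS's own documentation placeholder, not a live credential.

```python
"""Pre-commit style check for AWS IAM credentials in files about to be pushed.
Added example, not tooling from the original post; sample files are constructed."""
import re

# Access key IDs: fixed prefix (AKIA = long-term user key, ASIA = temporary STS
# key) followed by 16 uppercase alphanumerics.
ACCESS_KEY_RE = re.compile(r"\b(?:AKIA|ASIA)[0-9A-Z]{16}\b")
# Secret access keys are 40 base64-like chars; require a key-like variable name
# nearby so ordinary 40-char strings (hashes, tokens) are not reported.
SECRET_KEY_RE = re.compile(
    r"(?i)aws[_\-]?secret[_\-]?(?:access[_\-]?)?key\W{0,5}['\"]?([A-Za-z0-9/+=]{40})\b")

def scan_text(path, text):
    """Return (path, line_number, kind, redacted_prefix) for each finding."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), 1):
        for m in ACCESS_KEY_RE.finditer(line):
            findings.append((path, lineno, "access_key_id", m.group(0)[:8] + "..."))
        for m in SECRET_KEY_RE.finditer(line):
            findings.append((path, lineno, "secret_access_key", m.group(1)[:4] + "..."))
    return findings

def scan_files(files):
    """files: {path: contents}. Returns all findings across the set; a non-empty
    result is what a pre-commit hook would use to block the commit."""
    out = []
    for path, text in files.items():
        out.extend(scan_text(path, text))
    return out

# Constructed sample tree; the credential values are documentation placeholders.
SAMPLE_FILES = {
    "deploy/.env": ("AWS_ACCESS_KEY_ID=AKIAIOSFODNN7EXAMPLE\n"
                    "AWS_SECRET_ACCESS_KEY=wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY\n"),
    "README.md": "Set AWS_ACCESS_KEY_ID in your shell; never commit it.\n",
    "app/config.py": "SESSION_KEY = 'ASIAEXAMPLE123456789'\n",
}
```

Redacting the matched value in the finding matters: a scanner that prints the full key into CI logs or chat alerts just creates another place the credential is exposed.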
Conclusion
The EleKtra-Leak campaign is a clear reminder of the ever-present cybersecurity threats in the digital landscape. As organizations and individuals continue to rely on cloud services and code-sharing platforms, maintaining vigilance and implementing robust security measures is essential to safeguard valuable data and resources from cryptojacking and other malicious activities.
By adopting strong, unique passwords, enabling 2FA and monitoring your GitHub repositories, individuals can build a formidable defence against threats such as EleKtra-Leak. Maintaining vigilance, keeping software updated, and ensuring that you aren't leaking sensitive information, from IAM credentials to customer data, protects you against similar threats.
In the digital age, the battle against cyber threats is a collective effort. Staying well informed and practising safe online behaviours empowers you to face EleKtra-Leak and similar threats, and by spreading awareness we can contribute to a safer digital landscape for all.