Cryptojackers steal AWS credentials from GitHub in 5 minutes

Researchers just scratching surface of their understanding of campaign dating back to 2020


Security researchers have uncovered a multi-year cryptojacking campaign they claim autonomously clones GitHub repositories and steals their exposed AWS credentials.

Given the name "EleKtra-Leak" by researchers at Palo Alto Networks' Unit 42, the criminals behind the campaign regularly steal AWS credentials within five minutes of their exposure in GitHub repositories.

Minutes later, multiple Amazon Elastic Compute Cloud (EC2) instances can be launched in as many regions as possible to mine Monero. In the space of just over a month, between August 30 and October 6, the researchers identified 474 different miners being operated by "potentially actor-controlled EC2 instances."

Initial tests showed that GitHub's secret scanning feature largely worked as intended: it notified AWS of an exposed credential in a repository, and the cloud provider attached a quarantine policy to the exposed key within minutes to prevent misuse.

"We believe the threat actor might be able to find exposed AWS keys that aren't automatically detected by AWS and subsequently control these keys outside of the AWSCompromisedKeyQuarantine policy," said William Gamazo and Nathaniel Quist, senior principal researcher and manager of cloud threat intelligence at Unit 42, respectively.

"According to our evidence, they likely did. In that case, the threat actor could proceed with the attack with no policy interfering with their malicious actions to steal resources from the victims.

"Even when GitHub and AWS are coordinated to implement a certain level of protection when AWS keys are leaked, not all cases are covered. We highly recommend that CI/CD security practices, like scanning repos on commit, should be implemented independently."

AWS's quarantine policy is effective at stopping attacks, so the researchers overrode it in their own test environment to gain greater visibility into the campaign by letting it run as the attacker intended.

Unit 42 confirmed to The Register that the credentials it observed in the research were obtained by the attackers via GitHub, despite the AWS quarantine policy being applied rapidly, but the attackers also showed evidence of using other methods to acquire AWS credentials that were outside the scope of the investigation.

The researchers' current thinking is that the attackers are either retrieving credentials from GitHub by other means, or finding them exposed on a different platform.

"Despite successful AWS quarantine policies, the campaign maintains continuous fluctuation in the number and frequency of compromised victim accounts," the researchers said.

"Several speculations as to why the campaign is still active include that this campaign is not solely focused on exposed GitHub credentials or Amazon EC2 instance targeting."

Once the credentials are acquired, the criminals – working behind a VPN – perform reconnaissance to learn more about the account itself, such as which regions it has enabled. They then create security groups and launch EC2 instances in as many regions as are enabled for the account.

"They repeated the same operations across multiple regions, generating a total of more than 400 API calls and taking only seven minutes, according to CloudTrail logging," said the researchers. 

"This indicates that the actor is successfully able to obscure their identity while launching automated attacks against AWS account environments."
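The CloudTrail pattern described above (reconnaissance, security-group creation, then RunInstances in region after region within minutes from one access key) is what a defender would hunt for. The following detector is an added example and not Unit 42's code; the CloudTrail records it runs over are constructed for the demo, not real logs, and the ten-minute window and three-region threshold are assumptions rather than figures from the report.

```python
"""Flag one AWS access key that launches EC2 instances across many regions
within minutes, with the reconnaissance and security-group calls that
preceded it (added example; thresholds and sample events are assumptions)."""
from collections import defaultdict
from datetime import datetime, timedelta

CLOUDTRAIL_TIME = "%Y-%m-%dT%H:%M:%SZ"
PREP_EVENTS = {"DescribeRegions", "CreateSecurityGroup", "AuthorizeSecurityGroupIngress"}


def _ev(time, name, region, key, ip, itype=None):
    """Build a trimmed CloudTrail record with only the fields the detector reads."""
    rec = {"eventTime": time, "eventName": name, "awsRegion": region,
           "userIdentity": {"accessKeyId": key}, "sourceIPAddress": ip}
    if itype:
        rec["requestParameters"] = {"instanceType": itype}
    return rec


# Constructed sample: a stolen key sweeping four regions, plus a routine key.
STOLEN, ROUTINE, VPN_IP = "AKIAEXAMPLESTOLEN001", "AKIAEXAMPLEROUTINE01", "203.0.113.10"
SAMPLE_EVENTS = [
    _ev("2023-09-01T10:00:00Z", "DescribeRegions", "us-east-1", STOLEN, VPN_IP),
    _ev("2023-09-01T10:00:30Z", "CreateSecurityGroup", "us-east-1", STOLEN, VPN_IP),
    _ev("2023-09-01T10:00:35Z", "AuthorizeSecurityGroupIngress", "us-east-1", STOLEN, VPN_IP),
    _ev("2023-09-01T10:00:40Z", "RunInstances", "us-east-1", STOLEN, VPN_IP, "c5a.24xlarge"),
    _ev("2023-09-01T10:01:10Z", "CreateSecurityGroup", "us-west-2", STOLEN, VPN_IP),
    _ev("2023-09-01T10:01:20Z", "RunInstances", "us-west-2", STOLEN, VPN_IP, "c5a.24xlarge"),
    _ev("2023-09-01T10:02:00Z", "CreateSecurityGroup", "eu-west-1", STOLEN, VPN_IP),
    _ev("2023-09-01T10:02:10Z", "RunInstances", "eu-west-1", STOLEN, VPN_IP, "c5a.24xlarge"),
    _ev("2023-09-01T10:02:50Z", "RunInstances", "ap-southeast-1", STOLEN, VPN_IP, "c5a.24xlarge"),
    _ev("2023-09-01T09:00:00Z", "RunInstances", "us-east-1", ROUTINE, "198.51.100.7", "t3.micro"),
    _ev("2023-09-01T09:30:00Z", "DescribeInstances", "us-east-1", ROUTINE, "198.51.100.7"),
]


def _t(ev):
    return datetime.strptime(ev["eventTime"], CLOUDTRAIL_TIME)


def find_multi_region_launches(events, min_regions=3, window=timedelta(minutes=10)):
    """Return {accessKeyId: finding} for every key whose RunInstances calls hit
    at least `min_regions` distinct regions inside any span of length `window`."""
    by_key = defaultdict(list)
    for ev in events:
        key = ev.get("userIdentity", {}).get("accessKeyId")
        if key:
            by_key[key].append(ev)

    findings = {}
    for key, evs in by_key.items():
        evs.sort(key=_t)
        launches = [e for e in evs if e["eventName"] == "RunInstances"]
        for i, first in enumerate(launches):
            # Sliding window anchored on each launch in turn.
            burst = [e for e in launches[i:] if _t(e) - _t(first) <= window]
            regions = {e["awsRegion"] for e in burst}
            if len(regions) < min_regions:
                continue
            start, end = _t(first), _t(burst[-1])
            findings[key] = {
                "regions": sorted(regions),
                "launches": len(burst),
                "seconds": int((end - start).total_seconds()),
                "instance_types": sorted({e.get("requestParameters", {}).get("instanceType", "?")
                                          for e in burst}),
                # Recon and security-group setup made by the same key before the last launch.
                "prep_calls": sum(1 for e in evs if e["eventName"] in PREP_EVENTS and _t(e) <= end),
                "source_ips": sorted({e.get("sourceIPAddress", "?") for e in burst}),
            }
            break  # one finding per key is enough to page on
    return findings


if __name__ == "__main__":
    for key, f in find_multi_region_launches(SAMPLE_EVENTS).items():
        print(f"{key}: {f['launches']} RunInstances in {len(f['regions'])} regions "
              f"within {f['seconds']}s from {f['source_ips']} ({f['instance_types']})")
```

Run against real CloudTrail, the same function works on the `Records` array of a delivered log file; the routine key is not flagged because a single launch in one region never reaches the region threshold, and the per-key grouping means a VPN exit IP shared with legitimate users does not by itself cause a false positive.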

Diagram of the attack chain in the EleKtra-Leak campaign

The EC2 instances launched were large-format, mostly of type c5a.24xlarge. Cryptojacking campaigns typically choose such instances because they give the attackers more processing power and therefore faster mining returns.

Google Drive hosts the malicious mining payload. Abusing legitimate services is a tactic increasingly adopted by attackers because of the cover they afford: in Google Drive's case, shared-file URLs are anonymous and can't be linked back to a specific Google account.

It was just one technique that made attributing the attack difficult for the researchers. Another issue was the attackers' goal of mining Monero, a cryptocurrency with built-in privacy protections, again limiting their ability to trace the owner of wallets.

The miner payload is stored as an encrypted file and decrypted after it's downloaded, and researchers said it bears a resemblance to an earlier campaign from 2021.

Intezer previously documented a cryptojacking campaign that used malware with the same hash as the latest sample, leading the researchers to believe the two are at least connected.

For those looking for ways to mitigate the threat of exposing AWS credentials via GitHub, enabling secret scanning has been shown to be a highly effective tool for preventing misuse.
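Both the researchers' recommendation to scan repositories on commit independently of GitHub and the mitigation advice here come down to catching an AWS key before it is pushed. The following pre-commit scanner is an added example and not Unit 42's or GitHub's tooling: the access-key-ID rule relies on the documented `AKIA`/`ASIA` prefixes, while the secret-key rule (a 40-character token on a line mentioning "secret", filtered by Shannon entropy) is an assumed heuristic. The sample text is constructed for the demo and uses AWS's own documented example key pair.

```python
"""Commit-time scanner for AWS access keys, run as a git pre-commit hook
(added example; the secret-key heuristic and entropy threshold are assumptions)."""
import math
import re
import subprocess
import sys

# Long-term (AKIA) and temporary (ASIA) key IDs are 20 uppercase alphanumerics.
ACCESS_KEY_ID = re.compile(r"(?<![A-Z0-9])(?:AKIA|ASIA)[A-Z0-9]{16}(?![A-Z0-9])")
# Secret access keys are 40 characters; this alone matches hashes too, so the
# scanner also requires a "secret" hint on the line and high entropy (assumed rule).
SECRET_CANDIDATE = re.compile(r"(?<![A-Za-z0-9/+=])[A-Za-z0-9/+=]{40}(?![A-Za-z0-9/+=])")
SECRET_HINT = re.compile(r"secret", re.IGNORECASE)
MIN_ENTROPY = 3.5  # assumed threshold, bits per character


def shannon_entropy(s):
    """Bits per character; 0.0 for a string of one repeated character."""
    counts = {}
    for ch in s:
        counts[ch] = counts.get(ch, 0) + 1
    n = len(s)
    return sum((c / n) * math.log2(n / c) for c in counts.values())


def redact(tok):
    return tok[:4] + "..." + tok[-4:]


def scan_text(text):
    """Return [(line_no, kind, redacted_token)] for each suspected credential.
    Line numbers are relative to the text passed in."""
    findings = []
    for no, line in enumerate(text.splitlines(), start=1):
        for m in ACCESS_KEY_ID.finditer(line):
            findings.append((no, "access_key_id", redact(m.group())))
        if SECRET_HINT.search(line):
            for m in SECRET_CANDIDATE.finditer(line):
                if shannon_entropy(m.group()) >= MIN_ENTROPY:
                    findings.append((no, "secret_access_key", redact(m.group())))
    return findings


def staged_added_lines():
    """Only the '+' lines of the staged diff, so existing history is not re-flagged."""
    out = subprocess.run(["git", "diff", "--cached", "--unified=0"],
                         capture_output=True, text=True, check=True).stdout
    return "\n".join(l[1:] for l in out.splitlines()
                     if l.startswith("+") and not l.startswith("+++"))


# Constructed config fragment using AWS's documented example credentials.
SAMPLE = """\
# demo config, not a real account
aws_access_key_id = AKIAIOSFODNN7EXAMPLE
aws_secret_access_key = wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY
secret_sha = 0000000000000000000000000000000000000000
token = XAKIAABCDEFGHIJKLMNOPQRS
"""

if __name__ == "__main__":
    text = staged_added_lines() if "--staged" in sys.argv else SAMPLE
    hits = scan_text(text)
    for no, kind, tok in hits:
        print(f"line {no}: possible AWS {kind}: {tok}")
    sys.exit(1 if hits else 0)  # non-zero exit blocks the commit
```

Install it as `.git/hooks/pre-commit` invoking `python scan.py --staged`; the low-entropy 40-zero line and the key ID embedded inside a longer token in the sample are deliberately left unflagged to show the two false-positive controls.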

For any AWS credentials that are exposed, the API connections made using them should be immediately revoked, the researchers said. ®
