"EleKtra-Leak" Campaign Scoops Up Leaked IAM Credentials for a Rapid Cryptojacking Attack
Category: Cloud Security | Industry: Global | Source: Unit 42
A cloud credential theft campaign exploiting exposed identity and access management (IAM) credentials has been revealed by researchers from Unit 42. The campaign, tracked as "EleKtra-Leak", is reported to have spanned approximately two and a half years, dating back to December 2020, and it remains active. Unit 42's investigation identified the threat actor's objective as being to "create multiple AWS Elastic Compute (EC2) instances that they used for wide-ranging and long-lasting cryptojacking operations." The researchers found that the threat actor quickly leverages credentials exposed on GitHub, often within five minutes of their being detected. Notably, encoded credentials are not currently within the threat actor's scope, suggesting the threat actor is "not using tools capable of decoding Base64-encoded credentials at this time."
Insights into the threat actor's operations came to light through Unit 42's Prisma Cloud HoneyCloud project. Initially, AWS applied a quarantine policy to the account when the credentials were identified on GitHub. Importantly, this quarantine was not the result of a deliberate attack. The attackers swiftly initiated various API calls oriented around discovery, enumerating Virtual Private Clouds (VPCs), security groups, regions, instances, and IAM identities just four minutes after the quarantine policy came into effect, an indication of automated attacks. Subsequent API calls led to the creation of a security group and the launch of instances. Unit 42 discovered that "the actor's automation operation is behind a VPN. They repeated the same operations across multiple regions, generating a total of more than 400 API calls and taking only seven minutes, according to CloudTrail logging." To further their cryptomining goals, the attackers launched multiple large instances from Amazon Machine Images (AMIs) running Ubuntu 18, images that are not available in the AWS Marketplace.
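A defender-side illustration of the pattern described above, added here and not part of Unit 42's report: a small detector over constructed CloudTrail-style events that flags a principal whose discovery calls are followed by EC2 provisioning in several regions within a few minutes, while a slow, single-region administrator is left alone. The event layout, account number, ARNs, and thresholds are assumptions, not values from the report.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed CloudTrail-style events (not real log data). One principal runs a
# discovery burst and then provisions instances in several regions; a second
# principal does ordinary, slow, single-region work. Account id is a placeholder.
SAMPLE_EVENTS = [
    ("2023-09-01T10:00:05Z", "arn:aws:iam::111111111111:user/leaked-key", "us-east-1", "GetCallerIdentity"),
    ("2023-09-01T10:00:08Z", "arn:aws:iam::111111111111:user/leaked-key", "us-east-1", "DescribeRegions"),
    ("2023-09-01T10:00:11Z", "arn:aws:iam::111111111111:user/leaked-key", "us-east-1", "DescribeVpcs"),
    ("2023-09-01T10:00:14Z", "arn:aws:iam::111111111111:user/leaked-key", "us-east-1", "DescribeSecurityGroups"),
    ("2023-09-01T10:00:40Z", "arn:aws:iam::111111111111:user/leaked-key", "us-east-1", "CreateSecurityGroup"),
    ("2023-09-01T10:00:45Z", "arn:aws:iam::111111111111:user/leaked-key", "us-east-1", "RunInstances"),
    ("2023-09-01T10:01:10Z", "arn:aws:iam::111111111111:user/leaked-key", "eu-west-1", "DescribeVpcs"),
    ("2023-09-01T10:01:30Z", "arn:aws:iam::111111111111:user/leaked-key", "eu-west-1", "RunInstances"),
    ("2023-09-01T10:02:00Z", "arn:aws:iam::111111111111:user/leaked-key", "ap-south-1", "RunInstances"),
    ("2023-09-01T09:00:00Z", "arn:aws:iam::111111111111:user/ops-admin", "us-east-1", "DescribeInstances"),
    ("2023-09-01T11:30:00Z", "arn:aws:iam::111111111111:user/ops-admin", "us-east-1", "RunInstances"),
]

# API names tied to the discovery and provisioning phases described in the article.
DISCOVERY = {"GetCallerIdentity", "DescribeRegions", "DescribeVpcs",
             "DescribeSecurityGroups", "DescribeInstances", "ListUsers"}
PROVISIONING = {"CreateSecurityGroup", "RunInstances"}

def parse_time(s):
    return datetime.strptime(s, "%Y-%m-%dT%H:%M:%SZ")

def find_suspicious_principals(events, window=timedelta(minutes=10), min_regions=2):
    """Flag principals that run a discovery call and then provision EC2 resources
    in at least `min_regions` regions, all inside `window`. Returns {arn: details}."""
    by_arn = defaultdict(list)
    for ts, arn, region, name in events:
        by_arn[arn].append((parse_time(ts), region, name))
    hits = {}
    for arn, calls in by_arn.items():
        calls.sort()
        for i, (t0, _, name0) in enumerate(calls):
            if name0 not in DISCOVERY:
                continue
            span = [c for c in calls[i:] if c[0] - t0 <= window]  # calls inside the window
            regions = {r for _, r, n in span if n in PROVISIONING}
            if len(regions) >= min_regions:
                hits[arn] = {"first_discovery": t0, "regions": sorted(regions), "calls": len(span)}
                break
    return hits
```

Feeding real CloudTrail records means mapping `eventTime`, `userIdentity.arn`, `awsRegion` and `eventName` into the same tuples; the thresholds should be tuned to the account's normal automation.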
Between August 30th and October 6th, 2023, Unit 42 identified "474 unique miners that were potentially actor-controlled Amazon EC2 instances." However, because of the privacy controls built into the Monero cryptocurrency, the exact amount generated by the threat actors could not be fully traced. Additionally, the use of VPNs and of Google Drive for payload storage made it difficult to pinpoint the geographic location of the attackers. The campaign's attack vectors extend beyond credentials exposed on GitHub, with Unit 42 identifying additional mining instances that appear to be potential victims of this campaign but are not yet documented. Unit 42 warns that organizations need to continue to harden their environments and adhere to secure practices when operating in the cloud, as "83% of organizations expose hard-coded credentials within the production code repositories."