GitHub IAM Private Creds Are Being Cryptojacked by EleKtra-Leak

Palo Alto Networks Unit 42 security research team has found a staggering 83% of organizations have hard-coded credentials in their production code repositories.

Do you think that that’s not so bad since who will get into your code repositories? Well, bad news, bunkie, lots of people can get into your “private” repositories. Unit 42 researchers have uncovered an ongoing malicious campaign named “EleKtra-Leak” that steals your identity and access management (IAM) credentials directly from the private repository.

This campaign works by automating the process of targeting identity and access management (IAM) credentials that have been inadvertently made public on GitHub repositories. How efficient is this campaign? Very. Within a mere five minutes of exposure on GitHub, the threat actors are able to detect and exploit these IAM credentials.

EleKtra-Leak works by cloning public GitHub code repositories continuously. Then, in the privacy of their own instance, it scans for exposed AWS IAM credentials. Then, armed with the credentials, the cyber crooks behind this campaign successfully orchestrated the creation of numerous AWS Elastic Compute (EC2) instances.

To counteract and track these activities, Unit 42 created and exposed randomized Amazon Web Services and user accounts with specific IAM credentials to a public GitHub repository.

Amusingly enough, the threat actors have been blocking AWS accounts that habitually expose IAM credentials. Why? Perhaps to avoid detection. If so, it worked.

This attack has been going on for some time now. These instances have been harnessed for expansive and persistent cryptojacking operations over the past two years. And, of course, the campaign remains active to this day.

After all, it’s profitable. From Aug. 30 to Oct. 6, 2023, Unit 42 found 474 unique miners that were potentially actor-controlled Amazon EC2 instances. They were using these instances to mine Monero. How much money have they made? We don’t know. It’s impossible to track Monero’s wallets. But, I think we can safely say it’s a lot — and the companies whose IAMs have been duped lost even more.

So, what can you do to protect yourself? Well, let’s start with the obvious. Don’t use hard-coded credentials. Instead, as Unit 42 says, “We highly recommend that organizations use short-lived credentials to perform any dynamic functionality within a production environment.”


Of course, Unit 42 also recommends Prisma Cloud security services. But, they also have some other lower-price suggests

These include using the AWS-managed policy, AWSCompromisedKeyQuarantineV2. With this, AWS can automatically quarantine exposed IAM credentials This denies access to critical AWS services such as EC2, Lambda, and S3.

The security researchers also suggest using the GitHub Enterprise feature for auditing clone events. With this, you can spot potentially malicious operations targeting your GitHub repositories

In conclusion, Unit 42 emphasizes the significance of the Cloud Shared Responsibility Model. Users and organizations must be vigilant, ensuring the security and maintenance of their cloud resources. The call to action is clear: Build responsibly.

And, for pity’s sake, stop using hard-coded credentials.

GroupCreated with Sketch.