Exposed AWS credentials stolen within minutes by Github hackers
GitHub has a unique security feature: it scans the code for exposed Amazon Web Services (AWS) keys, among other things, and if it finds them, it reports them to AWS, which can act to prevent misuse – all in minutes.
However, it does not work with 100% accuracy and sometimes keys remain visible for a little longer. Some hackers managed to take advantage of that opportunity by taking the keys and creating Amazon Elastic Compute Cloud (EC2) instances.
They would later use these instances to mine the cryptocurrency Monero.
Mining Monero
The findings were published by Unit 42, the cybersecurity division of Palo Alto Networks, whose researchers dubbed the cryptojacking campaign “EleKtra-Leak” and claim it took hackers just five minutes to obtain the exposed keys.
In about a week, the attackers managed to generate at least 474 different miners, the researchers added.
“We believe the threat actors could potentially find exposed AWS keys that are not automatically detected by AWS and then control these keys outside of the AWSCompromisedKeyQuarantine policy,” said William Gamazo and Nathaniel Quist, senior principal investigator and manager of cloud threat intelligence. at unit 42.
“According to our evidence, that probably happened. In that case, the threat actors could proceed with the attack without any policies hindering their malicious actions to steal resources from the victims.
“Even if GitHub and AWS coordinate to implement some level of protection when AWS keys are leaked, not all cases will be covered. We strongly recommend that CI/CD security practices, such as repository scanning at commit, be implemented independently.”
After grabbing the keys, the crooks analyzed the account, looking for enabled regions. Then they create security groups and launch as many EC2 instances as possible.
Monero is described as a ‘private’ cryptocurrency, which is almost impossible to track. That’s why it’s one of the most popular choices among cybercriminals, especially those involved in ransomware and cryptojacking. Now that most people understand how Bitcoin’s transparent ledger works, it’s not as popular among criminals (although it still ranks quite highly).
Through The register