
GitHub-stored AWS credentials targeted by new cryptojacking campaign

Threat actors have been cloning publicly exposed GitHub repositories to exfiltrate Amazon Web Services credentials as part of the EleKtra-Leak cryptojacking operation, which commenced in 2020, reports The Register. The stolen AWS credentials are then used to deploy Monero-mining Amazon Elastic Compute Cloud instances, with attacker-controlled EC2 instances found to be operating 474 miners from Aug. 30 to Oct. 6, according to a report from Palo Alto Networks' Unit 42.

"We believe the threat actor might be able to find exposed AWS keys that aren't automatically detected by AWS and subsequently control these keys outside of the AWSCompromisedKeyQuarantine policy. According to our evidence, they likely did. In that case, the threat actor could proceed with the attack with no policy interfering with their malicious actions to steal resources from the victims," said researchers, who noted that attackers have used other approaches to obtain AWS logins while bypassing AWS policy. Such findings should prompt independent adoption of CI/CD security measures, researchers added.
