Exposed AWS credentials stolen within minutes by Github hackers

An abstract image of padlocks overlaying a digital background.
(Image credit: Shutterstock) (Image credit: Shutterstock)

GitHub has a unique security feature - it scans the code for exposed Amazon Web Services (AWS) keys (among other things) and if it finds them, it reports them to AWS which can act to prevent misuse - all within minutes.

However, it doesn’t work with 100% accuracy, and sometimes keys stay exposed for a bit longer. Some hackers managed to take advantage of that window of opportunity, grabbing the keys and creating Amazon Elastic Compute Cloud (EC2) instances.

They would later use those instances to mine the Monero cryptocurrency.

Mining Monero

The findings were published by Unit 42, the cybersecurity arm of Palo Alto Networks, whose researchers dubbed the cryptojacking campaign “EleKtra-Leak” and claim it took hackers only five minutes to grab the exposed keys. 

In roughly a week of time, the attackers managed to generate at least 474 different miners, the researchers added. 

"We believe the threat actor might be able to find exposed AWS keys that aren't automatically detected by AWS and subsequently control these keys outside of the AWSCompromisedKeyQuarantine policy," said William Gamazo and Nathaniel Quist, senior principal researcher and manager of cloud threat intelligence at Unit 42.

"According to our evidence, they likely did. In that case, the threat actor could proceed with the attack with no policy interfering with their malicious actions to steal resources from the victims.

"Even when GitHub and AWS are coordinated to implement a certain level of protection when AWS keys are leaked, not all cases are covered. We highly recommend that CI/CD security practices, like scanning repos on commit, should be implemented independently."

After grabbing the keys, the crooks would analyze the account, looking for enabled regions. After that, they create security groups and launch as many EC2 instances as they can.

Monero is described as a “private” cryptocurrency, one that is almost impossible to track. That is why it’s one of the most popular choices among cybercriminals, especially those engaged in ransomware and cryptojacking. Now that most people understand how Bitcoin’s transparent ledger works, it’s not as popular among criminals (although it still ranks quite high).

Via TheRegister

More from TechRadar Pro

Sead is a seasoned freelance journalist based in Sarajevo, Bosnia and Herzegovina. He writes about IT (cloud, IoT, 5G, VPN) and cybersecurity (ransomware, data breaches, laws and regulations). In his career, spanning more than a decade, he’s written for numerous media outlets, including Al Jazeera Balkans. He’s also held several modules on content writing for Represent Communications.