A new ongoing campaign dubbed EleKtra-Leak has set its eyes on exposed Amazon Web Services (AWS) identity and access management (IAM) credentials within public GitHub repositories to facilitate cryptojacking activities.
"As a result of this, the threat actor associated with the campaign was able to create multiple AWS Elastic Compute (EC2) instances that they used for wide-ranging and long-lasting cryptojacking operations," Palo Alto Networks Unit 42 researchers William Gamazo and Nathaniel Quist said in a technical report shared with The Hacker News.
The operation, active since at least December 2020, is designed to mine Monero from as many as 474 unique Amazon EC2 instances between August 30 and October 6, 2023.
A standout aspect of the attacks is the automated targeting of AWS IAM credentials within four minutes of their initial exposure on GitHub, indicating that threat actors are […] to capture the exposed keys.
The adversary has also been observed blocklisting AWS accounts that publicize IAM credentials, in what is likely an effort to prevent further analysis.