
Researchers discover a well-oiled campaign to steal AWS resources

  • October 31, 2023


Security researchers have discovered a sophisticated scheme in which hackers steal AWS credentials via GitHub and then misuse them to secretly activate AWS instances and use them to mine cryptocurrency.

Security researchers from Palo Alto’s Unit 42 have discovered a large-scale attack campaign that mines the cryptocurrency Monero at other people's expense for the attackers' financial gain. The researchers found an automated system that misuses data accidentally leaked via GitHub. The hackers need only a few minutes to exploit such a leak.

Unit 42 calls the campaign EleKtra-Leak. The attackers behind it can steal AWS credentials just five minutes after they appear on GitHub. AWS and GitHub have a partnership in which GitHub also scans for such data and passes it to AWS. AWS then automatically applies policies to prevent abuse. The scanning system does not appear to be watertight, and the criminals behind EleKtra-Leak are ready to catch anything that slips through the net.

Fast dismantling

As soon as the attackers have the credentials, they check what is possible and which regions they can access. They then launch as many c5a.24xlarge instances as possible in as many regions as possible. These are powerful instances with a lot of computing power. The hackers use them to mine as much of the Monero cryptocurrency as quickly as possible. The bill then goes to the victim.
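The launch pattern described above (one key, many regions, large instances, within minutes) can be searched for in CloudTrail logs. The following is an added example, not code from Unit 42 or the article; the sample records, key IDs, the 10-minute window and the three-region threshold are constructed assumptions.

```python
from collections import defaultdict
from datetime import datetime, timedelta

def _ev(time, region, key, itype, name="RunInstances"):
    """Build a constructed record shaped like a subset of a CloudTrail event."""
    return {"eventTime": time, "eventName": name, "awsRegion": region,
            "userIdentity": {"accessKeyId": key},
            "requestParameters": {"instanceType": itype}}

# Constructed sample data (key IDs are placeholders, not real credentials).
EVENTS = [
    _ev("2023-10-31T10:00:05Z", "us-east-1", "AKIAEXAMPLELEAKED001", "c5a.24xlarge"),
    _ev("2023-10-31T10:00:40Z", "eu-west-1", "AKIAEXAMPLELEAKED001", "c5a.24xlarge"),
    _ev("2023-10-31T10:01:10Z", "ap-south-1", "AKIAEXAMPLELEAKED001", "c5a.24xlarge"),
    _ev("2023-10-31T09:00:00Z", "us-east-1", "AKIAEXAMPLEBUILD0002", "c5a.24xlarge"),
    _ev("2023-10-31T15:00:00Z", "eu-west-1", "AKIAEXAMPLEBUILD0002", "c5a.24xlarge"),
    _ev("2023-10-31T10:02:00Z", "us-west-2", "AKIAEXAMPLEDEVOPS003", "t3.micro"),
]

WATCHED_TYPES = {"c5a.24xlarge"}   # instance type named in the article
WINDOW = timedelta(minutes=10)     # assumed detection window
MIN_REGIONS = 3                    # assumed alert threshold

def find_multi_region_bursts(events, window=WINDOW, min_regions=MIN_REGIONS):
    """Return {access_key_id: sorted regions} for keys that launched watched
    instance types in at least min_regions regions within one window."""
    launches = defaultdict(list)
    for ev in events:
        # Only successful RunInstances calls for the watched instance types.
        if ev.get("eventName") != "RunInstances" or ev.get("errorCode"):
            continue
        if ev.get("requestParameters", {}).get("instanceType") not in WATCHED_TYPES:
            continue
        key = ev.get("userIdentity", {}).get("accessKeyId", "unknown")
        when = datetime.strptime(ev["eventTime"], "%Y-%m-%dT%H:%M:%SZ")
        launches[key].append((when, ev["awsRegion"]))
    alerts = {}
    for key, items in launches.items():
        items.sort()
        start = 0
        for end in range(len(items)):
            # Slide the window start forward until it spans at most `window`.
            while items[end][0] - items[start][0] > window:
                start += 1
            regions = {region for _, region in items[start:end + 1]}
            if len(regions) >= min_regions:
                alerts[key] = sorted(regions)
                break
    return alerts
```

The second key in the sample launches the same instance type in two regions six hours apart, so it stays below the threshold; tune the window and region count to your own baseline.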

The campaign has been running since 2020. The attackers repeatedly manage to break into environments. The researchers themselves are not entirely sure why this is happening and suspect that the attackers may also have access to another source of credentials.

In any case, it is important not to expose AWS data via GitHub. If you do not make public any data that could be misused, you are not taking any risks.

Source: IT Daily
