Within 5 minutes, hackers were able to get AWS credentials from GitHub

Recent reports indicate that a new campaign under the name EleKtra-Leak has been identified to target AWS IAM (Identity and Access Management) credentials within minutes of their public exposure on GitHub.

This is done to perform cryptojacking activities through compromised AWS accounts.


Threat actors were using multiple Amazon EC2 instances to widen the scope of their cryptojacking attack and maintain persistence. The operation has been reported to be active since 2020 and specifically targets the mining of Monero.

It was also mentioned that 474 unique Amazon EC2 instances were observed mining Monero between August and October 2023.

Automated Scanning of GitHub Repos

The attackers' turnaround time has been observed to be as short as four minutes, which indicates that the threat actors are using automated scanners on GitHub to clone repositories and retrieve exposed AWS IAM credentials.

Additionally, the threat actors also seem to be connected with another cryptojacking campaign conducted in 2021, which targeted less secure Docker services using the same software.

However, it was also stated that the threat actors were able to find loopholes in GitHub’s secret scanning feature and AWSCompromisedKeyQuarantine Policy.

The AWSCompromisedKeyQuarantine Policy is applied within two minutes of an AWS credential being publicly exposed on GitHub, which suggests that the threat actors also rely on an as-yet-unidentified method to find the exposed keys.

Crypto Mining Operation

These exposed and stolen credentials are first used for initial information gathering; the attackers then create a new AWS security group and launch many EC2 instances across multiple regions, keeping them behind a Virtual Private Network (VPN).

Furthermore, the crypto mining operation was performed using a c5a.24xlarge EC2 instance, which has high processing power, allowing more cryptomining operations to be performed in a short period.
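The launch pattern described above (a new security group, followed by large instances in several regions from one access key) is something defenders can hunt for in CloudTrail. The following is an added detection example, not code from the report or from Unit 42; the event records are constructed sample data with made-up access key IDs, and the field names follow the CloudTrail record layout.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed CloudTrail-style records (sample data, not real telemetry): one key
# creates a security group, then launches c5a.24xlarge instances in several regions.
SAMPLE_EVENTS = [
    {"eventTime": "2023-09-01T10:00:00Z", "eventName": "GetCallerIdentity", "awsRegion": "us-east-1",
     "userIdentity": {"accessKeyId": "AKIAEXAMPLELEAKED000"}, "requestParameters": {}},
    {"eventTime": "2023-09-01T10:01:30Z", "eventName": "CreateSecurityGroup", "awsRegion": "us-east-1",
     "userIdentity": {"accessKeyId": "AKIAEXAMPLELEAKED000"}, "requestParameters": {}},
    {"eventTime": "2023-09-01T10:02:10Z", "eventName": "RunInstances", "awsRegion": "us-east-1",
     "userIdentity": {"accessKeyId": "AKIAEXAMPLELEAKED000"},
     "requestParameters": {"instanceType": "c5a.24xlarge"}},
    {"eventTime": "2023-09-01T10:03:05Z", "eventName": "RunInstances", "awsRegion": "eu-west-1",
     "userIdentity": {"accessKeyId": "AKIAEXAMPLELEAKED000"},
     "requestParameters": {"instanceType": "c5a.24xlarge"}},
    {"eventTime": "2023-09-01T10:03:40Z", "eventName": "RunInstances", "awsRegion": "ap-southeast-1",
     "userIdentity": {"accessKeyId": "AKIAEXAMPLELEAKED000"},
     "requestParameters": {"instanceType": "c5a.24xlarge"}},
    # Benign developer key: one small instance, one region, no new security group.
    {"eventTime": "2023-09-01T11:00:00Z", "eventName": "RunInstances", "awsRegion": "us-east-1",
     "userIdentity": {"accessKeyId": "AKIAEXAMPLEDEV000000"},
     "requestParameters": {"instanceType": "t3.micro"}},
]

LARGE_TYPES = {"c5a.24xlarge"}  # instance size named in the report; extend as needed

def parse_time(ts):
    return datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ")

def detect_burst_launches(events, window_minutes=30, min_regions=2):
    """Flag access keys that create a security group and then launch large
    instances in at least `min_regions` regions within `window_minutes`."""
    by_key = defaultdict(list)
    for ev in events:
        by_key[ev["userIdentity"]["accessKeyId"]].append(ev)
    alerts = []
    for key, evs in by_key.items():
        sg_times = sorted(parse_time(e["eventTime"]) for e in evs
                          if e["eventName"] == "CreateSecurityGroup")
        if not sg_times:
            continue  # no new security group: outside the pattern described
        start, end = sg_times[0], sg_times[0] + timedelta(minutes=window_minutes)
        regions = {e["awsRegion"] for e in evs
                   if e["eventName"] == "RunInstances"
                   and e["requestParameters"].get("instanceType") in LARGE_TYPES
                   and start <= parse_time(e["eventTime"]) <= end}
        if len(regions) >= min_regions:
            alerts.append({"accessKeyId": key, "regions": sorted(regions)})
    return alerts
```

On the sample data only the leaked key is flagged; the thresholds and instance-type list are tuning knobs for a real environment.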

Cloning and Monitoring of GitHub (Source: Palo Alto Unit42)

A complete report about this attack has been published by Unit 42 of Palo Alto, which provides detailed information about the attack, method of exploitation, and other information.


Eswar is a cyber security reporter with a passion for creating captivating and informative content. With years of experience in cyber security, he reports on data breaches, privacy, and APT threats.