"EleKtra-Leak Campaign Uses AWS Cloud Keys Found on Public GitHub Repositories to Run Cryptomining Operation"
Palo Alto Networks' Unit 42 has revealed an active attack campaign in which a threat actor searches GitHub repositories in real-time for Amazon Identity and Access Management (IAM) credentials and begins using them less than five minutes later. On virtual machines deployed on Amazon instances, the final payload runs customized Monero cryptocurrency mining software. GitHub provides many features for managing code on the platform. One of these features involves providing a list of all public repositories to any user who requests it, which allows developers to easily track various developments. The tracking is done in real-time, allowing anyone to see new repositories as soon as they are pushed to GitHub, including threat actors. This article continues to discuss findings regarding the EleKtra-Leak campaign.
Submitted by grigby1