IAM credentials exposed on GitHub
GitHub provides users with various features to manage their code. One feature allows users to access a list of all public repositories, enabling developers to monitor projects they are interested in. This feature updates in real time, making it easy for anyone, including threat actors, to identify new repositories as they are added to GitHub.
Researchers from Palo Alto Networks' Unit 42 discovered that Amazon Web Services Identity and Access Management credentials can be found in GitHub's public repositories and are actively sought after by cybercriminals.
In their analysis, the researchers placed IAM credentials on GitHub as a honeypot to monitor activity. They found that leaked AWS keys, which were encoded and stored on GitHub, were not accessed by threat actors. Instead, threat actors only retrieved clear text AWS keys hidden in a random file from a past commit.
This honeypot experiment allowed researchers to detect an attack campaign within five minutes of the credentials being posted on GitHub.
Technical details about this attack campaign
The campaign, named EleKtra-Leak, has been active since at least December 2020. Once IAM credentials are discovered, the attacker conducts reconnaissance to gather information about the AWS account being accessed.
After reconnaissance, the threat actor creates new AWS Security Groups and deploys multiple Amazon Elastic Compute Cloud instances across accessible AWS regions.
Over a span of seven minutes, researchers observed more than 400 API calls made via a VPN connection, indicating automated attacks on AWS accounts.
The threat actor targeted large cloud virtual machines with high processing power for cryptomining operations. Private Amazon Machine Images, particularly outdated Linux Ubuntu distributions, were chosen for deployment, suggesting the operation dates back to 2020.
The threat actor also took measures to block AWS accounts that frequently expose IAM credentials, potentially to evade threat researchers or honeypot systems.
The goal of this attack campaign: Cryptomining
Once reconnaissance is complete and virtual machines are launched, a payload is downloaded from Google Drive. This payload, encrypted on Google storage, is decrypted upon download.
The payload is a known cryptomining tool used in 2021, as reported by Intezer. The tool is configured to mine Monero cryptocurrency using the SupportXMR mining pool.
Between August 30, 2023, and October 6, 2023, 474 unique miners, representing unique Amazon EC2 instances, were identified. The financial gain from this operation is difficult to estimate due to Monero’s privacy controls.
GitHub's automated measures for detecting secrets
GitHub automatically scans for secrets in stored files and alerts service providers about any leaked secrets. During their investigation, researchers observed GitHub successfully detecting secrets stored as honeypot data and notifying Amazon, leading to the implementation of a quarantine policy to prevent further attacks.
While GitHub and AWS collaborate to protect against leaked keys, the researchers believe that not all cases are covered. They warn that other victims of this threat actor may have been targeted in different ways.
How to mitigate this cybersecurity risk
Avoid storing IAM credentials on GitHub or any online platform. Remove exposed credentials from repositories and generate new credentials to replace them.
Use short-lived credentials for dynamic operations in production environments.
Monitor GitHub repositories used by the organization and audit clone events to detect unauthorized access. Consider using tools like Trufflehog for constant scanning of repositories for secrets.
If repositories do not need to be public, use private GitHub repositories with access restricted to authorized personnel. Implement multifactor authentication to prevent unauthorized access with leaked credentials.
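As an added illustration (not code from Unit 42 or this article), the scanner below covers the gap the honeypot exposed: the key was pulled from a past commit, not from the current tree, so a check of HEAD alone finds nothing. It assumes a local clone with git on PATH, matches only AWS access key ID prefixes (AKIA long-term, ASIA temporary), and the sample log text is constructed.

```python
import re
import subprocess

# AWS access key IDs are 20 characters: a 4-letter prefix plus 16 uppercase alphanumerics.
# Secret keys are not matched here; 40-character base64 strings produce too many false positives.
ACCESS_KEY_RE = re.compile(r"\b((?:AKIA|ASIA)[A-Z0-9]{16})\b")
COMMIT_RE = re.compile(r"^commit ([0-9a-f]{7,40})")
FILE_RE = re.compile(r"^\+\+\+ b/(.+)")

def find_keys_in_history(log_text):
    """Walk `git log -p --all` output and report every access key ID ever added,
    with the commit and file it appeared in, even if a later commit removed it."""
    findings = []
    commit = path = None
    for line in log_text.splitlines():
        m = COMMIT_RE.match(line)
        if m:
            commit, path = m.group(1), None
            continue
        m = FILE_RE.match(line)
        if m:
            path = m.group(1)
            continue
        # Only added lines matter; "+++" is the file header, not content.
        if line.startswith("+") and not line.startswith("+++"):
            for key in ACCESS_KEY_RE.findall(line):
                findings.append((commit, path, key))
    return findings

def scan_repo(repo_dir):
    """Run the history scan against a real checkout: all branches, full history."""
    out = subprocess.run(["git", "-C", repo_dir, "log", "-p", "--all", "--no-color"],
                         capture_output=True, text=True, check=True).stdout
    return find_keys_in_history(out)

# Constructed sample of `git log -p` output (newest commit first): a key added to
# config/old.env in one commit and deleted in the next. HEAD is clean; history is not.
SAMPLE_LOG = """\
commit 2b1c3d4e5f60718293a4b5c6d7e8f9a0b1c2d3e4
diff --git a/config/old.env b/config/old.env
--- a/config/old.env
+++ /dev/null
-AWS_ACCESS_KEY_ID=AKIAEXAMPLEEXAMPLE01
commit 1a2b3c4d5e6f708192a3b4c5d6e7f8a9b0c1d2e3
diff --git a/config/old.env b/config/old.env
--- /dev/null
+++ b/config/old.env
+AWS_ACCESS_KEY_ID=AKIAEXAMPLEEXAMPLE01
+AWS_SECRET_ACCESS_KEY=<placeholder-secret>
"""
```

Any hit means the key must be treated as compromised and rotated; rewriting history afterwards is housekeeping, not remediation, because public repository events are already visible to anyone watching the feed.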