GitHub used by criminals to steal AWS keys

Cyber criminals are specifically looking for leaked AWS keys in GitHub repositories. They use the access these keys provide to set up online servers for cryptomining. This was discovered by security researchers from Unit 42, a company that specializes in protection against cyberattacks. They dubbed the campaign for the theft of AWS keys via GitHub "EleKtra-Leak".
Public GitHub repositories serve as a gateway to the keys
According to Unit 42, public GitHub repositories are a popular place for cybercriminals to search for exposed IAM keys to gain access to AWS. Under certain conditions, the hackers are able to detect the exposed keys in less than 5 minutes after publication on GitHub.
The attack directly targets Amazon Elastic Compute Cloud (EC2) instances. The criminals use these virtual computers, which Amazon users can rent, to run long-term cryptojacking operations. The Unit 42 researchers assume that these operations have been going on for at least two years.
The campaign is probably only being noticed now because the attackers were clever and ignored AWS accounts that regularly disclose IAM keys. This made their actions more difficult to recognize and track.
To make tracking easier, the Unit 42 team publishes homemade AWS keys on GitHub. As soon as Amazon recognizes the majority of the keys, it quarantines the associated account. This prevents hackers from gaining access.
This is why the attackers explicitly search for keys that are not secured by the protection system. GitHub cannot recognize all leaked keys. Unit 42 recommends that companies implement CI/CD security practices independently in order to protect their own keys.
The research team's report states that around 83% of all companies disclose hard-coded credentials, making them an easy target for attack.
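One way to apply the CI/CD recommendation above, as an added example (not code from Unit 42 or the original article): a check that scans the lines a commit adds for AWS access key IDs and secret access keys before they reach a public repository. The function names, the regular expressions (common heuristics) and the sample diff are assumptions constructed for illustration.

```python
import re

# Long-term IAM user keys start with AKIA, temporary STS keys with ASIA;
# both are 20 upper-case alphanumeric characters in total.
ACCESS_KEY_ID = re.compile(r"\b(?:AKIA|ASIA)[A-Z0-9]{16}\b")
# Heuristic: a 40-character value assigned to a name containing "secret".
SECRET_KEY = re.compile(
    r"(?i)secret[\w-]*\s*[:=]\s*[\"']?([A-Za-z0-9/+]{40})(?![A-Za-z0-9/+])"
)

# Constructed sample diff; both credentials are made up for this example.
SAMPLE_DIFF = """\
diff --git a/deploy/settings.py b/deploy/settings.py
--- a/deploy/settings.py
+++ b/deploy/settings.py
@@ -10,3 +10,4 @@ REGION = "eu-central-1"
 BUCKET = "example-bucket"
+AWS_ACCESS_KEY_ID = "AKIAABCDEFGHIJKLMNOP"
+AWS_SECRET_ACCESS_KEY = "abcdEFGHijklMNOPqrstUVWXyz0123456789/+AB"
 TIMEOUT = 30
-DEBUG = True
"""

def redact(value):
    """Keep only enough of the value to identify it in a report."""
    return value[:4] + "*" * (len(value) - 8) + value[-4:]

def scan_added_lines(diff_text):
    """Return (file, line_no, kind, redacted) for keys on added diff lines."""
    findings, path, line_no = [], None, 0
    for line in diff_text.splitlines():
        if line.startswith("+++ "):
            path = line[4:].removeprefix("b/")
        elif line.startswith("@@"):
            m = re.search(r"\+(\d+)", line)  # start line in the new file
            line_no = int(m.group(1)) - 1 if m else 0
        elif line.startswith("+"):
            line_no += 1
            for m in ACCESS_KEY_ID.finditer(line):
                findings.append((path, line_no, "access_key_id", redact(m.group())))
            for m in SECRET_KEY.finditer(line):
                findings.append((path, line_no, "secret_access_key", redact(m.group(1))))
        elif line.startswith(" "):
            line_no += 1  # context line advances the new-file counter
    return findings

if __name__ == "__main__":
    print(*scan_added_lines(SAMPLE_DIFF), sep="\n")
```

In a pre-commit hook or CI job, pass it the output of `git diff --cached` and fail the step when the returned list is not empty. Findings are redacted so the report itself does not leak the key.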
Learn protective measures on GitHub and cyber security with AWS
As in many cases, AWS locks the accounts on GitHub automatically as soon as open login data is available. However, this does not always work. It is therefore advisable to revoke all API connections and the AWS IAM key.
Hackers would first have to copy the GitHub repository in order to identify the keys. This process is monitored by GitHub and would allow the criminals themselves to fall into the trap. This makes it easier to monitor and track the illegal processes.
To do this, GitHub uses "Prisma Cloud", a CI/CD module that informs account owners directly if keys are visible, repositories are cloned from GitHub or applications are not running as desired.
These protective measures are therefore sensible and should be used by all users of AWS applications in conjunction with GitHub.
It also makes sense to familiarize yourself with the cyber security applications within Amazon Web Services. In our AWS Security Best Practices training, you will learn about some applications and the best ways to protect accounts. With AWS Security Governance at Scale, you can automate account security. When implemented and used correctly, AWS offers numerous control functions that ensure that accounts and applications remain secure at all times. Implement identity management for AWS and use the AWS Control Tower to set up a secure landing zone. This keeps accounts safe from attacks on the keys.