Unit 42 researchers have identified an active campaign we are calling EleKtra-Leak, which performs automated targeting of exposed identity and access management (IAM) credentials within public GitHub repositories. As a result of this, the threat actor associated with the campaign was able to create multiple AWS Elastic Compute (EC2) instances that they used for wide-ranging and long-lasting cryptojacking operations.
Unit 42 researchers believe these operations have been active for at least two years and are still active today. We found that the actor was able to detect and use the exposed IAM credentials within five minutes of their initial exposure on GitHub. This finding specifically highlights how threat actors can leverage cloud automation techniques to achieve their goals of expanding their cryptojacking operations.
Source: Palo Alto Unit 42