December 12, 2023

Palo Alto Networks Unit 42 warns about a new campaign targeting AWS IAM credentials within public GitHub repositories.

The campaign dubbed as EleKtra-Leak, described as both sophisticated and concerning, due to the widespread use of AWS services across the globe. EleKtra-Leak leverages automated tools that allow threat actors to clone public GitHub code repositories continuously, scanning for exposed AWS IAM credentials. Once those credentials are detected, they’re exploited to create multiple AWS EC2 instances.

Once attackers have established new EC2 instances, they use them for extensive cryptojacking operations, where computing power is hijacked to mine cryptocurrencies. Those behind the attacks chose Monero for their operations, a cryptocurrency renowned for its privacy features and a long-favoured choice among the cybercriminal community.


While monitoring the cryptojacking pool used in the EleKtra-Leak operation for a span of 45 days, since Aug 30th 2023, the Unit 42 researchers found 474 unique miners that were potentially actor-controlled Amazon EC2 instances.

The rapid nature of which the EleKtra-Leak campaign operates is also highlighted in the research. The researchers observed that, in some cases, the threat actors could exploit exposed IAM credentials within mere minutes of their appearance on GitHub, underscoring the level of automation and sophistication involved in the campaign.

The threat actors behind EleKtra-Leak were found to blacklist AWS accounts that habitually expose IAM credentials. The tactic is believed to be a protective measure, likely aimed at evading honey traps set up by security researchers. The report notes that by sidestepping these potential pitfalls, the threat actors demonstrate a keen awareness of the cybersecurity landscape, and the countermeasures researchers might deploy.


The counterstrategies, including automating the creation of randomized AWS and user accounts equipped with deliberately over-permissive IAM credentials. The approach was designed to study the threat actors’ behaviours and gather more insights into the campaign.

As cloud services become more integrated into our digital infrastructure, users and organizations must recognize their roles in maintaining security. The report emphasizes that it’s up to organizations to ensure proper configurations, timely patching, diligent maintenance, and continuous security monitoring. Proactive defense and informed vigilance are crucial to combating cyber threats such as EleKtra-Leak.

Leave a Reply

This site uses Akismet to reduce spam. Learn how your comment data is processed.