30 October 2023

EleKtra-Leak operation abuses exposed AWS IAM credentials for cryptojacking


A new report from Palo Alto Networks’ threat intelligence team Unit 42 reveals how cybercriminals are exploiting exposed Identity and Access Management (IAM) keys to launch cryptojacking attacks on cloud infrastructure.

Dubbed ‘EleKtra-Leak,’ the campaign automatically targets AWS IAM credentials that have been exposed in public GitHub repositories. The operation, active since at least 2020, uses automated tooling to clone public GitHub repositories and scan their contents for AWS IAM access keys.
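As an added illustration of the scanning step described above (example code written for this page, not Unit 42's tooling and not the actor's), the following Python script does to a cloned repository what the campaign's automation does: it looks for AWS access key IDs and secret keys in file contents and reports the files that expose a complete, usable key pair. The regexes, the sample repository contents and the file paths are assumptions constructed for the example; the key values are the placeholders from AWS's own documentation, not real keys. The same scanner can be fed `git log -p` output, because a key removed from the working tree usually survives in the commit history.

```python
import re
from dataclasses import dataclass

# Long-term access key IDs start with AKIA, temporary (STS) ones with ASIA; both are 20 characters.
ACCESS_KEY_RE = re.compile(r"\b((?:AKIA|ASIA)[0-9A-Z]{16})\b")
# A secret key is 40 Base64-ish characters. A bare 40-char token matches far too much (hashes,
# session tokens), so only flag one that sits next to a recognisable variable name.
SECRET_KEY_RE = re.compile(
    r"(?i)(?:aws_?)?secret(?:_?access)?_?key\s*[=:]\s*[\"']?([A-Za-z0-9/+=]{40})(?![A-Za-z0-9/+=])"
)


@dataclass(frozen=True)
class Finding:
    path: str
    line_no: int
    kind: str    # "access_key_id" or "secret_access_key"
    value: str


def scan_text(path, text):
    """Return every credential-looking token in one file's contents."""
    findings = []
    for line_no, line in enumerate(text.splitlines(), start=1):
        for m in ACCESS_KEY_RE.finditer(line):
            findings.append(Finding(path, line_no, "access_key_id", m.group(1)))
        for m in SECRET_KEY_RE.finditer(line):
            findings.append(Finding(path, line_no, "secret_access_key", m.group(1)))
    return findings


def scan_files(files):
    """files: mapping of path -> contents (from a cloned tree or from `git log -p` output)."""
    findings = []
    for path, text in files.items():
        findings.extend(scan_text(path, text))
    return findings


def usable_pairs(findings):
    """Pair a key ID with a secret found in the same file. A complete pair is what an attacker
    needs to sign API calls, so it warrants immediate rotation rather than a low-priority ticket."""
    by_path = {}
    for f in findings:
        by_path.setdefault(f.path, {}).setdefault(f.kind, f.value)
    return {p: (k["access_key_id"], k["secret_access_key"])
            for p, k in by_path.items()
            if "access_key_id" in k and "secret_access_key" in k}


def redact(token):
    """Never echo a live secret into a report or a log."""
    return token[:4] + "..." + token[-4:]


# Constructed sample repository contents (hypothetical). The credential values are the
# placeholder keys from AWS documentation, not real keys.
SAMPLE_REPO = {
    ".env": "AWS_ACCESS_KEY_ID=AKIAIOSFODNN7EXAMPLE\n"
            "AWS_SECRET_ACCESS_KEY=wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY\n",
    "README.md": "Run `aws configure` locally; never commit keys.\n",
    "infra/terraform.tfvars": 'access_key = "AKIAI44QH8DHBEXAMPLE"\n'
                              'secret_key = "je7MtGbClwBF/2Zp9Utk/h3yCo8nvbEXAMPLEKEY"\n',
}

if __name__ == "__main__":
    found = scan_files(SAMPLE_REPO)
    for f in found:
        print(f"{f.path}:{f.line_no}: {f.kind} {redact(f.value)}")
    for path, (key_id, _secret) in usable_pairs(found).items():
        print(f"ROTATE NOW: {path} exposes a complete key pair for {redact(key_id)}")
```

Run against a real checkout, the only change needed is to build the `files` mapping from `os.walk` (or from `git log -p`); the matching logic stays the same. Treat every hit on a key ID as real until proven otherwise: the ID alone is enough for an attacker to confirm which account it belongs to.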

Once credentials are found, they are used to create multiple Amazon Elastic Compute Cloud (EC2) instances. The researchers said they identified 474 unique miners that were potentially actor-controlled EC2 instances. The instances received their mining configuration through EC2 user data, which contained the Monero wallet address to which each miner delivered its mined Monero.

“The data we collected shows indications that the actor’s automation operation is behind a VPN. They repeated the same operations across multiple regions, generating a total of more than 400 API calls and taking only seven minutes, according to CloudTrail logging. This indicates that the actor is successfully able to obscure their identity while launching automated attacks against AWS account environments,” the team wrote.
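Added example, not from the page and not from Unit 42's report: the two signals above, a burst of EC2 launches across several regions within minutes under one access key, and launch user data that carries a mining wallet, both land in CloudTrail. The following Python detector reads a batch of CloudTrail records and flags access keys that exhibit the pattern. The records, region list, the thresholds (10 launches in at least 3 regions inside 10 minutes) and the Monero address pattern are constructed assumptions for the example; it also assumes the RunInstances request parameters expose the base64 user data under `requestParameters.userData`, so check that against your own trail. The wallet string in the sample is a placeholder of the right shape, not a real address.

```python
import base64
import re
from collections import defaultdict
from datetime import datetime, timezone

# Simplified heuristic for a Monero standard address: 95 Base58 characters starting with '4'.
MONERO_ADDR_RE = re.compile(r"\b4[1-9A-HJ-NP-Za-km-z]{94}\b")


def ct_event(event_time, region, event_name, access_key_id, user_data=None):
    """Build a minimal CloudTrail record with only the fields the detector reads (constructed)."""
    params = {}
    if user_data is not None:
        params["userData"] = base64.b64encode(user_data.encode()).decode()
    return {
        "eventTime": event_time,
        "eventSource": "ec2.amazonaws.com",
        "eventName": event_name,
        "awsRegion": region,
        "userIdentity": {"type": "IAMUser", "accessKeyId": access_key_id},
        "requestParameters": params,
    }


def parse_time(s):
    return datetime.strptime(s, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def user_data_wallets(event):
    """Decode a launch's user data and pull out anything that looks like a Monero address."""
    b64 = event.get("requestParameters", {}).get("userData")
    if not b64:
        return []
    try:
        text = base64.b64decode(b64).decode("utf-8", errors="replace")
    except ValueError:  # binascii.Error is a ValueError subclass
        return []
    return MONERO_ADDR_RE.findall(text)


def detect_launch_bursts(events, window_seconds=600, min_regions=3, min_calls=10):
    """Return {accessKeyId: details} for keys that issued at least min_calls RunInstances
    across at least min_regions regions inside any window_seconds-long sliding window."""
    by_key = defaultdict(list)
    for e in events:
        if e.get("eventSource") == "ec2.amazonaws.com" and e.get("eventName") == "RunInstances":
            by_key[e["userIdentity"].get("accessKeyId", "?")].append(e)
    alerts = {}
    for key, evs in by_key.items():
        evs.sort(key=lambda e: parse_time(e["eventTime"]))
        times = [parse_time(e["eventTime"]) for e in evs]
        start = 0
        for end in range(len(evs)):
            while (times[end] - times[start]).total_seconds() > window_seconds:
                start += 1
            window = evs[start:end + 1]
            regions = {e["awsRegion"] for e in window}
            if len(window) >= min_calls and len(regions) >= min_regions:
                prev = alerts.get(key)
                if prev is None or len(window) > prev["calls"]:  # keep the densest window
                    alerts[key] = {
                        "calls": len(window),
                        "regions": sorted(regions),
                        "span_seconds": int((times[end] - times[start]).total_seconds()),
                        "wallets": sorted({w for e in window for w in user_data_wallets(e)}),
                    }
    return alerts


REGIONS = ["us-east-1", "us-west-2", "eu-west-1", "eu-central-1", "ap-southeast-1", "ap-northeast-1"]
FAKE_WALLET = "4" + "A" * 94          # placeholder with the right shape, not a real address
MINER_USER_DATA = "#!/bin/bash\n./xmrig -o pool.example.invalid:3333 -u " + FAKE_WALLET + "\n"
LEAKED_KEY = "AKIAIOSFODNN7EXAMPLE"    # AWS documentation placeholder key ID


def sample_events():
    """Constructed trail: 12 miner launches across 6 regions in under 7 minutes from the leaked
    key, mixed with one legitimate launch and some read-only calls from another key."""
    events = []
    for i in range(12):
        minute, second = divmod(i * 35, 60)
        events.append(ct_event(f"2023-10-30T12:{minute:02d}:{second:02d}Z",
                               REGIONS[i % len(REGIONS)], "RunInstances", LEAKED_KEY, MINER_USER_DATA))
    events.append(ct_event("2023-10-30T12:01:00Z", "us-east-1", "RunInstances", "AKIAEXAMPLEBENIGN000"))
    for i in range(20):
        events.append(ct_event(f"2023-10-30T12:{i:02d}:00Z", "us-east-1",
                               "DescribeInstances", "AKIAEXAMPLEBENIGN000"))
    return events


if __name__ == "__main__":
    for key, a in detect_launch_bursts(sample_events()).items():
        print(f"{key}: {a['calls']} RunInstances in {a['span_seconds']}s across "
              f"{len(a['regions'])} regions; wallets={a['wallets']}")
```

The multi-region fan-out is the robust part of the rule: an autoscaling group or a deployment pipeline launches many instances, but almost always in the regions it is configured for, whereas an attacker racing to spend a stolen key launches everywhere the key works. Tune `min_regions` to the number of regions your account legitimately uses, and alert on the wallet match independently, since one miner in one region is still a compromise.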

The threat actors have also been observed blocklisting AWS accounts that repeatedly expose IAM credentials, most likely to avoid the honey traps (deliberately leaked canary credentials) set up by researchers.

“Organizations that do inadvertently expose AWS IAM credentials should immediately revoke any API connections made using this credential. The organization should also remove the AWS IAM credential from their GitHub repository and new AWS IAM credentials should be generated to fulfill the desired functionality. We highly recommend that organizations use short-lived credentials to perform any dynamic functionality within a production environment,” the Unit 42 team advised.
