After laying out a honeypot of credentials, a team from the cybersecurity vendor Palo Alto saw some tricksters (very) quickly taking the treats.
According to the company’s October report, threat actors took under five minutes to pick up exposed Amazon Web Services (AWS) identity and access management (IAM) credentials, placed within public GitHub repositories, and use them to support cryptojacking operations.
The threat actors’ moves met with swift and automated action from both AWS quarantining and GitHub “secret scanning.” This is perhaps an example of what’s to come: a future matchup of super-fast cats and super-fast mice.
Attackers’ vs. defenders’ automation. “GitHub was able to detect the exposed credential within two minutes of it actually being exposed, and then notify us that it was exposed, and AWS was very fast at stopping this, or putting that quarantine policy in place,” Nathaniel “Q” Quist, manager of cloud threat intelligence with Palo Alto Networks’ Prisma Cloud and Unit 42, told IT Brew.
He also noted: “What was very interesting was the attacker was able to, within five minutes, also scan and detect that particular exposed credential, and then immediately start performing reconnaissance.”
IAM hungry. Once AWS IAM credentials are obtained, the group Palo Alto named “EleKtra-Leak” in its October post can spin up an EC2 instance, or virtual server, and mine for cryptocurrency.
The act of cryptojacking, or secretly generating cryptocurrency on someone else’s computer, requires large amounts of computing power, which the cloud provides if the opportunity (or credential) shows itself, particularly in a public repository like GitHub.
According to research from Palo Alto, 83% of organizations expose hard-coded credentials in production-code environments.
To catch the fast-moving cryptojackers, Palo Alto’s threat-research team Unit 42 built a deliberately compromisable environment it named HoneyCloud, which invited malicious activity while tracking it (including EC2 launches), alongside an automation architecture that scanned GitHub repositories in real time.
GitHub’s “Secret Scanning” feature discovered the exposed keys and notified AWS, which applied a quarantine policy to the IAM user associated with the keys, according to the post, co-written by Quist.
Unit 42 researchers said in the report that they removed the quarantine policy so they could keep tracking the threat actor’s operation, and the team believes the threat actors can also find exposed keys that aren’t automatically detected by AWS.
“During our monitoring of the cryptojacking pool used in the EleKtra-Leak operation, Aug. 30–Oct. 6, 2023, we found 474 unique miners that were potentially actor-controlled Amazon EC2 instances,” read the report.
Customers still sometimes inadvertently expose credentials in public code repositories, a spokesperson at Amazon told IT Brew via email.
“When AWS detects this exposure, we automatically apply a policy to quarantine the IAM user with the compromised credentials to drastically limit the actions available to that user, and we notify the customer. The security researchers, as they described in their blog, disabled these security controls,” Amazon said in a statement via AWS spokesperson Patrick Neighorn in an email to IT Brew.
Organizations can scan their configuration files and cloud code repositories to ensure hardcoded credentials are not present. Ed Lewis, director of secure cloud transformation at the consultancy Optiv, recommended application-security tools, and noted that the speed of the attack is “worrying,” especially when infosec pros may not be as quick to respond while they have hundreds of other vulnerabilities to worry about.
“Having automation to combat the automation of bad actors is going to be pretty important,” Lewis told IT Brew.
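The scan Lewis recommends can be started with a short script. The following is an added example written for this page, not code from Unit 42, GitHub, AWS, or Optiv: it walks a directory (or a string of file contents) looking for AWS access key IDs by their AKIA/ASIA prefix, looks for 40-character secret keys next to a secret-key-style variable name, and uses a Shannon-entropy threshold to skip obvious filler such as `xxxx...`. The sample config text, the fake key `AKIA0000000000TEST00`, the `placeholder` flag, and the entropy cutoff of 3.5 bits are all assumptions of this example; `AKIAIOSFODNN7EXAMPLE` and the `wJalr...EXAMPLEKEY` secret are AWS's own documentation placeholders and are flagged as such rather than ignored, since a real key pasted over a placeholder looks identical to a regex.

```python
"""Find hard-coded AWS credentials in source and config files (added example)."""
import math
import re
from collections import Counter
from pathlib import Path

# Access key IDs: AKIA (long-term) or ASIA (temporary) plus 16 uppercase alphanumerics.
ACCESS_KEY_RE = re.compile(r"\b((?:AKIA|ASIA)[0-9A-Z]{16})\b")

# Secret keys are 40 chars of base64-like text. Requiring an assignment to a
# secret-key-style name keeps random hashes and commit IDs from matching.
SECRET_KEY_RE = re.compile(
    r"(?i)(?:aws_?secret_?access_?key|aws_?secret|secret_?key)\s*[=:]\s*['\"]?"
    r"([A-Za-z0-9/+=]{40})(?![A-Za-z0-9/+=])"
)

# AWS documentation placeholders (real values AWS publishes as examples).
DOC_PLACEHOLDERS = {"AKIAIOSFODNN7EXAMPLE", "AKIAI44QH8DHBEXAMPLE"}

# Assumed cutoff: genuine 40-char secrets score well above 4 bits/char,
# filler like "xxxx..." or "CHANGEME..." scores far below.
MIN_SECRET_ENTROPY = 3.5

SKIP_DIRS = {".git", "node_modules", ".venv", "__pycache__"}


def shannon_entropy(s: str) -> float:
    """Bits of entropy per character of s (0.0 for an empty or single-character string)."""
    if not s:
        return 0.0
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in Counter(s).values())


def scan_text(text: str, path: str = "<memory>") -> list[dict]:
    """Return one finding dict per credential-looking token in text."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), 1):
        for m in ACCESS_KEY_RE.finditer(line):
            key = m.group(1)
            findings.append({
                "path": path, "line": lineno, "kind": "aws_access_key_id",
                "value": key, "placeholder": key in DOC_PLACEHOLDERS,
            })
        for m in SECRET_KEY_RE.finditer(line):
            secret = m.group(1)
            entropy = shannon_entropy(secret)
            if entropy < MIN_SECRET_ENTROPY:
                continue  # low-entropy filler, not a usable secret
            findings.append({
                "path": path, "line": lineno, "kind": "aws_secret_access_key",
                "value": secret[:4] + "..." + secret[-4:],  # never log the full secret
                "entropy": round(entropy, 2), "placeholder": secret.endswith("EXAMPLEKEY"),
            })
    return findings


def scan_tree(root: str) -> list[dict]:
    """Scan every regular file under root, skipping VCS and dependency directories."""
    findings = []
    for p in Path(root).rglob("*"):
        if any(part in SKIP_DIRS for part in p.parts) or not p.is_file():
            continue
        try:
            text = p.read_text(encoding="utf-8", errors="ignore")
        except OSError:
            continue
        findings.extend(scan_text(text, str(p)))
    return findings


# Constructed sample input for demonstration; no real credentials.
SAMPLE_CONFIG = """\
[default]
aws_access_key_id = AKIAIOSFODNN7EXAMPLE
aws_secret_access_key = wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY

[prod]
aws_access_key_id = AKIA0000000000TEST00
aws_secret_access_key = xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
commit = 3f2a9c1e5b7d8e0f1a2b3c4d5e6f708192a3b4c5
"""


if __name__ == "__main__":
    for f in scan_text(SAMPLE_CONFIG, "sample.ini"):
        print(f)
```

In a CI pipeline the same scan belongs in a pre-commit hook as well, because the five-minute window in the report starts at the push, not at the next scheduled scan; a hit on a `placeholder` is low severity, anything else should fail the build and trigger key rotation.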