Cryptojackers steal AWS credentials from GitHub in 5 minutes

Security researchers have uncovered a multi-year cryptojacking campaign they claim autonomously clones GitHub repositories and steals their exposed AWS credentials. Given the name "EleKtra-Leak" by researchers at Palo Alto Networks's Unit 42, the criminals behind the campaign are credited with regularly stealing AWS …

  1. Peter-Waterman1

    So, someone uploads their secret key and passcode to GitHub, and it takes 5 mins for the bad guys to get it. Seems like this is a user issue, not a GitHub/AWS/Azure/GCP issue. So many questions, like why are they not federating access, why are they not checking for secrets when they push to GitHub, why don’t they use MFA. Then on the detective side, some basic alerts to monitor unusual behaviour are not really difficult to implement. This is all 101 stuff really.

    1. Hairy Airey

      Least privilege

      The bigger question is why are people using AWS credentials this way? Ideally you use an account that has the least access necessary to perform the task at hand. So for example you're using Terraform to build multiple instances. The account you use should only be able to build those specific instances. (There's probably an opportunity here to write separate code that gives an account those least privileges and warns if the account is "overprivileged"). This is essentially AWS best practice.

      The lack of professionalism in our industry makes me want to cry sometimes. Yes it's hard work, but that's why you are not an amateur at this business. I hope.

      1. FrogsAndChips Silver badge

        Re: Least privilege

        First rule of AWS IAM: delete access keys, use roles to give temporary privileges to resources. Then, if you need specific credentials, store them in ParameterStore or SecretsManager. There is absolutely no reason to store credentials in clear text in your code, especially if you make it available in GitHub.
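
Hairy Airey's comment above suggests code that warns when an account is "overprivileged". The following is an added example, not code from the article or from any commenter: it compares an IAM policy document against the actions a job needs and reports grants beyond them. The policy, the `REQUIRED` set and the function names are constructed for illustration, and the Terraform EC2 scenario is taken from the comment.

```python
import fnmatch
import json

# Constructed sample policy for a deploy user that only has to build EC2 instances.
SAMPLE_POLICY = json.loads("""
{"Version": "2012-10-17",
 "Statement": [
  {"Effect": "Allow", "Action": ["ec2:RunInstances", "ec2:Describe*"], "Resource": "*"},
  {"Effect": "Allow", "Action": "iam:*", "Resource": "*"},
  {"Effect": "Allow", "Action": "s3:GetObject", "Resource": "arn:aws:s3:::example-tfstate/*"},
  {"Effect": "Deny", "Action": "ec2:TerminateInstances", "Resource": "*"}
 ]}
""")

# Assumed task profile: the actions the job actually needs.
REQUIRED = {"ec2:RunInstances", "ec2:DescribeInstances", "ec2:DescribeImages", "s3:GetObject"}


def as_list(value):
    """IAM allows a single string/object where a list is also valid."""
    return value if isinstance(value, list) else [value]


def audit(policy, required):
    """Return (findings, missing): over-broad Allow grants and uncovered needs."""
    findings, covered = [], set()
    needed = {r.lower(): r for r in required}  # IAM action names are case-insensitive
    for idx, stmt in enumerate(as_list(policy["Statement"])):
        if stmt.get("Effect") != "Allow":
            continue  # Deny statements only narrow access; not modelled here
        if "NotAction" in stmt:
            findings.append((idx, "NotAction", "allows everything except the listed actions"))
            continue
        for pattern in as_list(stmt.get("Action", [])):
            # IAM wildcards (* and ?) behave like shell globs for this purpose
            hits = [o for low, o in needed.items() if fnmatch.fnmatchcase(low, pattern.lower())]
            covered.update(hits)
            if not hits:
                findings.append((idx, pattern, "grants no required action"))
            elif pattern.split(":")[-1] == "*":
                findings.append((idx, pattern, "service-wide wildcard"))
    return findings, sorted(required - covered)


if __name__ == "__main__":
    over, missing = audit(SAMPLE_POLICY, REQUIRED)
    for idx, pattern, reason in over:
        print(f"statement {idx}: {pattern}: {reason}")
    print("required but not granted:", missing)
```

Prefix wildcards such as `ec2:Describe*` pass as long as they cover a required action; tightening that, or checking `Resource` scope, is a policy decision for whoever owns the account.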

