Full Report
Unit 42 researchers identified a campaign dubbed EleKtra-Leak, which performs automated targeting of exposed identity and access management (IAM) credentials within public GitHub repositories.
Analysis Summary
# Threat Actor: EleKtra-Leak (Campaign Identifier)
## Attribution & Identity
Unknown. This entity is tracked as a specific campaign activity rather than a formally named threat group.
## Activity Summary
EleKtra-Leak is an automated campaign identified by Unit 42 researchers that actively scans public GitHub repositories to find and exploit exposed Identity and Access Management (IAM) credentials.
## Tactics, Techniques & Procedures
- Automated targeting of exposed IAM credentials.
- Credential harvesting from code repositories (specifically GitHub).
- Exploitation leading to cloud compute resource hijacking (Cryptojacking).
- **Observed Techniques:** Cloud compute cryptojacking; credential harvesting from code repositories.
## Targeting
- **Sectors:** Not explicitly detailed; the campaign targets exposed credentials, which are relevant to any organization using cloud infrastructure (implicitly all sectors that use cloud IAM).
- **Geography:** Not explicitly detailed; targets are selected based on public code exposure rather than geographic location.
- **Victims:** Organizations with publicly exposed cloud IAM credentials stored in GitHub repositories.
## Tools & Infrastructure
- **Malware Families Used:** Not explicitly mentioned; the campaign relies on using the discovered credentials directly.
- **Infrastructure:** Not explicitly detailed.
## Implications
The primary implication is the immediate risk of resource hijacking and unauthorized access due to poor credential hygiene (storing secrets in public repositories). This campaign focuses on low-hanging fruit by leveraging already leaked secrets for direct financial gain via cryptojacking.
## Mitigations
- Strictly prohibit committing or pushing any IAM credentials, API keys, or other software secrets to publicly visible repositories, especially on platforms like GitHub.
- Implement Secret Scanning tools provided by GitHub or third parties to automatically detect and notify repository owners of committed secrets.
- Regularly audit and rotate any credentials that may have been exposed.
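One way to implement the secret-scanning mitigation above, as an added example that is not code from the Unit 42 report: a small Python scanner that flags AWS-style access key IDs and high-entropy secret-key assignments in text before it is committed. It assumes the widely published key formats (an `AKIA`/`ASIA` prefix plus 16 uppercase alphanumerics for access key IDs, 40 base64-like characters for secret keys); the sample file contents and key values are constructed for illustration.

```python
import math
import re
from dataclasses import dataclass

# Assumed AWS formats: long-term access key IDs start with "AKIA", temporary
# STS keys with "ASIA", each followed by 16 uppercase alphanumerics.
ACCESS_KEY_RE = re.compile(r"\b((?:AKIA|ASIA)[0-9A-Z]{16})\b")
# Secret access keys are 40 base64-like characters. To limit false positives
# we only flag them next to a suggestive variable name AND if high-entropy.
SECRET_ASSIGN_RE = re.compile(
    r"(?i)aws[_-]?secret[_-]?access[_-]?key\s*[=:]\s*['\"]?([A-Za-z0-9/+=]{40})")


@dataclass(frozen=True)
class Finding:
    line_no: int
    kind: str
    redacted: str  # never carry the full secret into logs or CI output


def shannon_entropy(s: str) -> float:
    """Bits per character; 40 identical characters score 0.0."""
    counts = {c: s.count(c) for c in set(s)}
    return -sum(n / len(s) * math.log2(n / len(s)) for n in counts.values())


def redact(value: str) -> str:
    return value[:4] + "*" * (len(value) - 8) + value[-4:]


def scan_text(text: str, min_entropy: float = 3.5) -> list[Finding]:
    """Return one Finding per suspected credential, in line order."""
    findings = []
    for line_no, line in enumerate(text.splitlines(), start=1):
        for m in ACCESS_KEY_RE.finditer(line):
            findings.append(Finding(line_no, "aws_access_key_id", redact(m.group(1))))
        for m in SECRET_ASSIGN_RE.finditer(line):
            if shannon_entropy(m.group(1)) >= min_entropy:
                findings.append(Finding(line_no, "aws_secret_access_key", redact(m.group(1))))
    return findings


# Constructed sample of a config file committed by mistake (illustrative values).
SAMPLE = """\
# constructed sample config
aws_access_key_id = AKIAEXAMPLEEXAMPLE12
aws_secret_access_key = wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY
aws_secret_access_key = aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa
region = us-east-1
"""

if __name__ == "__main__":
    for f in scan_text(SAMPLE):
        print(f"line {f.line_no}: {f.kind} {f.redacted}")
```

Wired into a pre-commit hook or CI step, a non-empty result should block the push; the low-entropy placeholder on line 4 is deliberately not flagged.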