Credentials exposed in public GitHub repositories facilitate cryptojacking.
Coinminers exploit IAM credentials.
Palo Alto Networks’ Unit 42 is tracking a campaign they're calling “EleKtra-Leak,” which is performing “automated targeting of exposed identity and access management (IAM) credentials within public GitHub repositories.” The researchers note, “[T]he threat actor associated with the campaign was able to create multiple AWS Elastic Compute (EC2) instances that they used for wide-ranging and long-lasting cryptojacking operations. We believe these operations have been active for at least two years and are still active today.”
Unit 42 adds, “We found that the actor was able to detect and use the exposed IAM credentials within five minutes of their initial exposure on GitHub. This finding specifically highlights how threat actors can leverage cloud automation techniques to achieve their goals of expanding their cryptojacking operations.”
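The harvesting Unit 42 describes works because long-term IAM access key IDs have a fixed, greppable shape (a 20-character token beginning with AKIA, or ASIA for temporary STS credentials), and the actor's automation evidently greps public commits for it faster than most teams can revoke. The same pattern can be checked on the defender's side before a commit is ever published. What follows is an added example, not Unit 42's tooling and not anything from the original page: a small Python pre-commit scanner that looks for access key IDs and labelled secret keys in the added lines of a staged diff, reporting the new-file line number of each hit. The regular expressions, the `Finding` type, the hook layout and the sample credentials file and diff are my own constructions; the two key values they contain are AWS's documented placeholder keys, not real credentials.

```python
"""Pre-commit scan for AWS access keys (added example, not the page's code)."""
import re
import subprocess
import sys
from dataclasses import dataclass

# Access key IDs are 20 characters: a 4-letter prefix plus 16 uppercase
# alphanumerics.  AKIA = long-term IAM user key, ASIA = temporary STS key.
ACCESS_KEY_RE = re.compile(r"\b((?:AKIA|ASIA)[A-Z0-9]{16})\b")

# A secret access key is 40 base64-alphabet characters.  Alone that matches
# far too much, so require a label like aws_secret_access_key on the line,
# allowing up to four separator characters (" = ", ': "', ...) in between.
SECRET_KEY_RE = re.compile(
    r"(?i)secret(?:_access)?_?key\W{0,4}([A-Za-z0-9/+=]{40})(?![A-Za-z0-9/+=])"
)

# Unified-diff hunk header; group 1 is the first line number in the new file.
HUNK_RE = re.compile(r"^@@ -\d+(?:,\d+)? \+(\d+)(?:,\d+)? @@")


@dataclass(frozen=True)
class Finding:
    kind: str   # "access_key_id" or "secret_access_key"
    line: int   # 1-based line number in the scanned text / new file
    value: str  # the matched token; mask it before logging it anywhere


def scan_text(text: str) -> list[Finding]:
    """Return every AWS-credential-shaped token in text, in line order."""
    findings: list[Finding] = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        for m in ACCESS_KEY_RE.finditer(line):
            findings.append(Finding("access_key_id", lineno, m.group(1)))
        for m in SECRET_KEY_RE.finditer(line):
            findings.append(Finding("secret_access_key", lineno, m.group(1)))
    return findings


def scan_added_lines(diff_text: str) -> list[Finding]:
    """Scan only the '+' lines of a unified diff (what a commit would publish),
    reporting line numbers as they will appear in the new file."""
    findings: list[Finding] = []
    in_hunk, new_lineno = False, 0
    for line in diff_text.splitlines():
        if line.startswith("diff --git"):
            in_hunk = False          # next file section; its headers follow
            continue
        m = HUNK_RE.match(line)
        if m:
            in_hunk, new_lineno = True, int(m.group(1))
            continue
        if not in_hunk or line.startswith("\\"):
            continue                 # file headers, index lines, "\ No newline"
        if line.startswith("+"):
            for f in scan_text(line[1:]):
                findings.append(Finding(f.kind, new_lineno, f.value))
            new_lineno += 1
        elif not line.startswith("-"):
            new_lineno += 1          # context line; removed lines don't advance


    return findings


def staged_findings() -> list[Finding]:
    """What `git commit` is about to record; call from .git/hooks/pre-commit."""
    diff = subprocess.run(
        ["git", "diff", "--cached", "-U0", "--no-color"],
        capture_output=True, text=True, check=True,
    ).stdout
    return scan_added_lines(diff)


def mask(value: str) -> str:
    return value[:4] + "..." + value[-4:]


# Constructed sample inputs.  The key values are AWS's documented placeholders.
SAMPLE_CONFIG = """\
# constructed ~/.aws/credentials-style file
[default]
region = us-east-1
aws_access_key_id = AKIAIOSFODNN7EXAMPLE
aws_secret_access_key = wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY
"""

SAMPLE_DIFF = """\
diff --git a/config/settings.py b/config/settings.py
--- a/config/settings.py
+++ b/config/settings.py
@@ -10,3 +10,5 @@ DEBUG = False
 REGION = "us-east-1"
+# TODO: move these to the credential store
+AWS_ACCESS_KEY_ID = "AKIAIOSFODNN7EXAMPLE"
+AWS_SECRET_ACCESS_KEY = "wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY"
 BUCKET = "reports"
"""

if __name__ == "__main__":
    # With --staged, block the commit if anything credential-shaped is added.
    hits = staged_findings() if "--staged" in sys.argv else scan_added_lines(SAMPLE_DIFF)
    for f in hits:
        print(f"{f.kind} at new-file line {f.line}: {mask(f.value)}", file=sys.stderr)
    sys.exit(1 if hits else 0)
```

Two caveats worth keeping in mind. First, a hook like this only helps before the push; given the five-minute window Unit 42 measured, a key that has already reached a public repository must be treated as compromised and deactivated or rotated in IAM first, with history rewriting a distant second, because deleting the commit does nothing for a credential that has already been harvested. Second, pattern matching catches the common shape but not every leak (a key pasted without its label, a key split across lines, or credentials for a different provider), so it belongs alongside, not instead of, hosted secret scanning and, better still, removing long-term keys in favour of short-lived credentials so there is nothing durable to leak.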
Sure, don't expose credentials (but at the same time show the developers some love and understanding).
It can be easy to dismiss anyone who would leave IAM credentials exposed as a hopeless stumblebum unfit for any employment more taxing than that of, say, a paperweight, perhaps a bookend, but let's think about it before we cast the first stone. How easy do the systems we put in place make it to commit this sort of error? Jeff Williams, co-founder and CTO of Contrast Security, wrote in emailed comments that developers have a lot to deal with, and that the tools they're given, indeed the very environments in which they operate, can lend themselves to fostering oversights of this kind. We want systems that will, metaphorically, fail safe, not fail deadly.
“Disappointing that we are struggling with the very simplest of cybersecurity issues. It’s not complicated, you just don’t post your keys in public," Williams wrote. Clausewitz said it of war, and it might equally be said of development: everything is simple, but the simplest thing is hard. "However, it’s also not fair to blame developers. There are thousands of these kinds of issues, and they have to perform perfectly on all of them or get dragged for being dumb or lazy. We need better authentication systems that make it easier for developers to make good choices. They should never be tempted to put their keys in AWS because doing things the right way is too difficult. Let’s make the secure path the easiest one as well.”