A concerning revelation has emerged with EleKtra-Leak’s campaign focusing on exposed Amazon Web Services (AWS) IAM credentials in public GitHub repositories. The objective? Facilitating cryptojacking operations. This operation has been active since at least December 2020, with evidence pointing towards the mining of Monero using Amazon EC2 instances from August to October 2023.
A significant point of concern is the swift, automated targeting. Within four minutes of an AWS IAM credential’s exposure on GitHub, threat actors can clone and scan repositories, capturing exposed keys. That speed leaves almost no window in which to revoke a leaked key before it is abused.
Interestingly, the attacker has shown efforts to blocklist AWS accounts that disclose IAM credentials, possibly to thwart any deeper scrutiny.
Related Cybersecurity Concerns: Past Patterns Emerge
Certain indications link this attacker to a previous cryptojacking campaign targeting Docker services. This campaign took advantage of gaps in GitHub’s secret scanning and AWS’s policies. Even though AWS has a policy that flags compromised credentials within minutes of their public exposure on GitHub, the method of exposure remains undetermined.
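Because the campaign depends on keys that reach a public repository at all, the cheapest control is a scan of files before they are committed. The following is an added example, not part of the original article or of any GitHub or AWS tooling: a small Python scanner for AWS access key IDs (the documented `AKIA`/`ASIA` prefix followed by 16 uppercase alphanumerics) and for 40-character secret keys that sit next to a label naming them. The sample file contents and the `scan_text`/`has_secrets` names are constructed for this example; the key values are the placeholder keys AWS uses in its own documentation.

```python
import re
import sys
from dataclasses import dataclass

# Long-term IAM user keys start with "AKIA", temporary STS keys with "ASIA";
# both are followed by 16 uppercase letters or digits.
ACCESS_KEY_RE = re.compile(r"\b((?:AKIA|ASIA)[0-9A-Z]{16})\b")

# A secret access key is 40 base64-like characters. On its own that is too
# generic to flag, so it is only reported when a key-ish label precedes it.
SECRET_KEY_RE = re.compile(
    r"(?i)aws(?:_|-)?secret(?:_|-)?(?:access)?(?:_|-)?key[\"'\s:=]+([A-Za-z0-9/+=]{40})"
)


@dataclass(frozen=True)
class Finding:
    line_no: int
    kind: str
    value: str

    def redacted(self) -> str:
        # Never echo the full secret into logs or CI output.
        return f"{self.value[:4]}...{self.value[-4:]}"


def scan_text(text: str) -> list[Finding]:
    """Return every access key ID and labelled secret key found in `text`."""
    findings = []
    for line_no, line in enumerate(text.splitlines(), start=1):
        for m in ACCESS_KEY_RE.finditer(line):
            findings.append(Finding(line_no, "access_key_id", m.group(1)))
        for m in SECRET_KEY_RE.finditer(line):
            findings.append(Finding(line_no, "secret_access_key", m.group(1)))
    return findings


def has_secrets(text: str) -> bool:
    return bool(scan_text(text))


# Constructed sample of a .env file a developer might commit by mistake.
# The key values are the placeholder credentials from AWS's own documentation.
SAMPLE_COMMIT = """\
# application settings
AWS_REGION=us-east-1
AWS_ACCESS_KEY_ID=AKIAIOSFODNN7EXAMPLE
AWS_SECRET_ACCESS_KEY=wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY
# look-alike that must not match: wrong prefix
TOKEN=AKIB1234567890ABCDEF
"""


def main(paths: list[str]) -> int:
    """Pre-commit style entry point: exit 1 if any listed file contains a key."""
    rc = 0
    for path in paths:
        with open(path, encoding="utf-8", errors="replace") as fh:
            for f in scan_text(fh.read()):
                print(f"{path}:{f.line_no}: {f.kind} {f.redacted()}")
                rc = 1
    return rc


if __name__ == "__main__":
    if len(sys.argv) > 1:
        sys.exit(main(sys.argv[1:]))
    for f in scan_text(SAMPLE_COMMIT):
        print(f"line {f.line_no}: {f.kind} {f.redacted()}")
```

Wired in as a git pre-commit hook over the staged files, the script refuses the commit instead of relying on GitHub's scanning or AWS's quarantine to catch the key minutes after it has already been cloned.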
In some scenarios, stolen AWS credentials were utilized to conduct account recon, set up AWS security groups, and initiate multiple EC2 instances from behind VPNs. Additionally, crypto-mining operations utilized the c5a.24xlarge AWS instances for their increased computational capabilities.
Organizations are being urged to take proactive measures. If AWS IAM credentials are exposed, it is crucial to revoke any API connections that use those keys, erase them from GitHub, and review repository cloning activity for anything unusual.
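The behaviour described above (account recon, a new security group, then c5a.24xlarge launches, all from one key within minutes) is also a detectable sequence in CloudTrail. The following is an added example, not code from the article or from Unit 42: a Python detector that groups CloudTrail records by access key and raises an alert when a key performs recon, creates a security group and launches an instance of a watched type within one window. The trail below is constructed for this example (documentation placeholder account ID and keys, TEST-NET addresses); it assumes the `requestParameters.instanceType` field as CloudTrail records it for `RunInstances`, and the recon event list and 30-minute window are choices for this example, not values from the article.

```python
import json
from collections import defaultdict
from datetime import datetime, timedelta

# Read-only calls an actor typically makes to learn what an unfamiliar key can do.
RECON_EVENTS = {"GetCallerIdentity", "DescribeRegions",
                "DescribeAccountAttributes", "ListAccountAliases"}
# The instance type the article reports the campaign used; extend per environment.
WATCHED_INSTANCE_TYPES = {"c5a.24xlarge"}
WINDOW = timedelta(minutes=30)


def parse_trail(raw: str) -> list[dict]:
    """Parse a CloudTrail log file body and return its records sorted by time."""
    records = json.loads(raw)["Records"]
    for r in records:
        r["_ts"] = datetime.strptime(r["eventTime"], "%Y-%m-%dT%H:%M:%SZ")
    return sorted(records, key=lambda r: r["_ts"])


def launched_type(record: dict):
    return (record.get("requestParameters") or {}).get("instanceType")


def find_suspicious_keys(records: list[dict], window: timedelta = WINDOW) -> list[dict]:
    """Alert on keys that do recon, create a security group and launch a watched type."""
    by_key = defaultdict(list)
    for r in records:
        key = (r.get("userIdentity") or {}).get("accessKeyId")
        if key:
            by_key[key].append(r)

    alerts = []
    for key, evs in by_key.items():
        start = evs[0]["_ts"]                      # first sighting of the key
        recent = [e for e in evs if e["_ts"] - start <= window]
        names = [e["eventName"] for e in recent]
        did_recon = any(n in RECON_EVENTS for n in names)
        made_sg = "CreateSecurityGroup" in names
        launches = [e for e in recent
                    if e["eventName"] == "RunInstances"
                    and launched_type(e) in WATCHED_INSTANCE_TYPES]
        if did_recon and made_sg and launches:
            alerts.append({
                "accessKeyId": key,
                "first_seen": start.strftime("%Y-%m-%dT%H:%M:%SZ"),
                "sourceIPs": sorted({e["sourceIPAddress"] for e in recent}),
                "launches": len(launches),
            })
    return alerts


def _rec(t, name, key, ip, params=None):
    # Helper to build a minimal CloudTrail-shaped record for the constructed trail.
    return {"eventTime": t, "eventName": name, "sourceIPAddress": ip,
            "userIdentity": {"type": "IAMUser", "accountId": "123456789012",
                             "accessKeyId": key},
            "requestParameters": params}


# Constructed sample trail: one leaked key abused within minutes, one benign key.
SAMPLE_TRAIL = json.dumps({"Records": [
    _rec("2023-09-01T10:00:00Z", "GetCallerIdentity", "AKIAIOSFODNN7EXAMPLE", "198.51.100.7"),
    _rec("2023-09-01T10:00:30Z", "DescribeRegions", "AKIAIOSFODNN7EXAMPLE", "198.51.100.7"),
    _rec("2023-09-01T10:03:00Z", "CreateSecurityGroup", "AKIAIOSFODNN7EXAMPLE", "203.0.113.9",
         {"groupName": "sg-constructed"}),
    _rec("2023-09-01T10:05:00Z", "RunInstances", "AKIAIOSFODNN7EXAMPLE", "203.0.113.9",
         {"instanceType": "c5a.24xlarge"}),
    _rec("2023-09-01T10:06:00Z", "RunInstances", "AKIAIOSFODNN7EXAMPLE", "203.0.113.9",
         {"instanceType": "c5a.24xlarge"}),
    _rec("2023-09-01T11:00:00Z", "RunInstances", "AKIAI44QH8DHBEXAMPLE", "192.0.2.10",
         {"instanceType": "t3.micro"}),
]})


if __name__ == "__main__":
    for alert in find_suspicious_keys(parse_trail(SAMPLE_TRAIL)):
        print(json.dumps(alert, indent=2))
```

The alert carries the source addresses seen for the key, which is what the article's advice to review cloning and access activity needs; because the attacker worked from behind VPNs, the addresses identify sessions to revoke rather than the operator.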
ServiceNow’s Misstep: Potential Data Exposure
ServiceNow, a widely recognized cloud-based platform for IT and business management, recently alerted users about potential “unintended access” due to misconfigurations. The implications? Possible significant leakage of confidential company data.
The core of the issue lies within an interface widget named Simple List, which gathers data stored in tables for dashboards. The problem has existed since 2015 and, left unresolved, could leave companies more exposed than ever to data leakage.
However, it’s imperative to understand that the problem was not rooted in a ServiceNow flaw, but rather a configuration within the platform. Tackling this was not a straightforward task as altering one setting could disrupt existing processes.
ServiceNow has proposed a series of remediation steps, emphasizing reviewing Access Control Lists, adjusting public widgets, employing stricter access controls, and even suggesting the installation of the ServiceNow Explicit Roles Plugin for enhanced security.
Harnessing Tools for a Secure Tomorrow
For organizations employing ServiceNow and similar platforms, SaaS Security Posture Management (SSPM) solutions, such as Adaptive Shield, can offer an extra layer of protection. They provide insight into application configurations and alert security teams about high-risk configurations, allowing timely adjustments to prevent data leaks.
Two major cybersecurity issues have come to light. While the threats and their implications are distinct, they underscore the pressing need for vigilance, the right tools, and informed actions in today’s digital landscape. As technologies evolve, so do threats, and the responsibility lies with organizations to safeguard their assets.