Hackers Find Cloud Account Credentials on GitHub Leading to 72-Hour Cryptocurrency Mining Spree

A recent hijacking of an Amazon Web Services account from information found on project hosting service GitHub has illustrated that online criminals are scraping the source code of open projects for cloud login credentials.

Rich Mogull, CEO of security firm Securosis, found this out first-hand when hackers found an Amazon EC2 Access Key and Secret Key in a commented-out line in a Ruby file supporting a demonstration he was preparing for his presentation at the RSA security conference.

According to Mogull, it only took about 36 hours for the culprits to find his Amazon credentials and spin up 10 extra-large cloud instances – half on the US West Coast and half in Ireland. These ran for 72 hours, running up a $500 bill.

Mogull suspects the hackers used these instances to “mine” for a cryptocurrency such as Bitcoin or Litecoin. Mining is how new currency is introduced into the system, and the computing power spent on it ironically also goes towards securing Bitcoin transactions.

This was, as Mogull readily admits, a case of human error. Mogull’s past experience on Gartner’s security team and as an independent contractor for the University of Colorado, together with his current work as Security Editor of TidBITS, columnist for Dark Reading, and contributor to Information Security Magazine, shows that anyone can make a mistake like this.

He could have avoided the compromise by making sure his code was completely scrubbed of credentials before posting it publicly, and by enabling billing alerts and setting monthly usage limits so that unexpected spending is flagged early.
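The scrubbing step is the one that failed here: the credentials sat in a commented-out line, which a reader skims past but a scraper does not. The following pre-publish scanner is an added example written for this article, not Mogull’s code or any AWS tooling; it flags tokens shaped like AWS access key IDs and secret keys on every line, comments included, and can gate a commit. The Ruby snippet it scans is constructed, and the key values in it are the placeholder example credentials AWS uses in its own documentation.

```python
import re

# Shapes of AWS long-term credentials as AWS documents them: access key IDs are
# 20 characters starting with "AKIA", secret keys are 40 base64-like characters.
ACCESS_KEY_RE = re.compile(r"(?<![A-Z0-9])AKIA[A-Z0-9]{16}(?![A-Z0-9])")
# Only flag a 40-char token when a "secret..." name precedes it on the line,
# which keeps ordinary base64 strings out of the findings.
SECRET_KEY_RE = re.compile(
    r"(?i)secret\w*\W{0,20}([A-Za-z0-9/+=]{40})(?![A-Za-z0-9/+=])"
)

def find_aws_credentials(source: str) -> list[dict]:
    """Scan every line, comments included, and report credential-shaped tokens."""
    findings = []
    for lineno, line in enumerate(source.splitlines(), start=1):
        commented = line.lstrip().startswith("#")  # Ruby comment, still scanned
        for m in ACCESS_KEY_RE.finditer(line):
            findings.append({"line": lineno, "kind": "access_key_id",
                             "value": m.group(0), "commented": commented})
        for m in SECRET_KEY_RE.finditer(line):
            findings.append({"line": lineno, "kind": "secret_access_key",
                             "value": m.group(1), "commented": commented})
    return findings

def scrub(source: str) -> str:
    """Replace each detected credential with a placeholder before publishing."""
    for f in find_aws_credentials(source):
        source = source.replace(f["value"], "<REDACTED_" + f["kind"].upper() + ">")
    return source

def safe_to_publish(source: str) -> bool:
    """Gate for a pre-commit hook: True only when no credentials were found."""
    return not find_aws_credentials(source)

# Constructed Ruby snippet mirroring the article's scenario: live-looking
# credentials survive in a commented-out line next to the env-based replacement.
SAMPLE_RUBY = """\
require 'aws-sdk'
# old hard-coded creds, TODO remove before publishing:
# AWS.config(access_key_id: 'AKIAIOSFODNN7EXAMPLE', secret_access_key: 'wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY')
AWS.config(access_key_id: ENV['AWS_ACCESS_KEY_ID'], secret_access_key: ENV['AWS_SECRET_ACCESS_KEY'])
"""

if __name__ == "__main__":
    for f in find_aws_credentials(SAMPLE_RUBY):
        print(f"line {f['line']}: {f['kind']} (commented out: {f['commented']})")
    print(scrub(SAMPLE_RUBY))
```

Run as a pre-commit hook, `safe_to_publish` returning False blocks the commit; the scrubbed output is what should reach the public repository.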

Mogull also notes that he will be creating an AWS Identity and Access Management policy and Access Key that restricts the application to only his main development region, and will enforce the use of AWS CloudTrail, which records API calls. He is also planning on creating a more tailored IAM policy that grants only the required operations, rather than one without restrictions.

We may be seeing more online criminals seeking out ways to generate cryptocurrencies as they rise in value and become more lucrative. For instance, researchers recently revealed a scheme in which criminals used Yahoo’s ad server to deploy malicious ads that turned the infected computers into a mining pool.