GitHub Actions and Azure virtual machines (VMs) are being
leveraged for cloud-based cryptocurrency mining, indicating
sustained attempts on the part of malicious actors to target cloud
resources for illicit purposes.
“Attackers can abuse the runners[1]
or servers provided by GitHub to run an organization’s pipelines
and automation by maliciously downloading and installing their own
cryptocurrency miners to gain profit easily,” Trend Micro
researcher Magno Logan said[2]
in a report last week.
GitHub Actions (GHAs[3]) is a continuous
integration and continuous delivery (CI/CD) platform that allows
users to automate the software build, test, and deployment
pipeline. Developers can leverage the feature to create workflows
that build and test every pull request to a code repository, or
deploy merged pull requests to production.
Both Linux and Windows runners are hosted on Standard_DS2_v2[4]
virtual machines on Azure and come with two vCPUs and 7GB of
memory.
The Japanese company said it identified no fewer than 1,000
repositories and over 550 code samples that are taking advantage of
the platform to mine cryptocurrency using the runners provided by
GitHub, which has been notified of the issue.
What’s more, 11 repositories were found to harbor similar
variants of a YAML script containing commands to mine Monero coins,
all of which relied on the same wallet, suggesting it’s either the
handiwork of a single actor or a group working in tandem.
“For as long as the malicious actors only use their own accounts
and repositories, end users should have no cause for worry,” Logan
said. “Problems arise when these GHAs are shared on GitHub
Marketplace or used as a dependency for other Actions.”
Cryptojacking-oriented groups are known to infiltrate cloud
deployments through the exploitation of a security flaw within
target systems, such as an unpatched vulnerability, weak
credentials, or a misconfigured cloud implementation.
Some of the prominent actors in the illegal cryptocurrency
mining landscape include 8220[5], Keksec[6]
(aka Kek Security), Kinsing[7], Outlaw[8], and TeamTNT[9].
The malware toolset is also characterized by the use of kill
scripts to terminate and delete competing cryptocurrency miners to
best abuse the cloud systems to their own advantage, with Trend
Micro calling it a battle “fought for control of the victim’s
resources.”
That said, the deployment of cryptominers, besides incurring
infrastructure and energy costs, are also a barometer of poor
security hygiene, enabling threat actors to weaponize the initial
access gained through a cloud misconfiguration for far more
damaging goals such as data exfiltration or ransomware.
“One unique aspect […] is that malicious actor groups do not
only have to deal with a target organization’s security systems and
staff, but they also have to compete with one another for limited
resources,” the company noted[10] in an earlier
report.
“The battle to take and retain control over a victim’s servers
is a major driving force for the evolution of these groups’ tools
and techniques, prompting them to constantly improve their ability
to remove competitors from compromised systems and, at the same
time, resist their own removal.”
References
Read more https://thehackernews.com/2022/07/cloud-based-cryptocurrency-miners.html