Researchers have disclosed cloud-based cryptocurrency mining attacks targeting Azure Virtual Machines (VMs) and GitHub Actions (GHAs).
The crypto attack
- Over a thousand repositories and 550 code samples were spotted abusing GitHub Actions to mine cryptocurrency using the runners provided by GitHub.
- The attackers further use Windows runners hosted on Azure to mine cryptocurrency.
- It applies persistence techniques to stay hidden from GitHub and prevent their Actions from being disabled.
- The attackers usually enter the cloud deployments by exploiting a security flaw in the environment, such as weak credentials, unpatched vulnerability, or a misconfigured cloud implementation.
Technical insights
The attackers abused the runners provided by GitHub to run an organization’s pipelines and automation by maliciously downloading and installing miners.
- The Linux and Windows runners were hosted on Standard_DS2_v2 VM on Azure and have two vCPUs and 7GB of memory.
- Further, researchers analyzed different GHA YAML scripts found on GitHub attempting to mine various kinds of cryptocurrency.
Impact of crypto attacks on organizations
Researchers stated that the performance of an infrastructure infected with a miner slows down. Further, it causes disruption of the online services of a business that impacts the reputation of the organization.
- To demonstrate how such attacks drastically impact the organizations, researchers deployed XMRig on one of its systems that increased CPU usage from an average of 13% to 100%.
- Due to this, the cost of electricity to the target organization increased from $20 up to $130 per month (+600%) for a single cloud instance.
Recommendations
Organizations should regularly monitor their GitHub Actions for any signs of abuse. Early detection of possible exploits in a cloud environment is very important to stop such attacks before they cause any major damage. Further, make sure that no cryptocurrency wallets are present in GHA.
Publisher
/https://cyware-ent.s3.amazonaws.com/image_bank/iStock_000073999097_Medium.jpg)
/https://cyware-ent.s3.amazonaws.com/image_bank/shutterstock_465668897.jpg)
