Cloud-Based Cryptocurrency mining attacks abuse GitHub Actions and Azure VM

Pierluigi Paganini July 12, 2022

Researchers investigated cloud-based cryptocurrency mining attacks targeting GitHub Actions and Azure VMs.

Researchers from Trend Micro published a report that details cloud-based cryptocurrency mining attacks targeting GitHub Actions and Azure VMs and the threat actors behind them.

Threat actors are attempting to compromise a large number of cloud-based systems to mine cryptocurrency with a significant impact on target organizations in terms of resource consumption and cost.

To demonstrate the impact on the organizations, Trend Micro researchers deployed the monero miner XMRig on one of its systems and observed an increase in CPU utilization rate from an average of 13% to 100%. This means that the cost of electricity to the target organization jumped from US$20 up to US$130 per month (+600%) for a single cloud instance. Considering that organizations usually control multiple cloud instances, the economic impact on them dramatically increases.

Experts pointed out that the performance of an infrastructure infected with a miner slows down and can cause the disruption of the online services of a business, impacting the reputation of the organization.

“Cryptocurrency-mining groups enter cloud deployments through similar methods, typically through the exploitation of a security flaw within target systems, such as an unpatched vulnerability, weak credentials, or a misconfigured cloud implementation.” states the report published by Trend Micro. “However, each group more or less has its unique traits, from its skill level and experience to the tools and techniques it uses, that set it apart from other groups.”

For example, the Outlaw threat actors, which has been active since at least 2018, uses brute force and SSH exploit (exploit Shellshock Flaw and Drupalgeddon2 vulnerability) to achieve remote access to the target systems, including server and IoT devices. The main component of this malware implant is a variant of “Shellbot”, a Monero miner bundled with a Perl-based backdoor, which includes an IRC-based bot and an SSH scanner. 

Another group, tracked as TeamTNT, attempts to compromise hosts via the exploitation of vulnerable software services, then it steals credentials for other services to move to other hosts. In November, Trend Micro researchers reported that TeamTNT hackers were targeting poorly configured Docker servers exposing Docker REST APIs as part of an ongoing campaign that started in October.

Threat actors were executing malicious scripts to deploy Monero cryptocurrency miners, perform container-to-host escape using well-known techniques, and scan the Internet for exposed ports from other compromised containers.

In its latest article, Trend Micro detailed how attackers are leveraging GitHub Actions (GHAs) and Azure virtual machines (VMs) for cloud-based cryptocurrency mining. The experts observed threat actors abusing the runners or servers provided by GitHub to run an organization’s pipelines and automation by maliciously downloading and installing their miners. We also analyze different GHA YAML scripts found on GitHub that tried to mine all kinds of cryptocurrency by using the GHA runners.

GHA allows users to automate the software build, test, and deployment pipeline.

The experts pointed out that Linux and Windows runners are hosted on Standard_DS2_v2 virtual machines on Azure and come with two vCPUs and 7GB of memory.

The experts have identified over a thousand repositories and more than 550 code samples that are abusing GitHub Actions as a part of a cryptocurrency mining campaign leveraging GitHub runners.

cryptocurrency mining campaign

“For as long as the malicious actors only use their own accounts and repositories, end users should have no cause for worry. Problems arise when these GHAs are shared on GitHub Marketplace or used as a dependency for other Actions.” reads the report. “Problems arise when these GHAs are shared on GitHub Marketplace or used as a dependency for other Actions. “

The report also provides recommendations on how to detect cryptocurrency miners along with indicators of compromise for known cryptocurrency mining campaigns.

Follow me on Twitter: @securityaffairs and Facebook

[adrotate banner=”9″][adrotate banner=”12″]

Pierluigi Paganini

(SecurityAffairs – hacking, cryptocurrency mining)

[adrotate banner=”5″]

[adrotate banner=”13″]

you might also like

leave a comment