A group of attackers is running a cryptomining operation that leverages the free or trial-based cloud computing resources and platforms offered by several service providers including GitHub, Heroku and Togglebox.
The operation is highly automated using CI/CD processes and involves the creation of tens of thousands of fake accounts and the use of stolen or fake credit cards to activate time-limited trials.
Researchers from Palo Alto Networks' Unit 42 have dubbed the group Automated Libra and believe it's based in South Africa.
During the peak of the campaign, dubbed PurpleUrchin, in November the group was registering between three and five GitHub accounts every minute using automated CAPTCHA defeating processes with the intention to abuse GitHub Actions workflows for mining.
"Each of the GitHub accounts was subsequently involved in a play-and-run strategy, where each account would use computational resources, but threat actors ultimately left their tabs unpaid," the researchers said in the report.
"This appears to be a standard operational procedure for PurpleUrchin, as there is evidence that they created more than 130,000 accounts across various virtual private server (VPS) providers and cloud service providers (CSPs)."
A combination of freejacking and play-and-run tactics
Researchers refer to the abuse of free offers as freejacking, and the creation of accounts that incur charges and then are never paid as "play and run."
The latter is more difficult to pull off because most service providers require the user to register a valid credit card or payment method before giving them access to paid-for computing resources.
However, even if usage is tracked and charged on a per-minute basis, the bill is usually issued after a longer period. This gives attackers a time window to abuse such services.
Automated Libra seems to have used both methods, suggesting they had access to stolen credit cards or at least cards that would be accepted by the system even if they were later flagged as stolen and locked by the issuers. This shows the importance of having strong anti-fraud payment systems in place.
PurpleUrchin has been operating since 2019, and even though they often abused VPS providers that offer full virtualised servers, they've also extended their operation to target cloud application hosting platforms.
Heroku, for example, provides a cloud application hosting platform that supports multiple programming languages, while Togglebox provides both VPS and application hosting services. Both support deploying apps as containers using Docker and Kubernetes, and Automated Libra made full use of that.
"The infrastructure architecture employed by the actors uses CI/CD techniques, in which each individual software component of an operation is placed within a container," the researchers said.
"This container operates within a modular architecture within the larger mining operation. CI/CD architectures provide highly modular operational environments, allowing some components of an operation to fail, be updated, or even be terminated and replaced, without affecting the larger environment."
Not all the containers are used for cryptomining. Some are used to automate the creation of accounts and deployment tasks while others are used to automate the selling of the mined cryptocurrency on different trading platforms and exchanges.
Mining with GitHub workflows
GitHub Actions is a commercial CI/CD platform for automating the building and testing of software code that offers a free service for public repositories and free minutes of worker run time and storage space for private repositories.
GitHub Actions workflows are automated processes defined in .yml files using YAML syntax that are executed when certain triggers or events occur.
They can involve the execution of Bash scripts, generating and copying files, and more. They are basically a series of user-defined tasks executed on a virtual machine usually with the intention of compiling applications from code and testing them.
To automate the creation of GitHub accounts, the attackers used containers deployed on Togglebox that contained a Chromium-based browser called Iron; xdotool, a tool used to generate keyboard and mouse inputs; and the ImageMagick toolkit, which can be used to convert, edit, and compose digital images.
First, the automated process opened the GitHub account creation page Iron and opened a VNC remote desktop session to the browser. Xdotool connected to the browser via VNC and automatically filled in and submitted the form. At this stage the account creation process presents a CAPTCHA for the user to solve.
The GitHub CAPTCHA challenge asks the user to select the spiral galaxy from several pictures with galaxies of different shapes.
To pass it, xdotool downloads the images and passes them to ImageMagick, which is then used to convert them into complementary red, green, and blue (RGB) images.
This basically turns them into splotches of red, green, and blue colours on white background. Then the ImageMagick identify command is used to determine the "skewness" of the red channel, and the image with the lowest values was chosen as the spiral galaxy.
This whole automated process, which the researchers managed to recover from a container, was designed specifically for one CAPTCHA challenge and is unlikely to work with others.
The researchers didn't test how effective this technique is but have determined that the attackers managed to register over 20,000 GitHub accounts in November alone.
Once the account was registered, the next step was to register for a personal access token (PAT) with workflow permissions, set up SSH keys and use the GitHub API to set up a repository and the permissions for it.
The repository was then updated with a workflow generated by a PHP script to have randomised attributes and be unique from workflows deployed to other accounts.
When executed, the workflow created 64 jobs and used 64 jobs and used repository_dispatch under the event github.event.client_payload.app to execute externally hosted applications.
Initially, these were used to execute external Bash scripts, but then the attackers switched to executing containers that installed and initiated the cryptomining functionality.
"It is important to note that Automated Libra designs their infrastructure to make the most use out of CD/CI tools," the researchers said. "This is getting easier to achieve over time, as the traditional VSPs are diversifying their service portfolios to include cloud-related services.
"The availability of these cloud-related services makes it easier for threat actors because they don’t have to maintain infrastructure to deploy their applications. In the majority of cases, all they’ll need to do is to deploy a container."
While this group abuses the computing resources of cloud services providers themselves, the same modern development practices and cloud application hosting services are increasingly used to set up command-and-control infrastructure by different groups for a variety of attacks, making attribution and takedown efforts much more difficult.