Cloud-based cryptocurrency miners targeting GitHub actions and Azure VMs


GitHub actions and Azure virtual machines (VMs) are being used for cloud-based cryptocurrency mining, indicating continued attempts by malicious actors to attack cloud resources for illegal purposes.

“Attackers can take advantage of runners or servers provided by GitHub to manage an organization’s pipelines and automation by maliciously downloading and installing their own cryptocurrency miners to easily turn a profit,” Trend Micro researcher Magno Logan said in a report from last week.

GitHub Actions (GHAs) is a continuous integration and continuous delivery (CI/CD) platform that enables users to automate the pipeline for building, testing, and deploying software. Developers can use the feature to create workflows that build and test each pull request to a code repository, or implement aggregated pull requests for production.

Both Linux and Windows runners are hosted on Standard_DS2_v2 virtual machines on Azure and come with two vCPUs and 7 GB of memory.

The Japanese company said it has identified no fewer than 1,000 repositories and more than 550 code samples using the platform to mine cryptocurrency using the runners of GitHub, which has been notified of the issue.

In addition, 11 repositories were found to contain similar variants of a YAML script with commands to mine Monero coins, all of which relied on the same wallet, suggesting it is either the handiwork of a single actor or a group working together.

“As long as the malicious actors only use their own accounts and repositories, end users have nothing to worry about,” said Logan. “Problems arise when these GHAs are shared on GitHub Marketplace or used as dependencies for other actions.”

Groups targeting cryptojacking are known to infiltrate cloud deployments by exploiting a vulnerability in target systems, such as an unpatched vulnerability, weak credentials, or a misconfigured cloud deployment.

Some of the prominent actors in the illegal cryptocurrency mining landscape include 8220, Keksec (aka Kek Security), Kinsing, exileand TeamTNT.

The malware toolset is also characterized by the use of kill scripts to terminate and remove competing cryptocurrency miners in order to best exploit the cloud systems to their own advantage, with Trend Micro calling it a battle “fought for control of the victim’s sources”.

That said, in addition to incurring infrastructure and energy costs, the deployment of cryptominers is also a barometer of poor security hygiene, allowing threat actors to weaponize the initial access gained through cloud misconfiguration for much more damaging targets such as data. exfiltration or ransomware.

“A unique aspect […] is that malicious actor groups not only have to deal with the security systems and personnel of a target organization, but also have to compete with each other for limited resources,” the company said. noted in an earlier report.

“The struggle to gain and maintain control of a victim’s servers is a major driving force behind the evolution of these groups’ tools and techniques, continuously improving their ability to remove competitors from compromised systems while resist their own removal.”