There are ongoing attempts by threat actors to target cloud services for illegal purposes, as GitHub Actions and Azure virtual machines (VMs) are leverage for cloud-based cryptocurrency mining.

According to a report published by Trend Micro analyst Magno Logan, attackers can take advantage of the servers or runners offered by GitHub to manage an organization’s pipelines and automation by fraudulently downloading and installing their own cryptocurrency miners to make quick money.

A continuous integration and continuous delivery (CI/CD) platform called GitHub Actions (GHAs) enables users to automate the pipeline for developing, testing, and deploying software. The capability can be used by developers to construct workflows that test each pull request before adding it to a code repository or to publish merged pull requests to production.

 

Linux and Windows users being abused by cryptocurrency miners

With two vCPUs and 7 GB of RAM apiece, Azure Standard DS2 v2 virtual machines can host both Linux and Windows runners. Similar tactics used by fraudsters to execute their mining scripts on Windows runners are used by cryptocurrency miners to misuse Linux runners. To avoid having their activity stopped by GitHub, they are constantly attempting to avoid discovery.

The runner, a server made to run workflows, is offered by GitHub (actions of malicious actors). Once an enterprise’s automation is finished, the workflows are ended and deployed on Azure. Using a free GitHub account or not, users are not required to pay for this service.

By utilizing the runners offered by GitHub, the Japanese IT security company Trend Micro has discovered over 550 code samples and over 1,000 repositories that make use of GitHub Actions to mine cryptocurrencies. The search results from bitcoin miners utilizing GHA are displayed in the following figure.

End users shouldn’t be concerned as long as bad actors exclusively utilize their accounts and repositories. GitHub is aware of this issue and is making every effort to solve it and reduce it as much as it can. However, solving the issue is challenging. According to Trend Micro, issues develop when these GHAs are posted to the GitHub Marketplace or utilized as a requirement for other Actions.

In the world of illicit cryptocurrency mining, some well-known players include 8220, Keksec (also known as Kek Security), Kinsing, Outlaw, and TeamTNT.

In order to best take advantage of the cloud systems to their own advantage, the malware toolset is also characterized by the use of kill scripts to end and remove competing cryptocurrency miners. According to Trend Micro, this is a conflict “fought for control of the victim’s resources.

 

How can Cryptocurrency Miners can be identified?

Malicious actors can make large revenues from a corrupted network for even a few minutes or hours. As a result, it is essential for both consumers and cloud service providers (CSPs) to be aware of these attacks, be able to spot them, and be able to stop them in their settings.

The first sign of potential cryptocurrency mining exploits might be cited as increased resource utilization. Resource use increases CPU utilization to 100%, slowing down operating workloads or apps. These workloads could likewise stop functioning if the CPU is overworked. Customers and CSPs must keep an eye out for these situations to spot instances of bitcoin mining. Based on the amount of compromised workloads for cryptocurrency mining, 100% CPU utilization can increase the expenses by up to 600% with on-demand pricing, and this can scale and increase quickly. Therefore, it is important to thoroughly investigate any significant increase in monthly cloud costs.

The struggle for control of a victim’s servers “is a primary driving force for the advancement of these groups’ tools and strategies, motivating them to continuously improve their ability to remove competitors from compromised systems while simultaneously resisting their own removal.”

 

Recommendations

Companies should keep a close eye on their GitHub Actions for any indications of abuse. It’s crucial to identify potential exploits as soon as feasible in a cloud environment before the threat actors can do too much harm. Additionally, make sure GHA is free of any cryptocurrency wallets