Purpleurchin Cryptocurrency Miners Scouring free GitHub, Heroku accounts

upnorth

A stealthy cryptocurrency mining operation has been spotted using thousands of free accounts on GitHub, Heroku and other DevOps outfits to craft digital tokens. GitHub, for one, forbids the mining of coins using its cloud resources.

The Sysdig Threat Research Team said at Kubecon this week it uncovered the activity, dubbed Purpleurchin. Specifically, the researchers found more than 30 GitHub, 2,000 Heroku, and 900 Buddy DevOps accounts – plus accounts with other cloud and continuous integration and deployment (CI/CD) service providers – being abused to quietly power Purpleurchin's crypto-asset-generating operations. While scouring cloud compute resources to mine coins isn't a new tactic – and is usually against the terms of service – the people behind this particular endeavor employed a number of sophisticated automation and obfuscation techniques, we're told.

Sysdig estimated each of those 30 free GitHub accounts cost the Microsoft-owned giant $15 per month, and the free tier accounts from Heroku, Buddy and others cost providers between $7 and $10 per month. "At these rates, it would cost a provider more than $100,000 for a threat actor to mine one Monero (XMR)," Sysdig researcher Crystal Morin claimed. One XMR is worth $146 right now.
More information has become available on "PurpleUrchin," a malicious campaign in which a threat group called Automated Libra is using DevOps and continuous integration/continuous deployment (CI/CD) practices to mine cryptocurrency on cloud platforms using free trial accounts.

The campaign began in August 2019 and has mainly targeted platforms such as GitHub, Heroku, and ToggleBox. Security vendor Sysdig first reported on the campaign last October. This week, Palo Alto Networks' Unit 42 threat hunting team provided fresh insight on the campaign based on a recent analysis of the threat group's activities - and noted that while cryptomining is the game now, the infrastructure could be used to deliver much worse threats down the road.

Unit 42's research showed that Automated Libra has so far created some 180,000 free trial accounts on various cloud platforms - substantially more than Sysdig had initially reported - using an automated container-based approach for spinning them up. At its peak last November, Automated Libra was creating between three and five new accounts on GitHub every minute. Sysdig previously had estimated that the coin-mining activity via free trial accounts was costing GitHub some $100,000 in lost revenue per user account.