Cloud-based Cryptocurrency Miners Targeting GitHub Actions and Azure VMs

Cyber Security

GitHub Actions and Azure virtual machines (VMs) are being leveraged for cloud-based cryptocurrency mining, indicating sustained attempts on the part of malicious actors to target cloud resources for illicit purposes.

“Attackers can abuse the runners or servers provided by GitHub to run an organization’s pipelines and automation by maliciously downloading and installing their own cryptocurrency miners to gain profit easily,” Trend Micro researcher Magno Logan said in a report last week.

GitHub Actions (GHAs) is a continuous integration and continuous delivery (CI/CD) platform that allows users to automate the software build, test, and deployment pipeline. Developers can leverage the feature to create workflows that build and test every pull request to a code repository, or deploy merged pull requests to production.

Both Linux and Windows runners are hosted on Standard_DS2_v2 virtual machines on Azure and come with two vCPUs and 7GB of memory.

The Japanese company said it identified no fewer than 1,000 repositories and over 550 code samples that are taking advantage of the platform to mine cryptocurrency using the runners provided by GitHub, which has been notified of the issue.

What’s more, 11 repositories were found to harbor similar variants of a YAML script containing commands to mine Monero coins, all of which relied on the same wallet, suggesting it’s either the handiwork of a single actor or a group working in tandem.

“For as long as the malicious actors only use their own accounts and repositories, end users should have no cause for worry,” Logan said. “Problems arise when these GHAs are shared on GitHub Marketplace or used as a dependency for other Actions.”

Cryptojacking-oriented groups are known to infiltrate cloud deployments through the exploitation of a security flaw within target systems, such as an unpatched vulnerability, weak credentials, or a misconfigured cloud implementation.

Some of the prominent actors in the illegal cryptocurrency mining landscape include 8220, Keksec (aka Kek Security), Kinsing, Outlaw, and TeamTNT.

The malware toolset is also characterized by the use of kill scripts to terminate and delete competing cryptocurrency miners to best abuse the cloud systems to their own advantage, with Trend Micro calling it a battle “fought for control of the victim’s resources.”

That said, the deployment of cryptominers, besides incurring infrastructure and energy costs, are also a barometer of poor security hygiene, enabling threat actors to weaponize the initial access gained through a cloud misconfiguration for far more damaging goals such as data exfiltration or ransomware.

“One unique aspect […] is that malicious actor groups do not only have to deal with a target organization’s security systems and staff, but they also have to compete with one another for limited resources,” the company noted in an earlier report.

“The battle to take and retain control over a victim’s servers is a major driving force for the evolution of these groups’ tools and techniques, prompting them to constantly improve their ability to remove competitors from compromised systems and, at the same time, resist their own removal.”