Criminals have been abusing free cloud accounts on CI/CD providers to mine cryptocurrencies, but the threat campaign holds more than meets the eye, experts have warned.
Cybersecurity researchers from Sysdig uncovered more than 30 GitHub accounts, 2,000 Heroku accounts, and 900 Buddy accounts abused in an activity known as “freejacking” (hijacking free accounts). The researchers dubbed the campaign Purpleurchin, and describe it as an attempt to run cryptominers “in as many environments as possible, as hands off as possible”.
By using free accounts, the cost of mining cryptocurrencies (which is always relatively high) is shifted to the service provider (in this instance, GitHub, Heroku, and Buddy).
After analyzing the campaign, Sysdig’s researchers estimated that every free GitHub account created by Purpleurchin cost the platform $15 a month. All things considered, it would cost the platform some $100,000 for the threat actor to mine one Monero token (one token is currently worth approximately $150).
But the attackers are not mining Monero just yet. They’re actually trying to mine a bunch of obscure coins, including Tidecoin, Onyx, Surgarchain, Sprint, Yenten, Arionum, MintMe, and Bitweb. Apparently, the entire campaign is hardly profitable.
This has prompted the researchers to believe that all of this is either still an experiment or an attempt to take over the underlying blockchains.
If it’s an experiment, the threat actors are just testing it out to see if the method works, before moving on to more prominent tokens (such as bitcoin or monero). As for attacking the blockchain - proof-of-work networks (on which coins can be “mined”, as opposed to proof-of-stake coins that are all pre-mined) can be taken over by an entity if it can hold 51%+ of the hash power (mining power). That would give that entity the ability to roll the blockchain back, engage in double-spending, and similar. It would also run the token’s price into the ground, though.
The addresses to which the miners should send the mined tokens are hidden, making it impossible to determine the success of the campaign, or identify the attackers.
- Here's our rundown of the best firewalls right now
Are you a pro? Subscribe to our newsletter
Sign up to the TechRadar Pro newsletter to get all the top news, opinion, features and guidance your business needs to succeed!
Sead is a seasoned freelance journalist based in Sarajevo, Bosnia and Herzegovina. He writes about IT (cloud, IoT, 5G, VPN) and cybersecurity (ransomware, data breaches, laws and regulations). In his career, spanning more than a decade, he’s written for numerous media outlets, including Al Jazeera Balkans. He’s also held several modules on content writing for Represent Communications.