Criminals have been abusing free cloud accounts on CI/CD providers to mine cryptocurrencies, but the threat campaign holds more than meets the eye, experts have warned.
Cybersecurity researchers from Sysdig uncovered more than 30 GitHub accounts, 2,000 Heroku accounts, and 900 Buddy accounts abused in an activity known as “freejacking” (hijacking free accounts). The researchers dubbed the campaign Purpleurchin, and describe it as an attempt to run cryptominers “in as many environments as possible, as hands off as possible”.
By using free accounts, the cost of mining cryptocurrencies (which is always relatively high) is shifted to the service provider (in this instance, GitHub, Heroku, and Buddy).
After analyzing the campaign, Sysdig’s researchers estimated that every free GitHub account created by Purpleurchin cost the platform $15 a month. All things considered, it would cost the platform some $100,000 for the threat actor to mine one Monero token (one token is currently worth approximately $150).
But the attackers are not mining Monero just yet. They’re actually trying to mine a bunch of obscure coins, including Tidecoin, Onyx, Surgarchain, Sprint, Yenten, Arionum, MintMe, and Bitweb. Apparently, the entire campaign is hardly profitable.
This has prompted the researchers to believe that all of this is either still an experiment or an attempt to take over the underlying blockchains.
If it’s an experiment, the threat actors are just testing it out to see if the method works, before moving on to more prominent tokens (such as bitcoin or monero). As for attacking the blockchain – proof-of-work networks (on which coins can be “mined”, as opposed to proof-of-stake coins that are all pre-mined) can be taken over by an entity if it can hold 51%+ of the hash power (mining power). That would give that entity the ability to roll the blockchain back, engage in double-spending, and similar. It would also run the token’s price into the ground, though.
The addresses to which the miners should send the mined tokens are hidden, making it impossible to determine the success of the campaign, or identify the attackers.
Via: BleepingComputer (opens in new tab)