Free cloud development accounts being abused for crypto mining

Criminals have abused the free cloud accounts of CI/CD providers to mine cryptocurrency, but the threat campaign contains more than meets the eye, experts have warned.

Sysdig cybersecurity researchers discovered more than 30 GitHub accounts, 2000 Heroku accounts, and 900 Buddy accounts abused in an activity known as "freejacking." The researchers called the campaign Purpleurchin, describing it as an attempt to run cryptominers "in as many environments as possible, with as little scrutiny as possible."

By using free accounts, the cost of cryptocurrency mining (which is always relatively high) is passed on to the service provider (in this case, GitHub, Heroku, and Buddy).

Great harm

After analyzing the campaign, Sysdig researchers estimated that each free GitHub account created by Purpleurchin costs the platform €15 per month. All things considered, it would cost the platform around €100,000 for the threat actor to mine a Monero token (a token is currently worth around €150).

But the attackers are not mining Monero yet. Instead, they are trying to mine a bunch of unknown coins, including Tidecoin, Onyx, Sugarchain, Sprint, Yenten, Arionum, MintMe, and Bitweb. Apparently, the entire campaign is unprofitable.

This has led researchers to believe that this is all still just an experiment or an attempt to support the underlying blockchains.

If it's an experiment, the threat actors are simply testing whether the method works before moving on to larger tokens (like Bitcoin or Monero). As for a blockchain attack, an entity can take over a Proof-of-Work network (in which coins can be "mined", as opposed to Proof-of-Stake coins which are all pre-mined) if it holds 51%+ of the hash power (mining power). This would give that entity the ability to roll back the blockchain, double-spend, etc. However, this would also cause the price of the token to drop.

The addresses to which the miners should send the mined tokens are hidden, making it impossible to determine the success of the campaign or identify the attackers.

Via: BleepingComputer