Cloud-Based Cryptocurrency Miners

Threat actors are constantly targeting GitHub Actions and Azure VMs to mine cryptocurrency in the cloud.

Malicious actors are making a sustained effort to exploit the resources of cloud service providers for illicit purposes.

The GitHub Actions platform, known as GHAs for short, enables users to do the following:

  • Automate the software build
  • Test the software build
  • Deploy the pipeline by leveraging CI and CD

Cryptocurrency miners

The Linux and Windows runners are hosted in Azure on Standard_DS2_v2 virtual machines. Both Linux and Windows runners have two virtual CPUs and 7 GB of memory available.

Cybersecurity researchers at Trend Micro have discovered more than 550 code samples and around 1,000 repositories that contain malware. Threat actors have also used the Linux and Windows runners offered by GitHub to mine cryptocurrencies for profit.

This issue has been reported to GitHub, the code hosting service owned by Microsoft.

Similar variations of a YAML script containing commands to mine Monero coins were found in 11 repositories.

All of these appear to use the same wallet, which suggests that they are the work of either one individual or a group of individuals working together.
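The shared-wallet observation can be turned into a simple audit of workflow files. The following Python sketch is an added example, not code from Trend Micro or from the article: it flags mining indicators in workflow text and groups repositories by the Monero address they reference. The indicator strings (XMRig, Stratum URLs), the address pattern, and all sample repositories and wallets are assumptions constructed for illustration.

```python
import re
from collections import defaultdict

# Assumed indicators, not taken from the article: the XMRig miner name and
# Stratum pool URL schemes commonly seen in Monero mining commands.
MINER_HINTS = re.compile(r"xmrig|stratum\+(?:tcp|ssl)://", re.IGNORECASE)
# Standard-length Monero address: 95 base58 characters starting with 4 or 8.
WALLET_RE = re.compile(
    r"(?<![0-9A-Za-z])[48][1-9A-HJ-NP-Za-km-z]{94}(?![0-9A-Za-z])")


def scan_workflow(text):
    """Return (flagged lines, wallet addresses) for one workflow file."""
    flagged = [(n, line.strip())
               for n, line in enumerate(text.splitlines(), 1)
               if MINER_HINTS.search(line) or WALLET_RE.search(line)]
    return flagged, set(WALLET_RE.findall(text))


def cluster_by_wallet(workflows):
    """Map each wallet to the sorted repositories whose workflows use it."""
    clusters = defaultdict(set)
    for (repo, _path), text in workflows.items():
        for wallet in scan_workflow(text)[1]:
            clusters[wallet].add(repo)
    return {w: sorted(repos) for w, repos in clusters.items()}


# Constructed sample data: placeholder wallets and repository names.
WALLET_A = "4" + "A" * 94
WALLET_B = "8" + "B" * 94
SAMPLE = {
    ("user1/app", ".github/workflows/ci.yml"):
        f"jobs:\n  build:\n    steps:\n      - run: ./xmrig -o stratum+tcp://pool.invalid:3333 -u {WALLET_A}\n",
    ("user2/site", ".github/workflows/test.yml"):
        f"jobs:\n  t:\n    steps:\n      - run: ./miner --user={WALLET_A}\n",
    ("user3/lib", ".github/workflows/build.yml"):
        f"jobs:\n  b:\n    steps:\n      - run: ./xmrig -u {WALLET_B}\n",
    ("user4/docs", ".github/workflows/lint.yml"):
        "jobs:\n  lint:\n    steps:\n      - run: make lint\n",
}

if __name__ == "__main__":
    for wallet, repos in cluster_by_wallet(SAMPLE).items():
        print(f"{wallet[:8]}... used by {len(repos)} repo(s): {repos}")
```

A wallet that appears in several unrelated repositories is a strong signal of one operator, and the address match still fires when the miner binary has been renamed.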

Cryptojacking groups are known to infiltrate cloud deployments by exploiting a security flaw within the target systems to gain access to cloud services.

The threat actors focus on exploiting weaknesses such as:

  • Unpatched vulnerabilities
  • Weak/common credentials
  • Misconfigured cloud implementations

Prominent illegal miners

The illegal cryptocurrency mining landscape is dominated by a number of prominent actors, including:

  • 8220
  • Keksec (aka Kek Security)
  • Kinsing
  • Outlaw
  • TeamTNT

The malware toolset also features kill scripts, which terminate and delete all competing cryptocurrency mining applications.

As a result, threat actors are able to exploit cloud systems to carry out their illicit tasks. Trend Micro describes it as a war between attackers and victims, waged to control the victim's resources.

In addition to incurring significant infrastructure and energy costs, the presence of cryptominers is also a sign of poor security hygiene.

Threat actors can exploit a cloud misconfiguration to gain initial access to a cloud environment, which can then be weaponized for more damaging purposes.

Gurubaran is a co-founder of Cyber Security News and GBHackers On Security. He has 10+ years of experience as a Security Consultant, Editor, and Analyst in cybersecurity, technology, and communications.