The Sysdig Threat Research Team uncovered PurpleUrchin, a large-scale cryptomining operation exploiting free continuous integration and deployment service accounts.
This is why we can't have nice things. Many cloud and continuous integration/deployment (CI/CD) providers, such as Buddy.Works, GitHub, and Heroku, offer free services. But now, in a massive new case of freejacking, the Sysdig Threat Research Team (Sysdig TRT) found an attacker using over 1 million free serverless function calls, such as GitHub Actions, to run a huge automated cryptocurrency mining operation: PurpleUrchin.
Sheer scale
"Freejacking"? It's a new name for an old technique of exploiting free service offerings. In this case, free computing resources. What makes PurpleUrchin different is its scale. Instead of setting up a handful of free accounts, this highly obfuscated multi-level attack creates new accounts all the time, regularly rotating its CI/CD accounts across multiple platforms, while maintaining over 130 Docker Hub images. In all, Sysdig TRT discovered over 30 GitHub accounts, 2,000 Heroku accounts, and 900 Buddy accounts. The attackers are targeting multiple platforms at the same time and seem to be constantly looking for others.
These free allowances add up quickly. For example, GitHub offers 2,000 free minutes of GitHub Actions each month. For PurpleUrchin, each account adds approximately 33 hours of free runtime.
Of course, there ain't no such thing as a free lunch (TANSTAAFL). In this case, it is the provider who pays the cost. Sysdig TRT estimates that each "free" PurpleUrchin GitHub account costs GitHub $15 per month. Free tier accounts from other service providers are estimated to cost providers $7 to $10 per month. Left unchecked, the affected providers could raise prices for legitimate customers to cover PurpleUrchin's costs.
At first glance, it looks like the people behind PurpleUrchin are here for cryptocurrency mining. But oddly enough, PurpleUrchin owners are mining low-return cryptocurrencies, at least for now. Sysdig believes this could be a “low-risk, low-reward test” before PurpleUrchin’s controllers move to higher value coins like Bitcoin and Monero.
Bigger and messier
But Sysdig also worries that PurpleUrchin is thinking of bigger, nastier things. It fears the operation may be going after the cryptocurrencies' blockchain validation mechanisms themselves. These proof-of-work algorithms are vulnerable to 51% attacks.
A 51% attack can work because, normally, when a miner finds the correct hash combination, the newly mined block is added to the blockchain and validated by the crypto network. This validation occurs when the network reaches consensus that the block is legitimate. However, if an attacker controls 51% of the network, they can interfere with the immutability of the network. Once this is done, the PurpleUrchin controller can validate arbitrary transactions associated with attacker-controlled cryptocurrency wallets. In addition to being able to "counterfeit" coins, it is also possible to steal millions of dollars worth of cryptocurrency from other miners, block other users' transactions, or even reverse them and spend the same cryptocurrency again, which is known as double spending.
This is not just a theoretical vulnerability. In 2019, there was a successful 51% attack on the Ethereum Classic blockchain. Such an attack on Bitcoin would be difficult due to its large size, but it is relatively easy to do with smaller coins.
Wonder why I have no trust in cryptocurrencies?
Wait a second! There's more!
Sysdig is also concerned that this "large-scale operation could act as a decoy for other malicious activity." In 2020, APT32 (Bismuth, OceanLotus) deployed cryptocurrency mining operations in victims' networks to evade detection of its concurrent cyber espionage campaigns.
They might be onto something. PurpleUrchin goes far beyond the normal run of crypto scammers. The scope and volume of its attacks suggest that there may be a state or major criminal organization behind it.
Sysdig concludes: as we all do.