Cloud-based cryptocurrency miners targeting GitHub stocks and Azure virtual machines

GitHub shares and Azure virtual machines (VMs) are being exploited for cloud-based cryptocurrency mining, indicating continued attempts by malicious actors to attack cloud resources for illegal purposes.

“Attackers can take advantage of the runners or servers provided by GitHub to manage an organization’s pipelines and automation by maliciously downloading and installing their own cryptocurrency miners to easily make a profit,” said Magno Logan, a researcher at Trend Micro last week in a report.

GitHub Actions (GHA) is a continuous integration and delivery (CI/CD) platform that enables users to automate the pipeline for building, testing, and deploying software. Developers can use the feature to create workflows that create and test each pull request to a code repository, or to deploy aggregated pull requests to production.

To advertise

Linux and Windows runners are hosted on Standard_DS2_v2 virtual machines on Azure and come with two vCPUs and 7 GB of memory.

The Japanese company said it has identified no fewer than 1,000 repositories and more than 550 code samples that take advantage of the platform to mine cryptocurrency using runners provided by GitHub, which has been notified of the issue.

In addition, 11 repositories hosted similar variants of a YAML script with commands to mine Monero coins, all of which were based on the same wallet, suggesting that this is either the work of a single actor, or a group working together.

“As long as malicious actors only use their own accounts and repositories, end users need not worry,” Logan said. “Problems arise when these GHAs are shared on GitHub Marketplace or used as dependencies for other actions.”

Cloud-based cryptocurrency miner

Cryptojacking-oriented groups have been known to infiltrate cloud deployments by exploiting a vulnerability in target systems, such as an unpatched vulnerability, weak credentials, or misconfigured cloud deployment.

Some of the prominent players in the illegal cryptocurrency mining landscape include 8220, Keksec (aka Kek Security), Kinsing, Outlaw, and TeamTNT.


The malware toolset is also characterized by the use of kill scripts to terminate and remove competing cryptocurrency miners in order to make the most of cloud systems for their own benefit. Trend Micro called it a battle “fought for control of the victim’s resources”.

That said, in addition to incurring infrastructure and energy costs, the deployment of cryptominers is also a barometer of poor security hygiene, allowing threat actors to weaponize the initial access gained by misconfiguring the cloud for much more malicious purposes, such as data. -exfiltration or ransomware .

“A unique look […] is that groups with bad actors should not only manage a target organization’s security systems and personnel, but also compete for limited resources,” the company said. this has been noted in an earlier report.

“The struggle to gain and maintain control of a victim’s servers is a major driver of the evolution of these groups’ tools and techniques, continuously improving their ability to eliminate competitors from compromised systems while simultaneously resisting to offer their own move. †

Leave a Comment