Security researchers at Sysdig have observed a crypto-mining campaign that relies specifically on free trial accounts from cloud service providers. This is how the cybercriminals obtain free cryptocurrency-mining resources. But the masterminds behind the "Purple Urchin" campaign could also be pursuing more far-reaching goals.
Free developer resources
Cloud providers typically offer developers free access to their cloud resources for promotional and testing purposes. Although there are usually limits, containers or OS images can still be started and computing time consumed in them. To protect themselves from fraud and abuse, the providers try to prevent automated account creation, for example with a captcha or by requiring valid credit card details to be stored.
Despite this, the cybercriminals behind Purple Urchin have mechanisms that allow them to create accounts in bulk. This crypto-mining network of accounts is connected to a central command-and-control server, as Sysdig explains in a detailed description.
Most of the virtual machines run at the providers GitHub, Heroku and Buddy.works. Sysdig identified 30 GitHub accounts, 2,000 Heroku accounts and 900 Buddy accounts as part of the Purple Urchin campaign. The accounts are banned again and again, but the masterminds constantly open new ones and add them back into the crypto-mining network.
The motive behind the operation is almost certainly money. The attackers therefore run as many crypto-mining machines as possible with a high degree of automation. By abusing the free trial offers, they shift the costs onto the providers. However, they may also be pursuing other goals.
The motives of cyber gangsters
Currently, the containers found are only mining cryptocurrencies with low profit margins. Sysdig suspects that this may only be a test before a switch to more valuable cryptocurrencies. However, it could also be preparation for attacks on the underlying blockchain, in which the mining network controls more than 51% of the proof-of-work hashing power. That could be used to validate arbitrary transactions involving the cyber gangsters' crypto wallets. It could also be a cover to distract from espionage activities running in the background.
Some details of the operation indicate an elaborate campaign. The masterminds only update two to six of their 130 Docker images at a time so as not to attract attention. The GitHub repositories that the criminals use to publish the Docker images are used for only about two days after their creation, so the turnover there is much higher. Sysdig assumes that either the free quota has been used up (there are "only" 33 hours of free computing time) or that GitHub has banned the abusive accounts. Sysdig puts the cost to GitHub alone at around $103,000.
In its analysis, Sysdig's researchers discuss technical details of the various containers, their exact purposes and the VPN connections used. There are also indicators of malicious activity, such as the GitHub usernames, the crypto wallets that appeared, and the IP addresses of the command-and-control servers.
Even if a fraudulently used virtual machine costs the provider little and earns the cybercriminals little, this changes once the operation grows to several thousand instances. Cryptocurrency mining therefore remains one of the main uses attackers make of hijacked cloud resources. Google, for example, has introduced crypto-mining protection for its cloud offerings.