IT security researchers at Sysdig have spotted a crypto miner campaign that relies exclusively on free trial accounts from cloud providers. Thus cybercriminals get free access to resources for mining cryptocurrencies. But the masterminds behind the “Purple Urchin” campaign may pursue more far-reaching goals as well.
Free developer resources
Cloud providers usually give developers free access to their cloud resources for advertising and testing purposes. Although there are usually limits, container or operating system images can still be started and the allotted computing time used up inside them. To protect themselves from crooks and rogues, providers try to prevent automated account creation, for example by requiring a CAPTCHA or valid credit card details.
Despite this, the cybercriminals behind Purple Urchin have automated account creation on a mass scale. According to Sysdig's detailed analysis, a network of such crypto-mining images connects to a central command-and-control server.
Most of the virtual machines run at the providers GitHub, Heroku and Buddy.works. Sysdig identified 30 GitHub accounts, 2,000 Heroku accounts and 900 Buddy accounts as part of the Purple Urchin campaign. Accounts are blocked repeatedly, but the masterminds continually open new ones and integrate them back into the crypto-mining network.
The motive behind the operation is almost certainly money. Malicious actors are therefore running more and more heavily automated crypto miners. By abusing free trial offers, they shift the costs onto the providers. However, they could be pursuing other goals as well.
Intent of the cyber gangsters
Currently, the containers found only mine cryptocurrencies with low profit margins. Sysdig suspects that this may only be a test run before switching to a more valuable cryptocurrency. However, it could also be preparation for attacks on the underlying blockchain, since the mining network can handle more than 51 percent of the proof of work; that would allow validating any transaction involving the cyber gangsters' crypto wallet. It could also be camouflage to distract from espionage activities going on in the background.
Some details of the operation suggest that it is an elaborate one. The masterminds update only two to six of the 130 Docker images at a time so as not to attract attention. The cybercriminals use the GitHub repositories to launch Docker images within two days of an account's creation. Activity here fluctuated considerably: Sysdig estimates that either the free quota ("only" 33 hours of computing time) was used up or that GitHub blocked the offending accounts. According to Sysdig, the damage for GitHub alone amounts to around US$103,000.
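The pattern described in this and the previous paragraphs (accounts that start Docker images within two days of creation, burn through the free quota, get blocked, and are replaced while all of them talk to one central server) lends itself to a simple abuse heuristic on the provider side. The following script is an added example, not code from Sysdig or from any provider: it scores constructed account records against the article's two-day launch window and 33-hour quota, then groups the flagged accounts by shared egress destination to surface the central command-and-control pattern. The record format, the 90 percent quota threshold and the sample account names and TEST-NET IP addresses are all assumptions.

```python
"""Heuristic flagging of free-tier crypto-mining abuse (added example).

Record format, thresholds and sample data are assumptions constructed for
illustration; they are not taken from Sysdig's analysis.
"""
from collections import defaultdict
from datetime import datetime, timedelta

FREE_QUOTA_HOURS = 33.0            # free compute quota named in the article
LAUNCH_WINDOW = timedelta(days=2)  # article: images launched within two days of creation
QUOTA_FRACTION = 0.9               # assumption: flag accounts that burn >= 90 % of the quota

# Constructed sample records (not real accounts; IPs are from the TEST-NET range).
ACCOUNTS = [
    {"user": "acct-a1", "created": "2022-10-01T09:00:00",
     "first_launch": "2022-10-02T10:00:00", "hours_used": 32.5,
     "egress": ["203.0.113.10"]},
    {"user": "acct-a2", "created": "2022-10-03T11:00:00",
     "first_launch": "2022-10-03T11:30:00", "hours_used": 31.0,
     "egress": ["203.0.113.10", "203.0.113.20"]},
    {"user": "acct-b1", "created": "2022-09-01T08:00:00",
     "first_launch": "2022-09-20T08:00:00", "hours_used": 33.0,
     "egress": ["203.0.113.30"]},   # heavy but slow to start: a normal busy developer
    {"user": "acct-c1", "created": "2022-10-05T12:00:00",
     "first_launch": "2022-10-05T13:00:00", "hours_used": 2.0,
     "egress": ["203.0.113.10"]},   # fast start but light usage: not flagged
]


def _ts(value: str) -> datetime:
    return datetime.fromisoformat(value)


def is_suspicious(acct: dict) -> bool:
    """True when the account launched images quickly AND nearly exhausted the quota."""
    fast_start = _ts(acct["first_launch"]) - _ts(acct["created"]) <= LAUNCH_WINDOW
    heavy_use = acct["hours_used"] >= QUOTA_FRACTION * FREE_QUOTA_HOURS
    return fast_start and heavy_use


def flag_accounts(accounts: list[dict]) -> list[str]:
    """Return the usernames matching the abuse heuristic, in input order."""
    return [a["user"] for a in accounts if is_suspicious(a)]


def cluster_by_egress(accounts: list[dict], min_size: int = 2) -> dict[str, list[str]]:
    """Group flagged accounts by shared egress destination.

    Several short-lived, quota-burning accounts that all contact the same
    destination is the 'central command-and-control server' shape described
    in the article; a destination seen from only one flagged account is ignored.
    """
    flagged = set(flag_accounts(accounts))
    groups: dict[str, set[str]] = defaultdict(set)
    for acct in accounts:
        if acct["user"] in flagged:
            for dest in acct["egress"]:
                groups[dest].add(acct["user"])
    return {dest: sorted(users) for dest, users in groups.items()
            if len(users) >= min_size}


if __name__ == "__main__":
    print("flagged:", flag_accounts(ACCOUNTS))
    print("shared destinations:", cluster_by_egress(ACCOUNTS))
```

On the constructed data only `acct-a1` and `acct-a2` are flagged, and both share the destination `203.0.113.10`; the account that used its whole quota over three weeks and the one that started fast but used two hours are left alone. In practice the thresholds would be tuned against a provider's real usage distribution, and the egress grouping would be fed from flow logs rather than a static list.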
In its analysis, Sysdig's researchers discuss technical details about the various containers, their exact purposes, and the VPN connections used. They also list indicators of compromise, such as GitHub usernames, the crypto wallets that have emerged, and the IP addresses of the command-and-control servers.
Even if a single fraudulently used virtual machine costs the provider little and earns the cybercriminals little, that changes when scaled up to several thousand machines. Crypto mining is therefore one of the most common uses cloud intruders put compromised resources to. Google, for example, has added crypto-miner protection to its cloud offerings.