Researchers on Thursday showed just how fast today’s threat actors are moving to the cloud by reporting that Automated Libra, the South African threat group behind the freejacking campaign PurpleUrchin, created more than 130,000 user accounts on various platforms, including Heroku, Togglebox, and GitHub, to conduct cryptomining operations.
In a blog post, Unit 42 researchers from Palo Alto Networks said in collecting more than 250 gigabytes of container data created by PurpleUrchin, they discovered that the threat actors behind the campaign created three to five GitHub accounts every minute during the peak of the operation in November 2022. They also found that some of the automated account creation cases bypassed CAPTCHA images using simple image analysis techniques.
The Unit 42 researchers said the threat actors conducted cryptomining via a tactic called freejacking, in which attackers abuse cloud platforms that offer limited-time free trials of cloud resources. The accounts were more than likely created with stolen or fake credit cards.
With the free trials, the researchers said the threat actors leveraged DevOps automation techniques such as continuous integration and continuous delivery (CI/CD). They got the most out of these DevOps techniques by containerizing user account creation on cloud platforms and then automating their cryptomining operations.
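The sign-up velocity Unit 42 observed (three to five accounts a minute at the campaign's peak) is itself a detectable signal on the platform side. As an added illustration, not code from the Unit 42 report or from any of the platforms named, the following Python flags platforms where account creation inside any one-minute sliding window reaches that rate; the log lines, platform labels and function names are constructed for the example.

```python
from collections import deque
from datetime import datetime, timedelta

# Constructed sign-up events (not Unit 42 data): "timestamp platform account", one per line.
SIGNUP_LOG = """\
2022-11-14T09:00:05Z github dev-user-1041
2022-11-14T09:00:19Z github dev-user-1042
2022-11-14T09:00:33Z github dev-user-1043
2022-11-14T09:00:47Z github dev-user-1044
2022-11-14T09:01:02Z github dev-user-1045
2022-11-14T09:01:30Z heroku acme-staging
2022-11-14T09:25:00Z github jane-doe
2022-11-14T09:52:00Z github octo-fan
"""


def parse_signups(text):
    """Parse one 'timestamp platform account' event per line into tuples."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, platform, account = line.split()
        events.append((datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"), platform, account))
    return events


def signup_rate_alerts(events, window=timedelta(minutes=1), threshold=3):
    """For each platform, find the largest number of accounts created inside any
    sliding window of `window`; return platforms at or above `threshold` as
    {platform: (peak_count, iso_start_of_peak_window)}.
    The default of 3 per minute is the low end of the rate reported for PurpleUrchin."""
    recent = {}   # platform -> deque of timestamps inside the current window
    peaks = {}    # platform -> (count, window start) of the busiest window seen
    for ts, platform, _account in sorted(events):
        q = recent.setdefault(platform, deque())
        q.append(ts)
        while ts - q[0] > window:        # drop events that fell out of the window
            q.popleft()
        if len(q) > peaks.get(platform, (0, ""))[0]:
            peaks[platform] = (len(q), q[0].isoformat())
    return {p: v for p, v in peaks.items() if v[0] >= threshold}


if __name__ == "__main__":
    for platform, (count, start) in signup_rate_alerts(parse_signups(SIGNUP_LOG)).items():
        print(f"{platform}: {count} accounts within one minute starting {start}")
```

A real deployment would key the window on shared attributes (payment instrument, source network, container image) rather than on the platform alone, but the sliding-window logic is the same.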
Automation designed for developers to build and operate at scale can just as easily be used to scale information security attacks, said Aakash Shah, co-founder and CTO at oak9. Shah said it’s not just development teams that are taking advantage of automation like infrastructure-as-code; this research shows that even attackers are getting sophisticated and leveraging automation to scale and move with velocity — and they are leaving cloud service providers and enterprises with the bill.
“The dichotomy of CTOs struggling to accelerate their cloud and infrastructure-as-code adoption and attackers able to adopt these technologies faster for malicious activities is quite apparent here,” said Shah. “These attackers were able to use infrastructure-as-code to automate their entire attack chain to scale out a form of cryptojacking attacks. It is definitely time to update the MITRE ATT&CK framework with new attacker behaviors. CI/CD vendors and cloud service providers really need to take note here as they will be left with the costs, not to mention the reputational damage.”
Crane Hassold, director of threat intelligence at Abnormal Security, said while the tactics described in the Unit 42 report rely on creating a large number of fake accounts and exploiting free trials, the same techniques could be used to leverage resources in an organization's compromised cloud environment to accomplish the same goals.
“This is one of the reasons cloud credentials are so valuable in today’s underground cybercrime economy,” said Hassold. “They can be exploited in dozens of different ways.”
Dan Benjamin, co-founder and CEO at Dig Security, added that threat actors are becoming increasingly aggressive in the ways they target cloud resources. The Unit 42 report indicates a concerning pattern that has emerged as more businesses take to the cloud, said Benjamin.
“The theft of cloud resources is just the tip of the iceberg,” said Benjamin. “As these hacking groups are emboldened by their growing success, we should expect to see more direct theft of key assets that reside in the cloud, for example company and/or customer data. While freejacking may, on its surface, seem like a victimless crime, these patterns of abuse could have serious downstream consequences if they start to target paid enterprises that rely on cloud infrastructure for operations and data storage.”