D2
Администратор
- Регистрация
- 19 Фев 2025
- Сообщения
- 4,380
- Реакции
- 0
By Ax Sharma April 3, 2021 05:49 AM
GitHub Actions has been abused by attackers to mine cryptocurrency using GitHub's servers in an automated attack.
GitHub Actions is a CI/CD solution that makes it easy to automate all your software workflows and setup periodic tasks.
The particular attack adds malicious GitHub Actions code to repositories forked from legitimate ones, and further creates a Pull Request for the original repository maintainers to merge the code back, to alter the original code.
But, an action is not required by the maintainer of the legitimate project for the attack to succeed.
BleepingComputer also observed the malicious code loads a misnamed cryptominer npm.exe from GitLab and runs it with the attacker's wallet address.
Repositories use GitHub Actions to facilitate CI/CD automation and scheduling tasks.
However, this particular attack abuses GitHub's own infrastructure to spread malware and mine cryptocurrency on their servers.
The attack involves first forking a legitimate repository that has GitHub Actions enabled.
It then injects malicious code in the forked version, and files a Pull Request for the original repository maintainers to merge the code back.
A screenshot shared by Perdok showed at least 95 repositories targeted by the threat actor:
But, in an unexpected twist, the attack does not need the maintainer of the original project to approve the malicious Pull Request.
Perdok says that merely filing the Pull Request by the malicious attacker is enough to trigger the attack.
As soon as a Pull Request is created for the original project, GitHub's systems would execute the attacker's code which instructs GitHub servers to retrieve and run a cryptominer.
Misnamed cryptominer "npm.exe" hosted on GitLab
But this npm.exe has nothing to do with the offiical NodeJS installers or Node Package Manager (npm). It is a known cryptominer.
As analyzed by BleepingComputer, the attacker launches npm.exe cryptominer passing their wallet address as an argument, shown in bold below:
Код: Скопировать в буфер обмена
In test runs by BleepingComputer, the EXE connected to the turtlecoin.herominers.com cryptocurrency pool and began its coin-mining activities:
Malicious npm.exe conducts cryptomining activities via attacker-provided arguments and wallet address
Source: BleepingComputer
GitHub stated to The Record that they were aware of this activity, which was being actively investigated.
This isn't the first time an attack leveraging GitHub infrastructure has abused GitHub Actions.
Previously, another programmer Yann Esposito had described an identical attack in which an attacker had filed a malicious Pull Request against Esposito's GitHub project.
Last year, BleepingComputer also reported on GitHub being abused to host a wormable botnet Gitpaste-12 which returned the following month with over 30 exploits.
But, unlike Gitpaste-12 or the Octopus Scanner malware that targeted vulnerable projects and devices, as of now, this particular attack seems to be solely abusing GitHub servers for its cryptomining tasks.
Thanks to ANY.RUN for malware analysis VM access.
https://www.bleepingcomputer[.]com/news/security/automated-attack-abuses-github-actions-to-mine-cryptocurrency/
GitHub Actions has been abused by attackers to mine cryptocurrency using GitHub's servers in an automated attack.
GitHub Actions is a CI/CD solution that makes it easy to automate all your software workflows and setup periodic tasks.
The particular attack adds malicious GitHub Actions code to repositories forked from legitimate ones, and further creates a Pull Request for the original repository maintainers to merge the code back, to alter the original code.
But, an action is not required by the maintainer of the legitimate project for the attack to succeed.
BleepingComputer also observed the malicious code loads a misnamed cryptominer npm.exe from GitLab and runs it with the attacker's wallet address.
Forks legitimate code, adds cryptominer and merges it back
This week according to a Dutch security engineer security engineer Justin Perdok, attackers have targeted GitHub repositories that use GitHub Actions to mine cryptocurrency.Repositories use GitHub Actions to facilitate CI/CD automation and scheduling tasks.
However, this particular attack abuses GitHub's own infrastructure to spread malware and mine cryptocurrency on their servers.
The attack involves first forking a legitimate repository that has GitHub Actions enabled.
It then injects malicious code in the forked version, and files a Pull Request for the original repository maintainers to merge the code back.
A screenshot shared by Perdok showed at least 95 repositories targeted by the threat actor:
But, in an unexpected twist, the attack does not need the maintainer of the original project to approve the malicious Pull Request.
Perdok says that merely filing the Pull Request by the malicious attacker is enough to trigger the attack.
As soon as a Pull Request is created for the original project, GitHub's systems would execute the attacker's code which instructs GitHub servers to retrieve and run a cryptominer.
Cryptominer npm.exe downloaded from GitLab
The automated code invoked by the malicious Pull Request instructs GiHub server to download a cryptominer hosted on GitLab which is mislabeled npm.exe.Misnamed cryptominer "npm.exe" hosted on GitLab
But this npm.exe has nothing to do with the offiical NodeJS installers or Node Package Manager (npm). It is a known cryptominer.
As analyzed by BleepingComputer, the attacker launches npm.exe cryptominer passing their wallet address as an argument, shown in bold below:
Код: Скопировать в буфер обмена
Код:
npm.exe --algorithm argon2id_chukwa2
--pool turtlecoin.herominers.com:10380
--wallet TRTLv3ZvhUDDzXp9RGSVKXcMvrPyV5yCpHxkDN2JRErv43xyNe5bHBaFHUogYVc58H1Td7vodta2fa43Au59Bp9qMNVrfaNwjWP
--password xoIn test runs by BleepingComputer, the EXE connected to the turtlecoin.herominers.com cryptocurrency pool and began its coin-mining activities:
Malicious npm.exe conducts cryptomining activities via attacker-provided arguments and wallet address
Source: BleepingComputer
GitHub stated to The Record that they were aware of this activity, which was being actively investigated.
This isn't the first time an attack leveraging GitHub infrastructure has abused GitHub Actions.
Previously, another programmer Yann Esposito had described an identical attack in which an attacker had filed a malicious Pull Request against Esposito's GitHub project.
Last year, BleepingComputer also reported on GitHub being abused to host a wormable botnet Gitpaste-12 which returned the following month with over 30 exploits.
But, unlike Gitpaste-12 or the Octopus Scanner malware that targeted vulnerable projects and devices, as of now, this particular attack seems to be solely abusing GitHub servers for its cryptomining tasks.
Thanks to ANY.RUN for malware analysis VM access.
https://www.bleepingcomputer[.]com/news/security/automated-attack-abuses-github-actions-to-mine-cryptocurrency/