In a massive 'freejacking' campaign, threat actors are illicitly exploiting free online services, such as GitHub, Heroku and Buddy, to mine cryptocurrency. The threat actor behind this campaign is known as Purpleurchin and has been observed performing millions of function calls every day using hundreds to thousands of free accounts on each service.
The threat actor automates the creation of accounts, the set-up of a unique VPN IP address for each created account to evade detection, and the creation of GitHub workflows. An automation script then launches 30 instances of Docker images containing cryptomining software for each action in the GitHub workflow.
The miner appears to mine cryptocurrency through various pools, including Tidecoin, Onyx, Sugarchain, Sprint, Yenten, Arionum, MintMe and Bitweb. It also routes pool traffic through a custom relay for the Stratum mining protocol to obfuscate its mining network activity.
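Because the relay hides the real pool address, blocking known pool domains or IPs is not enough; the mining traffic itself still carries Stratum JSON-RPC method names, which an egress proxy or packet capture can be inspected for. The following detector is an added example written for this post, not code from the original article or from any Binary Defense tooling; the payload lines are constructed samples, and the worker and wallet names in them are placeholders.

```python
import json

# Constructed sample: newline-delimited JSON-RPC lines as they would appear in a
# captured TCP stream or an egress-proxy log that records payloads. Not real traffic;
# the wallet/worker/agent strings are placeholders.
SAMPLE_PAYLOADS = [
    '{"id": 1, "method": "mining.subscribe", "params": ["cpuminer/2.5.1"]}',
    '{"id": 2, "method": "mining.authorize", "params": ["wallet1.worker01", "x"]}',
    '{"id": null, "method": "mining.set_difficulty", "params": [0.001]}',
    '{"id": 3, "method": "mining.submit", "params": ["wallet1.worker01", "job42", "0000", "63ab", "12ab34cd"]}',
    '{"id": 1, "method": "login", "params": {"login": "wallet2", "pass": "x", "agent": "XMRig/6.18.0"}}',
    '{"jsonrpc": "2.0", "method": "getBalance", "params": []}',
    'GET /index.html HTTP/1.1',
    '{"id": 9, "result": true, "error": null}',
]

# Stratum v1 (the protocol the article names) prefixes every client/server method with "mining.".
STRATUM_PREFIX = "mining."


def classify_line(raw):
    """Return a dict describing why one payload line looks like Stratum, or None.

    Two heuristics: a "mining.*" method name (Stratum v1), or a "login" method whose
    params carry both a wallet login and a miner "agent" string (the CryptoNote-style
    Stratum variant used by XMRig-family miners). Non-JSON and non-object lines are skipped.
    """
    try:
        msg = json.loads(raw)
    except (ValueError, TypeError):
        return None
    if not isinstance(msg, dict):
        return None
    method = msg.get("method")
    if not isinstance(method, str):
        return None
    params = msg.get("params")
    if method.startswith(STRATUM_PREFIX):
        return {"method": method, "reason": "stratum v1 method name"}
    if method == "login" and isinstance(params, dict) and {"login", "agent"} <= params.keys():
        return {"method": method, "reason": "cryptonote stratum login", "agent": params["agent"]}
    return None


def scan_stream(lines):
    """Return [(line_index, hit)] for every line that matches a Stratum heuristic."""
    hits = []
    for i, line in enumerate(lines):
        hit = classify_line(line)
        if hit is not None:
            hits.append((i, hit))
    return hits


def summarize(lines):
    """Aggregate a scan into a verdict suitable for an alert: counts plus the methods seen."""
    hits = scan_stream(lines)
    return {
        "lines": len(lines),
        "hits": len(hits),
        "methods": sorted({h["method"] for _, h in hits}),
        "mining_detected": bool(hits),
    }


if __name__ == "__main__":
    print(json.dumps(summarize(SAMPLE_PAYLOADS), indent=2))
```

Content inspection like this works whether the connection goes to a public pool or to the actor's own relay, which is the point of the relay in the first place; pairing the verdict with the source container or workflow run identifier in the log gives responders the pivot they need.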
While this campaign targets free services, Binary Defense researchers have observed an uptick in compromises of paid cloud services such as AWS and Azure for cryptocurrency mining. These attacks are effectively theft and can leave organizations with a large bill.
For example, a developer in Seattle, whose bill was normally $100-$150 per month, incurred a bill of over $53,000. In another case, a California college student was sent a bill for $55,000.
It is highly recommended to use complex passwords that are unique to each application and account, and to enable two-factor authentication. Organizations can also monitor their cloud spending and be warned of such attacks by setting up billing alarms (for example, in AWS): https://docs.aws.amazon.com/AmazonCloudWatch/latest/monitoring/monitor_estimated_charges_with_cloudwatch.html
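A billing alarm of the kind the linked AWS page describes, expressed in code, is shown below as an added example written for this post (not the article's or AWS's own code). It builds the CloudWatch `put_metric_alarm` parameters for the `AWS/Billing` `EstimatedCharges` metric, derives the threshold from a normal monthly spend such as the $100-$150 baseline in the Seattle case, and applies it with boto3 only when run directly. The SNS topic ARN and the multiplier are placeholders, and the account must already have "Receive Billing Alerts" enabled in its billing preferences, since the metric is only published then and only in us-east-1.

```python
# Billing-alarm helper for the AWS/Billing EstimatedCharges metric (added example).
# Assumptions: boto3 credentials with cloudwatch:PutMetricAlarm, an existing SNS topic
# (placeholder ARN below), and billing alerts enabled so the metric exists in us-east-1.

BILLING_REGION = "us-east-1"        # billing metrics are only published in this region
BILLING_PERIOD_SECONDS = 21600      # EstimatedCharges is refreshed roughly every 6 hours


def threshold_from_baseline(monthly_baseline_usd, multiplier=2.0):
    """Alarm when month-to-date spend exceeds a multiple of the normal monthly bill.

    EstimatedCharges is cumulative for the calendar month, so the threshold is compared
    against a whole-month figure, not a daily one. A multiplier of 2 on a $150 baseline
    fires at $300, long before a compromise reaches the five-figure bills described above.
    """
    if monthly_baseline_usd <= 0 or multiplier <= 1:
        raise ValueError("baseline must be positive and multiplier greater than 1")
    return round(monthly_baseline_usd * multiplier, 2)


def billing_alarm_params(alarm_name, threshold_usd, sns_topic_arn):
    """Return the keyword arguments for CloudWatch.put_metric_alarm for a USD charge alarm."""
    return {
        "AlarmName": alarm_name,
        "AlarmDescription": f"Estimated month-to-date AWS charges exceeded USD {threshold_usd}",
        "Namespace": "AWS/Billing",
        "MetricName": "EstimatedCharges",
        "Dimensions": [{"Name": "Currency", "Value": "USD"}],
        "Statistic": "Maximum",
        "Period": BILLING_PERIOD_SECONDS,
        "EvaluationPeriods": 1,
        "Threshold": threshold_usd,
        "ComparisonOperator": "GreaterThanThreshold",
        "AlarmActions": [sns_topic_arn],
        # The metric is absent until the first billing data point of the month; do not alarm on that.
        "TreatMissingData": "notBreaching",
    }


def charge_breaches(estimated_charge_usd, threshold_usd):
    """Same comparison CloudWatch applies, usable locally against a cost report or API output."""
    return estimated_charge_usd > threshold_usd


def create_billing_alarm(monthly_baseline_usd, sns_topic_arn, alarm_name="monthly-spend-anomaly"):
    """Create or update the alarm in us-east-1 and return the parameters that were applied."""
    import boto3  # imported here so the helpers above stay importable without boto3 installed

    params = billing_alarm_params(alarm_name, threshold_from_baseline(monthly_baseline_usd), sns_topic_arn)
    boto3.client("cloudwatch", region_name=BILLING_REGION).put_metric_alarm(**params)
    return params


if __name__ == "__main__":
    # Placeholder topic ARN; replace with the topic that pages the on-call owner.
    applied = create_billing_alarm(150, "arn:aws:sns:us-east-1:123456789012:billing-alerts")
    print(f"alarm {applied['AlarmName']} set at USD {applied['Threshold']}")
```

Two things are worth getting right when adapting this: `Statistic` must be `Maximum` because the metric is cumulative and averaging it across a period understates spend, and a second, higher alarm (say five times baseline) routed to a different channel gives a clear "stop everything" signal distinct from the early warning.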