Threat Watch

Attackers Utilize GitHub’s CI/CD Actions Features

Recently, attackers have been utilizing the continuous integration/continuous delivery (CI/CD) features on GitHub (GitHub Actions) to merge unauthorized cryptocurrency miners into repositories. The attackers will fork a repository, include the miner, then create a massive number of pull requests for all of the originating repositories with the included miner code. The attackers are using the Monero miner XMRig and a miner known as npm.exe (no relation to Node.js). As of right now, 90+ known repositories are being targeted, but its effectiveness has yet to be seen as diligent repository maintainers will know something suspicious is occurring by carefully checking the details of code changes in pull requests before accepting them.

ANALYST NOTES

As mentioned before, the scope of how effective the attackers were in mining has yet to be determined. Bleeping Computer’s coverage has not yet included the dollar amount that the miners have generated so far. As threat actors include automation into their toolbox, these kinds of situations will grow beyond simple mining operations. Suppose an organization utilizes GitHub to maintain an open-source project. In that case, the maintainers must keep a close eye on what is being included in the pull requests to avoid attacks such as these.

Reference:
https://www.bleepingcomputer.com/news/security/github-actions-being-actively-abused-to-mine-cryptocurrency-on-github-servers/

Justin Perdok – Twitter