Hackers used GitHub’s cloud infrastructure for hidden cryptocurrency mining. The cryptojacking attacks have been carried out since the fall of 2020 and affected GitHub Actions.
Code hosting service GitHub is investigating a series of attacks on its cloud infrastructure. These attacks allowed cybercriminals to use the company’s servers for covert cryptocurrency mining operations and were first discovered by a French software engineer last November.
The cryptojacking attack affected a GitHub feature called GitHub Actions, which lets users automatically run tasks and workflows triggered by specific events in their repositories.
To launch cryptocurrency mining software, the attackers forked an existing repository, added a malicious GitHub Actions element to the source code, and then sent a Pull Request to the original repository to merge the modified code back.
According to the Dutch security engineer Justin Perdok, the project owner did not need to approve the malicious merge request, because immediately after it was submitted, GitHub’s systems read the attacker’s code and launched a virtual machine that downloaded and ran cryptocurrency mining software.
He added: “Attackers are deploying up to 100 cryptocurrency miners in a single attack, creating huge computational loads for the GitHub infrastructure.”
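A defender-side check for the pattern described above, as an added example that is not from the original article or from GitHub: it reads a `pull_request` webhook payload and the pull request's changed-file list, and holds fork pull requests from unknown authors that touch `.github/workflows/`. The payloads and the repository name are constructed, and the function names and the `run`/`review`/`hold` policy are assumptions.

```python
# Added example: triage pull requests that could start untrusted CI runs.
WORKFLOW_DIR = ".github/workflows/"
TRUSTED = {"OWNER", "MEMBER", "COLLABORATOR"}  # author_association values

def workflow_changes(files):
    """Workflow files the PR adds, modifies or renames (deletions ignored)."""
    return [f["filename"] for f in files
            if f["filename"].startswith(WORKFLOW_DIR) and f["status"] != "removed"]

def triage(event, files):
    """Return (decision, touched_workflows) for one pull_request event.

    'run'    same-repo branch or trusted author
    'review' fork PR from an unknown author, workflows untouched
    'hold'   fork PR from an unknown author that changes a workflow
    """
    pr = event["pull_request"]
    head = pr["head"]["repo"]  # None when the fork has been deleted
    from_fork = head is None or head["full_name"] != pr["base"]["repo"]["full_name"]
    trusted = pr["author_association"] in TRUSTED
    touched = workflow_changes(files)
    if not from_fork or trusted:
        return "run", touched
    return ("hold" if touched else "review"), touched

def make_event(head_repo, association):
    """Constructed payload holding only the fields triage() reads."""
    head = {"full_name": head_repo} if head_repo else None
    return {"pull_request": {"head": {"repo": head},
                             "base": {"repo": {"full_name": "example-org/project"}},
                             "author_association": association}}

# Constructed changed-file lists, shaped like the "list pull request files" API.
ADDS_WORKFLOW = [{"filename": ".github/workflows/ci.yml", "status": "modified"},
                 {"filename": "README.md", "status": "modified"}]
DOCS_ONLY = [{"filename": "README.md", "status": "modified"}]

if __name__ == "__main__":
    cases = [("fork, unknown author, workflow changed",
              make_event("stranger/project", "NONE"), ADDS_WORKFLOW),
             ("fork, unknown author, docs only",
              make_event("stranger/project", "NONE"), DOCS_ONLY),
             ("same-repo branch, member",
              make_event("example-org/project", "MEMBER"), ADDS_WORKFLOW)]
    for label, event, files in cases:
        print(label, "->", triage(event, files))
```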
The mining software included SRBMiner, software for mining multiple cryptocurrencies using graphics cards and processors. Apparently, the attackers did not try to harm the repositories, but only wanted to mine cryptocurrencies for free using GitHub servers.
As a reminder, Check Point’s January report noted the dominance of cryptojacking among cyberattacks and predicted an increase in the spread of software for hidden cryptocurrency mining in cloud infrastructures.