Cloud computing has become an ever more present part of our day-to-day lives, but the risks of malware hosted on its platforms are as prevalent as any offline servers. Aqua Security’s cybersecurity research team, Team Nautilus, yesterday unveiled a resurgence in attacks against GitHub and Docker Hub, two large platforms that support cloud computing development, which place Monero cryptocurrency miners on the platform and execute them.
“This campaign shows the ever-growing sophistication of attacks targeting the cloud native stack,” says Assaf Morag of Aqua Security. “Bad actors are constantly evolving their techniques to hijack and exploit cloud compute resources for cryptocurrency mining. It also reminds us that developer environments in the cloud represent a lucrative target for attackers as usually they are not getting the same level of security scrutiny.”
Team Nautilus had previously uncovered a similar campaign in September 2020 that exploited the automated build processes on GitHub and Docker Hub to create miners that would benefit cyber criminals. When the issue was raised back then, both websites managed to intervene to stop the attacks proliferating.
Monero mining returns
Yet a similar threat vector appears to be a real risk to users of both websites. Within four days, Team Nautlius’s Aqua Dynamic Threat Analysis system detected 92 Docker Hub registries and 92 further Bitbucket repositories designed to harness the power of the cloud to mine cryptocurrency without being identified. All the miners were detected in a four-day period, showing the alarming potential scale of the problem if left unchecked.
“The adversaries create a continuous integration process that every hour initiates multiple auto-build processes, and on each build, a Monero cryptominer is executed.”
The accounts that hosted the miners were associated with burner email accounts created using free Russian email providers – potentially a clue to the origin of the accounts and the attack.
Those burner emails were then used to register a Bitbucket account that hid in plain sight. Each cryptominer was in fact presented as a legitimate project, with documentation that made it appear to be a prosperous, useful bit of code. It is, in fact, hiding a deep secret – it’s malware.
Docker Hub caught up in the con
From there, the proponents of the attacks create a Docker Hub account, developing several registries, each of which hides the malware while using the same trick as on Bitbucket: benign documentation belies the serious risk of the actual code it uses.
Each bit of code creates an image on the websites it is hosted on that hijacks cloud computing resources and diverts them to mine Monero. The goal is to try and strike it rich in the world of cryptocurrencies, mining enough coins to be able to make money. Monero has long been a source of ill-gotten gains among the cryptocurrency criminals of the world.
A 2019 analysis of the cryptocurrency found that one in 25 Monero coins was associated with illicit mining.
Previously, most of the miners were based on hijacking end user hardware, through browser extensions and malware installed on desktops and laptops without users knowing.
In all, millions of dollars of Monero have been minted in this way. But cybercriminals looking to profit from illicit mining appear to have changed their strategies, instead taking advantage of the existing cloud computing providers that host code that doesn’t require access to end user devices in order to try and silently harness processing power that can make them rich. “As always, we recommend that such environments have strict access controls, authentication, and least-privilege enforcement, but also continuous monitoring and restrictions on outbound network connections to prevent both data theft and resource abuse,” says Morag.