GitHub Server Infrastructure Abused In Relentless Crypto-Mining Attack

hero 2 github cloud infrastructure used for cyrptocurrency mining by cybercriminals
Late last month, we reported on a trend of rising cybersecurity incidents worldwide that could lead to the end of some businesses. Now, the latest cyberattack victim is Microsoft-owned GitHub, with reports of cybercriminals leveraging GitHub cloud infrastructure to mine cryptocurrency.

Since at least the Fall of 2020, attackers have been abusing a feature called GitHub Actions, which lets users automate tasks and workflows once an event happens within a repository. Once triggered, GitHub Actions can spool up a VM or a container to typically test out code in a live environment. In a phone call to The Record, Dutch security engineer Justin Perdok explained that “at least one threat actor is targeting GitHub repositories where GitHub Actions might be enabled.”

github cloud infrastructure used for cyrptocurrency mining by cybercriminals justin perdok

The attack works by forking, or copying, legitimate code from a GitHub repository and then adding malicious content. Once the content is embedded into the copy, the cybercriminal would then make a Pull Request to merge the code back with the original. Interestingly, the attack does not rely on the Pull Request being approved, but just making the request is enough according to Perdok.

github cloud infrastructure used for cyrptocurrency mining by cybercriminals justin perdok 2

The attackers specifically target repositories with automated workflows that test incoming pull requests via the automated jobs with GitHub Actions. When the malicious Pull Request is filed, GitHub spins up a VM for the request to “test” the code, which now includes a cryptocurrency miner which will run on GitHub’s infrastructure indefinitely in theory. Perdok also stated that he had projects abused this way and has also seen “attackers spin up to 100 crypto-miners via one attack alone, creating huge computational loads for GitHub’s infrastructure.”

In an email, GitHub explains that it “aware of this activity and are actively investigating,” and has been doing so since last year when the attack was first reported. This is likely a rather difficult issue to fix without changing how GitHub Actions works. Moreover, if you ban accounts, new ones crop up almost immediately. In any case, we will have to see how GitHub properly responds to this security incident, so stay tuned to HotHardware for updates.

(Images courtesy of The Record and Justin Perdok)