Hackers made use of GitHub servers for cryptocurrency mining


The administrators of the code hosting platform GitHub are actively investigating a series of attacks on its cloud infrastructure, in which attackers used the company's servers to carry out illicit cryptocurrency mining.

During the third quarter of 2020, these attacks relied on a GitHub feature called GitHub Actions, which lets users run tasks automatically when a certain event occurs in their GitHub repositories.

To carry out the attack, the hackers took a copy of a legitimate repository, planted malicious code in its GitHub Actions configuration, and then opened a pull request against the original repository to merge the modified code with the legitimate code.

As part of the attack on GitHub, security researchers reported that hackers could run up to 100 cryptocurrency miners in a single attack, creating huge computational loads on the GitHub infrastructure. So far, these hackers appear to operate randomly and on a large scale.

Research has revealed that at least one account has submitted hundreds of pull requests containing malicious code. Right now, the attackers don't appear to be targeting GitHub users themselves; instead they focus on using GitHub's cloud infrastructure to host crypto mining activity.

Dutch security engineer Justin Perdok told The Record that at least one hacker is targeting GitHub repositories where GitHub Actions can be enabled.

The attack involves forking a legitimate repository, adding malicious GitHub Actions to the forked copy, and then submitting a pull request to the original repository to merge the modified code back into it.

The first case of this attack was reported by a software engineer in France in November 2020. As with the first incident, GitHub stated that it is actively investigating the recent attack. However, GitHub appears to be playing cat and mouse with the attackers, who simply create new accounts once the company detects and deactivates the offending ones.

In November last year, a team of Google security experts tasked with finding 0-day vulnerabilities disclosed a security flaw in the GitHub platform. According to Felix Wilhelm, the Project Zero team member who discovered it, the flaw affected GitHub Actions, a tool for automating developers' work, because Actions workflow commands are "vulnerable to injection attacks":

GitHub Actions supports a feature called workflow commands as a communication channel between the Action broker and the action that is being carried out. Workflow commands are implemented in runner/src/Runner.Worker/ActionCommandManager.cs and work by parsing STDOUT of all actions performed for one of the two command markers.
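To make the injection risk in that description concrete, here is an added example in Python. It is not the article's code and not the runner's ActionCommandManager.cs; it is a toy that mimics the documented "::name key=value::data" command syntax (and the older "##[name key=value]data" marker) and scans step output line by line the way the quote describes. The step output, the CI_INJECTED variable name and the JobState/process_stdout helpers are constructed for the example. It shows why a log line that merely echoes untrusted text can be interpreted as a command, and how refusing the environment-altering commands (as GitHub did when it disabled set-env and add-path in November 2020 in favour of the GITHUB_ENV and GITHUB_PATH files) removes that outcome.

```python
import re
from dataclasses import dataclass, field

# Toy parser for the documented workflow-command syntaxes (added example, not
# the runner's own code):
#   modern:  ::name key=value,key2=value2::data
#   legacy:  ##[name key=value]data
MODERN_RE = re.compile(r"^::(?P<name>[A-Za-z0-9_-]+)(?:\s+(?P<props>[^:]*))?::(?P<data>.*)$")
LEGACY_RE = re.compile(r"^##\[(?P<name>[A-Za-z0-9_-]+)(?:\s+(?P<props>[^\]]*))?\](?P<data>.*)$")

# Commands that let step output rewrite the job's environment. GitHub disabled
# "set-env" and "add-path" after the Project Zero report; the hardened mode
# below models that decision.
ENV_ALTERING = {"set-env", "add-path"}


@dataclass
class JobState:
    """Constructed model of what the runner accumulates while reading stdout."""
    env: dict = field(default_factory=dict)
    path: list = field(default_factory=list)
    outputs: dict = field(default_factory=dict)
    messages: list = field(default_factory=list)


def parse_command(line: str):
    """Return (name, props, data) if the line is a workflow command, else None."""
    m = MODERN_RE.match(line.strip()) or LEGACY_RE.match(line.strip())
    if not m:
        return None
    props = {}
    for item in (m.group("props") or "").split(","):
        if "=" in item:
            key, value = item.split("=", 1)
            props[key.strip()] = value.strip()
    return m.group("name"), props, m.group("data")


def process_stdout(lines, allow_env_commands: bool) -> JobState:
    """Scan a step's output line by line and apply any commands found.

    allow_env_commands=True reproduces the pre-disclosure behaviour; False
    models the hardened runner that refuses environment-altering commands.
    """
    state = JobState()
    for line in lines:
        cmd = parse_command(line)
        if cmd is None:
            continue  # ordinary log line, nothing to do
        name, props, data = cmd
        if name in ENV_ALTERING and not allow_env_commands:
            state.messages.append(f"rejected {name}: environment commands are disabled")
            continue
        if name == "set-env":
            state.env[props["name"]] = data
        elif name == "add-path":
            state.path.append(data)
        elif name == "set-output":
            state.outputs[props["name"]] = data
        elif name in ("warning", "error", "notice"):
            state.messages.append(f"{name}: {data}")
    return state


# Constructed step output: the step echoes an untrusted string (think of a pull
# request title) that happens to begin with the command marker, followed by a
# legitimate set-output line from the step itself.
CONSTRUCTED_STDOUT = [
    "Running tests for pull request #123",
    "::set-env name=CI_INJECTED::from-untrusted-output",
    "::set-output name=result::ok",
]

if __name__ == "__main__":
    legacy = process_stdout(CONSTRUCTED_STDOUT, allow_env_commands=True)
    hardened = process_stdout(CONSTRUCTED_STDOUT, allow_env_commands=False)
    print("legacy env:  ", legacy.env)        # the echoed line became a job variable
    print("hardened env:", hardened.env)      # empty: the command was refused
    print("hardened log:", hardened.messages)
```

The point for a defender is that the parser cannot tell an intentional command from untrusted text that merely looks like one, so the fix had to remove the dangerous commands from the channel rather than try to filter inputs; workflows that still need to set variables should write to the GITHUB_ENV file instead.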

GitHub Actions is available on GitHub Free, GitHub Pro, GitHub Free for Organizations, GitHub Team, GitHub Enterprise Cloud, GitHub Enterprise Server, GitHub One, and GitHub AE accounts. GitHub Actions is not available for private repositories owned by accounts using older plans.

Cryptocurrency mining activity is usually hidden or run in the background without administrator or user consent. There are two types of malicious crypto mining:

  • Binary mode: malicious applications downloaded and installed on the target device with the aim of mining cryptocurrency. Some security solutions identify most of these applications as Trojans.
  • Browser mode: malicious JavaScript code embedded in a web page (or in some of its components or objects), designed to mine cryptocurrency using site visitors' browsers. This method, called cryptojacking, has been increasingly popular among cybercriminals since mid-2017. Some security solutions detect most of these cryptojacking scripts as potentially unwanted applications.
