Hackers used GitHub servers to mine cryptocurrency

The administrators of the code hosting platform GitHub are actively investigating a series of attacks on their cloud infrastructure, since this type of attack allowed hackers to use the company's servers to carry out illicit cryptocurrency mining operations.

During the third quarter of 2020, these attacks relied on a GitHub feature called GitHub Actions, which lets users start tasks automatically after a certain event in their GitHub repositories.

To achieve this exploit, the hackers took control of a legitimate repository by installing malicious code in the original code on GitHub Actions and then submitting a pull request to the original repository to merge the modified code with the legitimate code.

As part of the attack on GitHub, security researchers reported that hackers could run up to 100 cryptocurrency miners in a single attack, creating huge computational loads on GitHub's infrastructure. So far, these hackers appear to operate at random and on a large scale.

Research has revealed that at least one account runs hundreds of update requests that contain malicious code. For now, the attackers do not appear to be actively targeting GitHub users; instead they focus on using GitHub's cloud infrastructure to host cryptomining activity.

Dutch security engineer Justin Perdok told The Record that at least one hacker is targeting GitHub repositories where GitHub Actions could be enabled.

The attack involves forking a legitimate repository, adding malicious GitHub Actions to the original code, and then filing a pull request with the original repository to merge the code with the original.
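A maintainer-side check for the pull-request pattern described above, as an added example that is not code from GitHub or from the article: it reads a unified diff and reports which workflow files the request changes and which execution-related lines it adds. The function names, the `author_is_known` flag and the sample diff are assumptions made for illustration.

```python
import re

# Assumption: workflow files live under .github/workflows/ as .yml or .yaml.
WORKFLOW_PATH = re.compile(r"^\.github/workflows/[^/]+\.ya?ml$")
FILE_HEADER = re.compile(r"^diff --git a/(\S+) b/(\S+)$")
# Workflow keys that introduce command execution or job fan-out.
EXEC_KEY = re.compile(r"^\s*(?:-\s*)?(run|uses|matrix|runs-on)\s*:")

def workflow_changes(diff_text):
    """Map each changed workflow file to the execution-related lines the diff adds."""
    findings, current = {}, None
    for line in diff_text.splitlines():
        header = FILE_HEADER.match(line)
        if header:
            path = header.group(2)
            current = path if WORKFLOW_PATH.match(path) else None
            if current:
                findings[current] = []
        elif current and line.startswith("+") and not line.startswith("+++"):
            if EXEC_KEY.match(line[1:]):
                findings[current].append(line[1:].strip())
    return findings

def hold_for_review(diff_text, author_is_known):
    """Hold CI when an unknown author's pull request touches any workflow file."""
    return bool(workflow_changes(diff_text)) and not author_is_known

# Constructed sample: a typo fix bundled with a workflow change.
SAMPLE_DIFF = """\
diff --git a/README.md b/README.md
@@ -1 +1 @@
-Helo
+Hello
diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml
--- a/.github/workflows/ci.yml
+++ b/.github/workflows/ci.yml
@@ -5,3 +5,8 @@
 jobs:
   build:
     runs-on: ubuntu-latest
+    strategy:
+      matrix:
+        worker: [1, 2, 3, 4]
+    steps:
+      - run: ./build.sh
"""

if __name__ == "__main__":
    print(workflow_changes(SAMPLE_DIFF))
    print("hold CI:", hold_for_review(SAMPLE_DIFF, author_is_known=False))
```

The added `matrix:` line is worth surfacing to a reviewer because job fan-out is what lets a single pull request start many runners at once.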

The first case of this attack was reported by a software engineer in France in November 2020. As with its reaction to the first incident, GitHub stated that it is actively investigating the recent attack. However, GitHub seems to come and go in the attacks, as the hackers simply create new accounts once the company detects and disables the accounts.

In November of last year, a team of Google IT security experts tasked with finding 0-day vulnerabilities exposed a security flaw in the GitHub platform. According to Felix Wilhelm, the Project Zero team member who discovered it, the flaw also affected the functionality of GitHub Actions, a tool for automating developers' work. This is because Actions workflow commands are "vulnerable to injection attacks":

Github Actions supports a feature called workflow commands as a communication channel between the Action runner and the executed action. Workflow commands are implemented in runner/src/Runner.Worker/ActionCommandManager.cs and work by parsing STDOUT of all executed actions for one of two command markers.

GitHub Actions is available on GitHub Free, GitHub Pro, GitHub Free for organizations, GitHub Team, GitHub Enterprise Cloud, GitHub Enterprise Server, GitHub One, and GitHub AE accounts. GitHub Actions is not available for private repositories owned by accounts using legacy plans.

Cryptocurrency mining activity is usually hidden or runs in the background without the consent of the administrator or user. There are two types of malicious cryptomining:

  • Binary mode: these are malicious applications that are downloaded and installed on the target device with the aim of mining cryptocurrencies. Some security solutions identify most of these applications as Trojans.
  • Browser mode: this is malicious JavaScript code embedded in a web page (or in some of its components or objects), designed to mine cryptocurrency from the browsers of the site's visitors. This method, called cryptojacking, has become increasingly popular with cybercriminals since mid-2017. Some security solutions detect most of these cryptojacking scripts as potentially unwanted applications.
