A South African threat actor known as “Automated Libra” is improving its techniques to exploit cloud platform resources for cryptocurrency mining.
According to Palo Alto Networks' Unit 42, the threat actor now uses a new CAPTCHA-solving system, uses CPU resources more aggressively for mining, and combines "freejacking" with "play and run" techniques.
From a technical perspective, freejacking is commonly understood as the process of using free (or limited-time) cloud resources to perform cryptomining operations.
"While freejacking may appear to be a victimless crime on the surface, these patterns of abuse will start targeting paid businesses that rely on cloud infrastructure for operations, data storage, and more, and could have serious consequences downstream," said Dig Security CEO Dan Benjamin.
Automated Libra was first documented by Sysdig analysts in October 2022, who named the malicious cluster of activity "PurpleUrchin" and associated the group with freejacking operations.
Palo Alto Networks' researchers said they have collected over 250 GB of container data from PurpleUrchin operations, and found that the hackers behind the campaign were creating 3-5 GitHub accounts every minute at the peak of operations in November 2022.
The Unit 42 advisory also states: "We have also found that in some cases of automated account creation, the attackers bypassed CAPTCHA images using simple image analysis techniques."
"We have also seen the creation of over 130,000 user accounts on various cloud platform services such as Heroku, Togglebox, and GitHub."
Additionally, the team found evidence of outstanding balances on multiple accounts created on some of these cloud service platforms, suggesting that the attackers used stolen or counterfeit credit cards to create fake accounts.
"This discovery allows us to determine that the attackers behind the PurpleUrchin operation stole cloud resources from multiple cloud service platforms through a tactic Unit 42 researchers called 'play and run,'" Unit 42 wrote.
“This tactic involves malicious actors using cloud resources and refusing to pay for those resources when the bill arrives.”
According to Davis McCarthy, Principal Security Researcher at Valtix, this operation, which bypasses security controls such as CAPTCHAs and uses stolen credit cards to pay bills, illustrates the depth of the threat landscape.
"Organizations need to operationalize this intelligence to determine if this type of attack is likely to impact them. They will never stop trying to monetize compute and storage resources," McCarthy told Infosecurity Magazine.
The Palo Alto Networks advisory follows Netskope's Threat Labs report, which found Microsoft OneDrive to be the most abused cloud app for delivering malicious content in 2022.