Novel PURPLEURCHIN attack uses multiple clouds for cryptojacking

'This is nothing we have seen before' say security researchers at Sysdig

A new and sophisticated type of cryptojacking operation has been uncovered by the Sysdig Threat Research Team (Sysdig TRT).

The operation, which the researchers dub PURPLEURCHIN, is complex and highly automated and uses multiple cloud providers, including GitHub, Heroku and Buddy.works.

Specifically, the threat actors use the free tiers of the cloud CI/CD and DevOps automation services these providers offer.

The researchers found more than 30 free accounts on GitHub, 2,000 on Heroku and 900 on Buddy being used for this purpose.

"The threat actor is targeting several platforms at the same time and seemingly always looking for more," the team said in a statement sent to Computing.

Because the operation uses numerous free accounts, the attackers are able to mine cryptocurrencies in a way that would not be profitable were they to pay for the compute time. Cloud providers are aware of abuses of free accounts - or freejacking, as it's known - and put in place measures to make it difficult, including CAPTCHAs and insisting that free-tier users provide their credit card details. But PURPLEURCHIN seems to have found ways to get around these, according to Sysdig TRT.

After a free account is created, a Docker image is uploaded, from which a CI/CD process such as GitHub Actions is run. One Docker image commonly acts as a command and control (C2) server for many others, with accounts and images constantly changing. In this way, even though the amount of computing power that each image can bring to bear is small, together and over time it adds up, using the same principle as a botnet.
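The pattern described above (a throwaway account whose CI/CD workflow exists only to run a container for as long as the free tier allows) leaves traces in the workflow definition itself. The following is an added illustration, not Sysdig's published detection logic or any tooling from the providers named here: a small heuristic triage of GitHub Actions workflow files, which a platform or repository owner could run over workflows in their own organisation. Workflows are passed in as dicts (the result of loading the YAML file with a library such as PyYAML, which parses the bare `on` key as the boolean `True`); the indicator list, the trusted-registry list and the sample workflows are all assumptions constructed for the example.

```python
"""Heuristic triage of GitHub Actions workflow definitions for signs of
compute-abuse (freejacking). Workflows arrive as dicts, i.e. the output of
yaml.safe_load() on the workflow file. The indicators below are assumptions
for illustration, not a published detection ruleset."""
import re
from typing import Any

# Assumed: registries a defender treats as expected for their organisation.
TRUSTED_REGISTRIES = ("ghcr.io/", "docker.io/library/")

# GitHub's documented hard ceiling for a single job, in minutes.
MAX_JOB_TIMEOUT = 360

# Step that pulls or runs an arbitrary image at runtime rather than using
# the repository's own code.
DOCKER_RUN = re.compile(r"\bdocker\s+(run|pull)\b")


def cron_runs_per_day(expr: str) -> float:
    """Rough run frequency from the minute and hour fields of a 5-field cron
    expression; good enough to tell 'hourly or more' from 'once a day'."""
    fields = expr.split()
    if len(fields) != 5:
        return 0.0
    minute, hour = fields[0], fields[1]
    per_hour = 60 / int(minute[2:]) if minute.startswith("*/") else (60 if minute == "*" else 1)
    hours = 24 / int(hour[2:]) if hour.startswith("*/") else (24 if hour == "*" else 1)
    return per_hour * hours


def assess_workflow(wf: dict[Any, Any]) -> dict[str, Any]:
    """Return a list of findings and a simple score for one workflow."""
    findings: list[str] = []

    # PyYAML turns the unquoted key `on:` into the boolean True.
    triggers = wf.get("on", wf.get(True, {}))
    if isinstance(triggers, dict):
        for entry in triggers.get("schedule") or []:
            per_day = cron_runs_per_day(str(entry.get("cron", "")))
            if per_day >= 24:
                findings.append(f"schedule fires about {per_day:.0f} times per day")

    for name, job in (wf.get("jobs") or {}).items():
        timeout = job.get("timeout-minutes")
        if timeout is not None and int(timeout) >= MAX_JOB_TIMEOUT:
            findings.append(f"job {name}: timeout-minutes at the {MAX_JOB_TIMEOUT}-minute ceiling")

        container = job.get("container")
        image = container.get("image") if isinstance(container, dict) else container
        if image and not str(image).startswith(TRUSTED_REGISTRIES):
            findings.append(f"job {name}: container image from an untrusted registry: {image}")

        for step in job.get("steps") or []:
            if DOCKER_RUN.search(str(step.get("run", ""))):
                findings.append(f"job {name}: step pulls or runs an ad-hoc docker image")
            if str(step.get("uses", "")).startswith("docker://"):
                findings.append(f"job {name}: step runs a container action from a docker:// URL")

    return {"score": len(findings), "findings": findings, "suspicious": len(findings) >= 2}


# Constructed sample: fires every 10 minutes, holds the runner for the maximum
# job time, and does nothing with the repository except run a foreign image.
SUSPICIOUS_WORKFLOW = {
    True: {"schedule": [{"cron": "*/10 * * * *"}], "workflow_dispatch": None},
    "jobs": {
        "build": {
            "runs-on": "ubuntu-latest",
            "timeout-minutes": 360,
            "steps": [{"run": "docker run --rm registry.example.invalid/img:latest"}],
        }
    },
}

# Constructed sample: an ordinary test workflow.
BENIGN_WORKFLOW = {
    True: {"push": {"branches": ["main"]}},
    "jobs": {
        "test": {
            "runs-on": "ubuntu-latest",
            "timeout-minutes": 15,
            "steps": [{"uses": "actions/checkout@v4"}, {"run": "make test"}],
        }
    },
}

if __name__ == "__main__":
    for label, wf in (("suspicious", SUSPICIOUS_WORKFLOW), ("benign", BENIGN_WORKFLOW)):
        result = assess_workflow(wf)
        print(label, result["score"], result["findings"])
```

The score is deliberately crude: any one indicator has legitimate uses (a nightly job may well run a third-party image), so the function only flags a workflow when several stack up, and the finding strings are meant to be read by a person rather than acted on automatically. Account-level signals that the article mentions, such as many newly created accounts each running similar workflows, are visible only to the platform and are not modelled here.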

"GitHub offers 2,000 free GitHub Action minutes per month. That could amount to approximately 33 hours of run time per account created by PURPLEURCHIN," the researchers note.

The constant flux of images also makes it very hard to detect.

The identity of the attackers and their motive are not known. Most likely, the researchers believe, it is simply to make money through mining cryptocurrencies at zero cost to themselves, but the sophistication of the setup could point to something bigger. For example, if they were able to amass sufficient accounts they might be able to pull off a 51% attack on one of the smaller blockchains; or it could be a cover for more nefarious activities.

At the current scale, the team say it is unlikely to be earning a large amount and neither is it a huge burden on the cloud providers, but there's a possibility that it's a proof-of-concept attack that could be scaled up.

"This is nothing we have seen before, and we intend to continue following this activity," the team said.

Sysdig TRT says it plans to publish in-depth findings on its website blog later today.