According to researchers, these developer resources were also targeted last year for Monero mining but now “the campaign has resurfaced with vengeance.”
In September 2020, Aqua Security’s Team Nautilus discovered a campaign that targeted GitHub and Docker Hub automated build processes for cryptocurrency mining. At the time, the company notified the services, and the attack was blocked.
According to Aqua’s latest report, the same campaign has resurfaced, and this time it is a lot more intense. Using Aqua Dynamic Threat Analysis (DTA), the researchers found that within just four days the attackers had set up around 92 malicious Bitbucket repositories and 92 malicious Docker Hub registries. Their purpose is to perform cryptocurrency mining using these resources.
Unique Integration Process
According to Aqua Security’s lead data analyst Assaf Morag, the threat actors have created a continuous integration process. This is a unique process as it initiates multiple auto-build processes every hour. On each build, they execute a Monero crypto miner.
Straightforward Kill Chain
In this crypto mining campaign, threat actors have used a straightforward kill chain. First, the attackers register multiple fake email addresses via a Russian provider and then set up a Bitbucket account with numerous repositories, using official-looking documents to make them appear legitimate.
A similar method is used with Docker Hub as threat actors are creating accounts with various linked registries. They build images on Bitbucket/Docker Hub environments and hijack their resources to illegally mine for Monero.
How to Stay Secure?
The campaign proves that cloud-native environments are the current favorite target of cybercriminals.
“Bad actors are constantly evolving their techniques to hijack and exploit cloud compute resources for cryptocurrency mining,” Morag explained in a blog post.
Aqua Security stresses that strict access controls, least-privilege enforcement, and robust authentication measures on these environments are essential.
“Also continuous monitoring and restrictions on outbound network connections to prevent both data theft and resource abuse” is crucial, researchers noted.
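The two concrete recommendations above, continuous monitoring and restrictions on outbound network connections, can be turned into a small detection check run over build-agent logs. The example below is added here and is not code from the article or from Aqua Security; the log format, the hostnames (bitbucket.example.org, pool.example.net, pypi.example.org) and the egress allowlist are all constructed for illustration. It parses key=value event lines, flags any outbound connection from a build that is not on the allowlist, and flags commands that reference a mining-pool URL (the stratum protocol) or Monero, which is what the campaign described above mines.

```python
import re
from dataclasses import dataclass
from typing import Dict, List, Set

# Constructed sample build-agent log (illustrative only; not from the page or from Aqua's report).
SAMPLE_LOG = """\
2021-03-01T10:00:01Z build=42 step=clone dst=bitbucket.example.org:443 proto=tcp
2021-03-01T10:00:05Z build=42 step=run cmd="./build.sh"
2021-03-01T10:00:06Z build=42 step=run dst=pool.example.net:3333 proto=tcp
2021-03-01T10:00:07Z build=42 step=run cmd="./miner -o stratum+tcp://pool.example.net:3333"
2021-03-01T10:05:00Z build=43 step=clone dst=bitbucket.example.org:443 proto=tcp
2021-03-01T10:05:02Z build=43 step=run cmd="pytest"
2021-03-01T10:05:09Z build=43 step=run dst=pypi.example.org:443 proto=tcp
"""

# Egress allowlist: the only hosts a legitimate build on this hypothetical pipeline may reach.
ALLOWED_DESTINATIONS = {"bitbucket.example.org:443", "pypi.example.org:443"}

# Mining indicators in command lines: stratum:// is the protocol miners use to talk to pools,
# and the campaign on this page mines Monero (XMR).
MINING_PATTERNS = (
    re.compile(r"stratum\+(?:tcp|ssl)://", re.IGNORECASE),
    re.compile(r"\b(?:xmr|monero)\b", re.IGNORECASE),
)

# key=value or key="quoted value" tokens, as in the constructed log format above
KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')


@dataclass(frozen=True)
class Finding:
    build: str
    kind: str    # "unexpected_egress" or "mining_indicator"
    detail: str  # the offending destination or the matched indicator


def parse_line(line: str) -> Dict[str, str]:
    """Turn one 'key=value key="quoted value"' log line into a dict."""
    return {key: value.strip('"') for key, value in KV_RE.findall(line)}


def analyze(log_text: str, allowed: Set[str]) -> List[Finding]:
    """Scan every event; report off-allowlist egress and mining indicators per build."""
    findings: List[Finding] = []
    for line in log_text.splitlines():
        event = parse_line(line)
        build = event.get("build", "?")

        # Rule 1: any outbound connection not on the allowlist is a finding.
        dst = event.get("dst")
        if dst and dst not in allowed:
            findings.append(Finding(build, "unexpected_egress", dst))

        # Rule 2: a command referencing a mining pool or Monero is a finding.
        cmd = event.get("cmd", "")
        for pattern in MINING_PATTERNS:
            match = pattern.search(cmd)
            if match:
                findings.append(Finding(build, "mining_indicator", match.group(0)))
                break
    return findings


def suspicious_builds(findings: List[Finding]) -> Set[str]:
    """Builds that should be stopped and reviewed."""
    return {f.build for f in findings}


if __name__ == "__main__":
    for finding in analyze(SAMPLE_LOG, ALLOWED_DESTINATIONS):
        print(f"build {finding.build}: {finding.kind} ({finding.detail})")
```

Run against the constructed log, build 42 is reported twice (an off-allowlist connection to pool.example.net:3333 and a stratum URL in its command line) and build 43 is clean. The egress rule is the one worth keeping even when the indicator list goes stale: a build that only needs to fetch source and packages has no reason to open connections anywhere else, so enforcing the same allowlist at the network layer, not just in logs, is what actually denies the miner its pool.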