PurpleUrchin: GitHub Actions Hijacked for Crypto Mining

The Sysdig Threat Research Team has uncovered an extensive crypto mining operation, PurpleUrchin, which abuses free continuous integration and deployment service accounts.
This is why we can’t have nice things. It’s great that many cloud and continuous integration/deployment (CI/CD) providers, such as Buddy.works, GitHub, and Heroku offer free services. But now, in a massive new case of freejacking, the Sysdig Threat Research Team (Sysdig TRT) has found attackers using over a million free serverless function calls, such as GitHub Actions, to run a gigantic automated cryptocurrency mining operation, PurpleUrchin.
Sheer Scale
“Freejacking,” you ask? It’s a new name for an old technique of abusing free service offerings, in this case free compute resources. What makes PurpleUrchin different is its sheer scale. Instead of setting up a handful of free accounts, this highly obfuscated, multilevel attack constantly creates new accounts and then plants more than 130 Docker Hub images while regularly rotating CI/CD accounts on multiple platforms. Altogether, more than 30 GitHub accounts, 2,000 Heroku accounts, and 900 Buddy-infected accounts have been found. The threat actor is targeting several platforms at the same time and seemingly always looking for more.
These free attacks can add up quickly. GitHub, for example, offers 2,000 free GitHub Action minutes per month. For PurpleUrchin that adds up to about 33 hours of free run time per account.
Of course, There Ain’t No Such Thing as a Free Lunch (TANSTAAFL). In this case, it’s the providers paying the cost. Sysdig TRT estimates that every “free” PurpleUrchin GitHub account costs GitHub $15 per month. Free tier accounts from the other service providers are estimated to cost providers from $7 to $10 per month. Left unchecked, beleaguered providers may end up increasing prices for their legitimate customers to make up for the PurpleUrchin costs.
At first glance, the people behind PurpleUrchin seem to be in it just for the cash from crypto mining. But, oddly enough, PurpleUrchin’s owners, for now at least, are mining low-profit cryptocurrencies. Sysdig believes that this may be “a low-risk, low-reward test” before PurpleUrchin’s controllers move to higher-valued coins such as Bitcoin or Monero.
Bigger, Nastier
Beyond that, however, Sysdig worries that PurpleUrchin has bigger, nastier things in mind. The researchers fear the operators are going after cryptocurrency’s validation mechanisms themselves: the blockchains’ proof-of-work algorithms are vulnerable to the 51% attack.
A 51% attack can work because, typically, when a miner finds a correct hashing combination, the newly mined block is added to the blockchain and approved by the crypto network. This approval happens when the network reaches a consensus that a block is legitimate. If, however, 51% of the network’s hashing power is under your control, you can sabotage the network’s immutability. That done, the PurpleUrchin controllers could validate arbitrary transactions associated with any of their attacker-controlled cryptocurrency wallets. Besides being able to “forge” coins, they could steal millions of dollars worth of cryptocurrency from other miners, block other users’ transactions, or reverse them and spend the same cryptocurrency again in a double-spending attack.
This isn’t just a theoretical vulnerability. In 2019, there was a successful 51% attack on the Ethereum Classic blockchain. While it would be difficult to pull off against Bitcoin, due to its sheer size, it’s comparatively easy to do with the smaller, lesser coins.
Is it any wonder that I, for one, have no trust whatsoever in cryptocurrency?
But wait! There’s more!
Sysdig also worries that this “large-scale operation could be a decoy for other nefarious activities.” In 2020, APT32 (Bismuth, OceanLotus) deployed crypto mining operations on victim networks to evade detection of their simultaneous cyberespionage campaign.
They may be on to something. PurpleUrchin has gone well beyond the normal run of crypto crooks. The sheer range and volume of its attacks suggest there might be a nation-state or major criminal organization behind it.
Sysdig concluded, “This is nothing we have seen before, and we intend to continue following this activity.” As should we all.