Developers Beware: New Campaign Targets Resources for Cryptocurrency Mining
Security researchers are sounding the alarm on a renewed effort to exploit developer resources for cryptocurrency mining. According to a team from Aqua Security, attackers recently established 92 malicious Docker Hub registries and 92 Bitbucket repositories over the course of just four days to carry out their nefarious activities.
How the Attack Works
Lead data analyst at Aqua Security, Assaf Morag, explained that the attackers create a continuous integration process that triggers multiple auto-build processes every hour. During each build, a Monero cryptominer is executed, allowing the attackers to mine cryptocurrency using the hijacked resources.
The attackers begin by registering multiple fake email accounts through a Russian provider. They then create a Bitbucket account with several repositories, using official documentation to make them appear legitimate. Similarly, they set up a Docker Hub account with multiple linked registries.
Once the images are built on Docker Hub/Bitbucket environments, the attackers exploit these resources for illegal cryptocurrency mining.
Protecting Developer Environments
According to Morag, developer environments are increasingly becoming prime targets for cyber-criminals due to a lack of security oversight. He emphasized the importance of implementing strict access controls, authentication measures, least-privilege enforcement, continuous monitoring, and restrictions on outbound network connections to prevent data theft and resource abuse.
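The pattern described above (an account creating a burst of new repositories and then triggering auto-builds on a fixed hourly cadence) is something a platform operator or a team reviewing its own CI audit logs can look for as part of the continuous monitoring Morag recommends. The following is an added example, not Aqua Security's tooling or any provider's API; the event tuple format, the account names and the thresholds are constructed for illustration.

```python
from collections import defaultdict
from datetime import datetime, timedelta

def repo_burst(times, limit, window):
    """True if more than `limit` repos were created inside any span of `window`."""
    times = sorted(times)
    return any(times[i + limit] - times[i] <= window for i in range(len(times) - limit))

def periodic_builds(times, period, tolerance, min_builds):
    """True if at least `min_builds` builds recur at a fixed period (scheduled auto-builds)."""
    gaps = [b - a for a, b in zip(sorted(times), sorted(times)[1:])]
    hits = sum(abs(g - period) <= tolerance for g in gaps)
    return len(times) >= min_builds and hits >= 0.8 * len(gaps)

def flag_accounts(events, repo_limit=10, window=timedelta(days=4), period=timedelta(hours=1),
                  tolerance=timedelta(minutes=5), min_builds=6):
    """events: (account, repo, kind, iso_ts) tuples; returns {account: [reasons]}."""
    created, builds = defaultdict(list), defaultdict(lambda: defaultdict(list))
    for account, repo, kind, ts in events:
        t = datetime.fromisoformat(ts)
        if kind == "repo_created":
            created[account].append(t)
        elif kind == "build":
            builds[account][repo].append(t)
    findings = {}
    for account in set(created) | set(builds):
        reasons = []
        if repo_burst(created[account], repo_limit, window):
            reasons.append("repo creation burst")
        periodic = [r for r, ts in builds[account].items()
                    if periodic_builds(ts, period, tolerance, min_builds)]
        if periodic:
            reasons.append(f"periodic builds in {len(periodic)} repos")
        if reasons:
            findings[account] = reasons
    return findings

def sample_events():
    """Constructed data: one ordinary developer plus one hypothetical build farm."""
    t0 = datetime(2023, 4, 1, 9, 0)
    def at(h): return (t0 + timedelta(hours=h)).isoformat()
    ev = [("dev-alice", "webapp", "repo_created", at(0)),
          ("dev-alice", "webapp", "build", at(3)), ("dev-alice", "webapp", "build", at(31))]
    for i in range(12):  # farm: 12 repos in 12 hours, each rebuilt hourly 8 times
        ev.append(("farm-01", f"r{i}", "repo_created", at(i)))
        ev += [("farm-01", f"r{i}", "build", at(i + k)) for k in range(1, 9)]
    return ev
```

Running `flag_accounts(sample_events())` flags only the farm account on both heuristics; the thresholds are deliberately loose and would need tuning against a real account population before use.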
This discovery comes on the heels of a similar campaign that Aqua Security identified a few months ago. In that instance, the attackers targeted the automated build processes of Docker Hub and GitHub. Fortunately, the affected services were notified and able to block the attack.
Securing Build Systems in the Cloud
Principal security strategist at Synopsys, Tim Mackey, underscored the importance of securing build systems to ensure they only process requests related to legitimate projects. Moving build systems and processes to cloud-based platforms introduces additional risk, as the security profile now extends to the capabilities of the cloud provider.
While major public providers like GitHub and Docker have protections in place to mitigate client risk, this recent campaign shows they are not immune to attacks. Vigilance and robust security measures are essential to safeguard against such threats.
Developers and organizations are urged to remain vigilant and proactive in securing their cloud-native environments to prevent exploitation by malicious actors seeking to profit from illicit cryptocurrency mining.