A group of attackers is running a cryptomining operation that abuses the free or trial-based cloud computing resources offered by several service providers, including GitHub, Heroku, and Togglebox. The operation is highly automated, built on CI/CD processes, and involves the creation of tens of thousands of fake accounts and the use of stolen or fake credit cards to activate time-limited trials.
Researchers from Palo Alto Networks’ Unit 42 have dubbed the group Automated Libra and believe it is based in South Africa. At the peak of the campaign, dubbed PurpleUrchin, in November, the group was registering between three and five GitHub accounts every minute using automated CAPTCHA-defeating processes, with the intention of abusing GitHub Actions workflows for mining.