Microsoft-owned GitHub is the new cyberattack victim, with reports of cybercriminals manipulating GitHub's cloud infrastructure to mine cryptocurrency. Code repository hosting service, Github has started an investigation into a series of attacks aimed at abusing its infrastructure to mine cryptocurrency illegally.
GitHub Actions is a continuous integration (CI) and continuous deployment (CD ) solution that makes it easy to automate all the software workflows and setup periodic tasks. The particular attack adds malicious GitHub Actions code to repositories forked from legitimate ones and further creates a Pull Request for the original repository maintainers to merge the code back, to alter the original code.
“In a phone call, Dutch security engineer Justin Perdok told The Record that at least one threat actor is targeting GitHub repositories where Actions might be enabled. The attack involves forking a legitimate repository, adding malicious GitHub Actions to the original code, and then filing a Pull Request with the original repository in order to merge the code back into the original.” reported The Record.
“But the attack doesn’t rely on the original project owner approving the malicious Pull Request. Just filing the Pull Request is enough for the attack, Perdok said.” This is particularly true for GitHub projects that have automated workflows setup to substantiate incoming Pull Requests via Actions. As soon as a Pull Request is created for the original project, GitHub's systems execute the attacker's code which instructs GitHub servers to retrieve and run a crypto miner.
This isn't the first time an attack leveraging GitHub infrastructure has abused GitHub Actions. An identical attack had previously been identified by another programmer, Yann Esposito, in which an attacker had filed a malicious Pull Request against Esposito's GitHub project.
Last year, BleepingComputer reported on GitHub being used to host a wormable botnet Gitpaste-12, which reappeared with over 30 exploits the following month. Unlike Gitpaste-12 or the Octopus Scanner malware, which targeted vulnerable projects and computers, this attack appears to be solely abusing on GitHub servers for crypto mining.
In an email, GitHub told The Record that they are “aware of this activity and are actively investigating”. For now, the attack does not appear to damage users’ projects in any way and seems to be solely focused on abusing GitHub infrastructure.