Owners of public GitHub projects have been noticing weird stuff recently: Random users are forking repos, then pull-requesting a change that includes an obfuscated GitHub Action.
Attackers force the free service to run a cryptocurrency miner by pretending it’s part of the project’s CI/CD pipeline. Crucially, the malicious GitHub Action runs before the project owner decides whether to approve the PR (yes, you read that right).
So there isn’t much an owner can do—other than disable the GitHub Actions feature. In this week’s Security Blogwatch, we watch GitHub play Whac-A-Mole.
Your humble blogwatcher curated these bloggy bits for your entertainment. Not to mention: Polka Dot +ve.
“This is why we can’t have nice things.”
What’s the craic? Catalin Cimpanu reports—GitHub investigating crypto-mining campaign abusing its server infrastructure:
GitHub is actively investigating a series of attacks … that allowed cybercriminals to implant and abuse the company’s servers for illicit crypto-mining operations, [said] a spokesperson. … The attacks have been going on since the fall of 2020 and have abused [the] GitHub Actions … feature.
The attack involves forking a legitimate repository, adding malicious GitHub Actions to the original code, and then filing a Pull Request with the original repository. … Just filing the pull request is enough: … The attack doesn’t rely on the original project owner approving [it. Then] GitHub’s systems will read the attacker’s code and spin up a virtual machine that downloads and runs cryptocurrency-mining software … creating huge computational loads for GitHub’s infrastructure.
Sounds dodgy. Careful with that Ax Sharma—GitHub Actions being actively abused:
GitHub Actions is a CI/CD solution that makes it easy to setup periodic tasks for automating your software workflows. … Merely filing the pull request by the malicious attacker is enough to trigger the attack.
The automated code invoked by the malicious Pull Request instructs the GitHub server to download a crypto miner hosted on GitLab which is mislabeled npm.exe [and] has nothing to do with the official NodeJS installers or Node Package Manager (npm). … In tests, [it] connected to the turtlecoin.herominers.com cryptocurrency pool and began its coin-mining activities.
GitHub whatnow? Bill Doerrfeld offers An overview:
GitHub has, for some time, been an innovator in software collaboration and communication styles. That’s especially true with new event-driven scenarios.
GitHub Actions is a new offering that allows developers to program reactions throughout the GitHub platform. Written in YAML, these reusable pieces of code can trigger new actions based on events, such as creating a new repository, merging a pull request, or testing a build.
GitHub Actions is a community-powered platform. Many of the Actions and Workflows are built by community developers.
Actions is free. … Workflows can have up to 100 actions and run for up to 58 minutes, [but] GitHub puts no limit on the number of Workflows or Actions blocks that can be threaded together.
Aye, there’s the rub. So MachineShedFred said:
Allowing users to execute arbitrary code without usage-based pricing seems like a poor business decision. Hard to think that someone couldn’t have forseen the idea of implementing a “code test” which resembles a crypto miner in a branch of a repo that uses GitHub Actions, and then submit a PR in order to let the CI pipeline run it.
Use the source, Luke. GitHub CEO Nat Friedman defends himself:
This is a cat and mouse game. We add code to detect and disable abuse … and then the abusers come up with a new way of circumventing that detection. … We have to stay on top of this all the time. So the miners are not just stealing CPU time, they are also stealing engineer time … time that would be spent improving Actions in other ways.
Without mitigations the miners will consume all available CPU. [But] there are legitimate reasons to run CI and tests for outside contributions without taxing maintainers with the cognitive load of having to evaluate whether each contribution is CI-worthy.
All providers of free compute are experiencing some level of mining attack right now. … The attack vector in the article is not the main way miners try to steal CPU from the GitHub community.
But it turns out this isn’t the first that GitHub is hearing of the problem. Thibault Duponchelle reported it two months ago:
In summary, yesterday, I was attacked by a github user that crafted a malicious github action to start a crypto-mining program inside an action run. He triggered it in my GitHub Actions thanks to a ****ty pull request.
The name of the guy is y4ndexhater1 which is really an hacker’s nick. … But my mom learned me to never judge people by their appearance so I continued to investigate (but the game was already over).
The pull request had triggered actions multiple times [and] each action seemed to start multiple sub-jobs. … While it took me maybe 7 minutes to stop all the jobs and close the pull request, in the 5 minutes that followed, the pull request itself and the user y4ndexhater1 totally disappeared.
GitHub support informed me later that the profile and pull request disappearing was triggered by them flagging this user for suspicious activity. … To sleep peacefully, I disabled the github actions on this repository.
As did Assaf Morag, seven months ago (and not only on GitHub):
[We] detected an impressive campaign that set out to hijack resources to enable cryptocurrency mining. This operation focused on several SaaS software development environments, including Docker Hub, GitHub, Travis CI, and Circle CI, by abusing their automated build processes.
[The] campaign consisted of 11 GitHub users who created 51 GitHub projects that were masquerading as popular software projects … (openssh, openvpn, seahorse, nautilus, zookeeper etc.) [and] similarly created 56 Docker Hub accounts—also using the names of popular software. All of this happened over the course of only a few hours. During the build process, these container images proceeded to download a cryptominer from a single GitHub repository.
Since these projects and container images were created, they each have committed thousands of code changes. Each commit is executing a build process by all of the above-mentioned services, and on each build, a cryptominer is executed. For three days, this campaign amassed over 23.3K commits in GitHub and 5.8K builds in Docker Hub, translating into ~30K Monero mining sessions.
This attack represents yet another example of the evolving creativity of adversaries. They are persistent in their pursuit of abusable cloud compute resources wherever they can get them. This is also a reminder that developer environments in the cloud are just as susceptible to attack as production.
Ah, the tragedy of the commons. Ecuador ponders a potential Nash equilibrium:
[This] is why we can’t have nice things. … Github is nice in that it gives you 2000 minutes/month of “actions” runtimes … even for free accounts for public repos. That’s been great for open source development.
Hopefully GitHub will figure out a way to stop the abuse without blocking this very useful service they are providing.
And it’s not just dev services. Here’s williamstein:
As somebody who has been creating or supporting websites for mathematicians for two decades that support running arbitrary code (e.g., Pari/Magma calculator, Sage notebook … CoCalc), this is very much the case. In fact … Sage Cell server … finally had to be locked down much more in the last few days due to abuse by cryptominers.
Meanwhile, bustinbrains thinks about the tyranny of the default:
Whenever GitHub releases new features and clutters the UI with yet more tabs of things I don’t/won’t use, I have to go through all of my repos and turn that feature OFF. … If you don’t need/use Actions, turn them off. But new features should be turned off by default.
The moral of the story?
How could your service be misused by cryptominers? Time to red-team this puppy.
You have been reading Security Blogwatch by Richi Jennings. Richi curates the best bloggy bits, finest forums, and weirdest websites … so you don’t have to. Hate mail may be directed to @RiCHi or firstname.lastname@example.org. Ask your doctor before reading. Your mileage may vary. E&OE. 30.