Threat actors hijacking Bitbucket and Docker Hub for Monero mining

According to researchers, these developer resources were also targeted last year for Monero mining but now “the campaign has resurfaced with vengeance.”




 

In September 2020, Aqua Security’s Team Nautilus discovered a campaign that targeted GitHub and Docker Hub automated build processes for cryptocurrency mining. At the time, the company notified the services, and the attack was blocked.

According to Aqua’s latest report, the same campaign has resurfaced, and this time it is a lot more intense. Using Aqua Dynamic Threat Analysis (DTA), the researchers found that within just four days the attackers had set up around 92 malicious Bitbucket repositories and 92 malicious Docker Hub registries. Their purpose is to perform cryptocurrency mining using these resources.

Unique Integration Process 

According to Aqua Security’s lead data analyst Assaf Morag, the threat actors have created a continuous integration process. This is a unique process as it initiates multiple auto-build processes every hour. On each build, they execute a Monero crypto miner.

Straightforward Kill Chain

In this crypto mining campaign, threat actors have used a straightforward kill chain. First, the attackers register multiple fake email IDs via a Russian provider. They then set up a Bitbucket account with numerous repositories, using official documents to make them appear legit.




 

A similar method is used with Docker Hub as threat actors are creating accounts with various linked registries. They build images on Bitbucket/Docker Hub environments and hijack their resources to illegally mine for Monero.

How to Stay Secure?

The campaign proves that cloud-native environments are the current favorite target of cybercriminals.

“Bad actors are constantly evolving their techniques to hijack and exploit cloud compute resources for cryptocurrency mining,” Morag explained in a blog post.

Aqua Security recommends strict access controls, minimal privilege enforcement, and fool-proof authentication measures in these environments.

“Also continuous monitoring and restrictions on outbound network connections to prevent both data theft and resource abuse” is crucial, researchers noted.
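As an added illustration of the monitoring and egress restrictions recommended above (not code from Aqua Security or from this article), the sketch below flags accounts that start several builds per hour across multiple repositories, and builds that reach hosts outside an allowlist. The event fields, thresholds, host names and sample records are constructed assumptions, not a Bitbucket or Docker Hub log format.

```python
from collections import defaultdict
from datetime import datetime

# Constructed sample build events: (account, repository, build start, outbound hosts).
# Field layout and values are hypothetical, not a real Bitbucket/Docker Hub format.
EVENTS = [
    ("acct-a", "repo-1", "2021-01-10T10:02:00", ["registry.example.org"]),
    ("acct-a", "repo-2", "2021-01-10T10:14:00", ["pool.example.net"]),
    ("acct-a", "repo-3", "2021-01-10T10:31:00", ["pool.example.net"]),
    ("acct-a", "repo-1", "2021-01-10T10:47:00", ["pool.example.net"]),
    ("acct-a", "repo-2", "2021-01-10T11:05:00", ["pool.example.net"]),
    ("acct-b", "site",   "2021-01-10T10:20:00", ["registry.example.org"]),
    ("acct-b", "site",   "2021-01-11T16:40:00", ["registry.example.org"]),
]

# Hosts a build job is expected to reach (assumed egress policy).
EGRESS_ALLOWLIST = {"registry.example.org"}


def hourly_build_bursts(events, min_builds=3, min_repos=2):
    """Return {account: [hour, ...]} for hours in which an account started at
    least min_builds builds spread over at least min_repos repositories."""
    buckets = defaultdict(list)  # (account, hour) -> repositories built in that hour
    for account, repo, started, _hosts in events:
        hour = datetime.fromisoformat(started).replace(minute=0, second=0)
        buckets[(account, hour)].append(repo)
    flagged = defaultdict(list)
    for (account, hour), repos in sorted(buckets.items()):
        if len(repos) >= min_builds and len(set(repos)) >= min_repos:
            flagged[account].append(hour.isoformat())
    return dict(flagged)


def egress_violations(events, allowlist=EGRESS_ALLOWLIST):
    """Return sorted (account, repo, host) for each outbound host not on the allowlist."""
    return sorted({(account, repo, host)
                   for account, repo, _started, hosts in events
                   for host in hosts if host not in allowlist})


if __name__ == "__main__":
    print("burst accounts:", hourly_build_bursts(EVENTS))
    for violation in egress_violations(EVENTS):
        print("blocked egress:", violation)
```
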




 
