The Libra Group deployed the PurpleUrchin cryptocurrency mining operation in October last year, using malicious accounts on Buddy[.]works, Heroku, and GitHub. Unfortunately, a recent cybersecurity study revealed that 250 gigabytes worth of data was related to the operation, implying that the campaign is more significant than initially thought.
Researchers attributed the campaign to the South African freejacking group and discovered it had exploited CI/CD service providers. Moreover, the group used these service providers to create new accounts on several platforms and launch cryptominers in containers.
Based on reports, containerised components were utilised by the threat actors for trading the mined crypto assets across several trading platforms, such as Crex24, Cratex, ExchangeMarket, and Luno.
The Libra Group now uses extended CPU time to maximise its operation.
According to investigations, the Libra Group utilised as much CPU run time as possible before letting their resources go. This method is new since other freejacking processes only use a small portion of these servers’ CPU power for their campaign.
In addition, the threat group has also leveraged a CAPTCHA bypass combined with the Play and Run strategy. Researchers explained that the Libra group has been upgrading its capabilities by mixing the Play and Run technique with the CAPTCHA bypass to abuse free cloud resources.
Furthermore, the group utilises a couple of tools from the ImageMagick kit to bypass or solve the CAPTCHA presented by GitHub during account creation. The tooling relies heavily on the Play and Run strategy, which uses fraudulent or stolen credit cards.
Cybersecurity experts claimed that the cloud platform vendors' resource bill could have been far larger given the scale of the mining campaign.
The Libra Group has established itself as a significant threat with the success and impact of its PurpleUrchin operation. The group could cause more damage than in its previous campaign, since it creates numerous user accounts on cloud platforms for its cryptomining operations.
Users should employ an effective multi-cloud security strategy to secure their public cloud footprint and avoid getting infected by the operation.