DEV Community

Crypto-mining attack in my GitHub actions through Pull Request

Tib on February 09, 2021

In summary, yesterday, I was attacked by a GitHub user who crafted a malicious GitHub action to start a crypto-mining program inside an action run...
Daniel Lo Nigro • Edited

I think that dns.google is not a nasty domain, but honestly I'm not sure and haven't much investigated this.

dns.google is Google's public DNS server. They're just using its HTTP API to do a DNS lookup for poolio.magratmail.xyz and get its IP address. Although, since their script installed curl via apt, I wonder why they didn't just install dnsutils and use nslookup or dig 🤔

Jon Bakies

It may be an easy way to avoid being stopped by a security tool watching outbound DNS traffic and flagging lookups to suspicious sites. .xyz is a suspicious TLD, and poolio.magratmail.xyz may get flagged. The HTTP request to dns.google is encrypted; you don't know what they're resolving by inspecting the wire.

Daniel Lo Nigro

That's a great point! I didn't even consider that. Pretty clever if that's the case.
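The two comments above describe the lookup mechanism (the dns.google JSON API) and why it matters to a defender (a DoH request hides the queried name from anyone watching port 53). The script below is an added example, not code from the post or from any of the commenters: it scans CI step output for DoH JSON lookups, reports the resolver and queried name, and decodes the `Answer` section of a dns.google `/resolve` response. The resolver list, the watched-TLD list and the sample log are assumptions constructed for the example; `198.51.100.23` is a documentation address, not a real resolution.

```python
import json
import re
from typing import Dict, List

# Public DNS-over-HTTPS resolvers with a JSON lookup API. dns.google is the one
# seen in the thread; the other two are assumed here as further common endpoints.
DOH_HOSTS = ("dns.google", "cloudflare-dns.com", "dns.quad9.net")

# Top-level domains to call out in findings (assumed list; .xyz is the one the thread mentions).
WATCH_TLDS = (".xyz",)

# A DoH JSON query looks like https://dns.google/resolve?name=<host>&type=A
_DOH_QUERY = re.compile(
    r"https?://(?P<resolver>%s)/[^\s\"']*?[?&]name=(?P<name>[A-Za-z0-9.\-]+)"
    % "|".join(re.escape(h) for h in DOH_HOSTS)
)


def find_doh_lookups(log_text: str) -> List[Dict[str, object]]:
    """Scan CI step output for DoH lookups and return one finding per hit."""
    findings: List[Dict[str, object]] = []
    for lineno, line in enumerate(log_text.splitlines(), 1):
        m = _DOH_QUERY.search(line)
        if not m:
            continue
        name = m.group("name").rstrip(".")
        findings.append({
            "line": lineno,
            "resolver": m.group("resolver"),
            "name": name,
            # str.endswith accepts a tuple of suffixes
            "watch_tld": name.lower().endswith(WATCH_TLDS),
        })
    return findings


def parse_doh_answer(body: str) -> List[str]:
    """Return the A-record addresses from a dns.google /resolve JSON response (type 1 == A)."""
    doc = json.loads(body)
    return [rr["data"] for rr in doc.get("Answer", []) if rr.get("type") == 1]


# Constructed sample step log (not a real capture); 198.51.100.23 is a documentation address.
SAMPLE_LOG = """\
Run sudo apt-get install -y curl
Setting up curl ...
+ curl -s 'https://dns.google/resolve?name=poolio.magratmail.xyz&type=A'
{"Status":0,"Answer":[{"name":"poolio.magratmail.xyz.","type":1,"TTL":60,"data":"198.51.100.23"}]}
+ ./run.sh
"""

# The JSON line of SAMPLE_LOG, reused to show how the answer is decoded.
SAMPLE_RESPONSE = next(line for line in SAMPLE_LOG.splitlines() if line.startswith("{"))

if __name__ == "__main__":
    for f in find_doh_lookups(SAMPLE_LOG):
        print(f"line {f['line']}: {f['resolver']} lookup of {f['name']} (watch TLD: {f['watch_tld']})")
    print("resolved to:", parse_doh_answer(SAMPLE_RESPONSE))
```

Because the query name travels inside TLS, the step log (or an egress proxy that terminates TLS) is where a defender can still see it; the regex only needs the URL, so the same scan works on any log that records the commands a job ran.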

Michael Schierl

What strikes me in your screenshot: in GitHub's free plan, there is a limit of 20 concurrent jobs per starting user. Your screenshot shows that the PR started exactly 20 jobs.

I always thought that for a pull request, the user who submitted the pull request counts as the starting user, not the user whose repo is receiving the pull request? So there would not be any incentive to create a pull request instead of running the actions in their own fork.

Or are you using some custom runners, not the ones provided by GitHub?

Tib

No, I'm not running custom runners.

This is a very good remark...

Do you want to try? Parallel runners

Michael Schierl

Yes, I wanted to try, and the results surprised me. Opened a discussion at github.community/t/whose-concurren...

eLabFTW

Can you explain the relationship with your wife on the phone and you couldn't access your computer? Are you still living in 1998 and can't have internet AND the phone at the same time? :D

(if yes look out for The Matrix, a cool movie that will come out next year!)

Tib

Ahah, you don't get the logic 😁: because of the call I had to pause the series, because we are watching it together. Anyway, I edited the post to make it clearer 😜

I pray for next year to be 1998 😃 since a must-have album from the French rap band IAM was just released; it is also the year the French football team won its first World Cup and, as you mentioned, The Matrix was about to be released 👍

(but afterwards get me back to 2021 please)

eLabFTW

Ah yeah, clearly the best rap album of all time ;)

Harshit Gupta

One of my repos got attacked yesterday. I am glad that I turned off my EC2 runner the night before. The not-being-able-to-sleep part is a real deal. I disabled all my actions on all my public repos until this gets resolved. Even though it impacts GitHub's infra and not the users or their code, I love GitHub's services and community. I was looking for a way to restrict workflow changes (did not find anything yet).
I really enjoyed reading your post. 😀

weisk

Dude, I love your poor man's Qubes OS :D

Dima Golub • Edited

One of the more significant trends is described as a crypto-mining attack, where someone submits a PR infected with code to mine in GitHub Actions. CI/CD-based crypto-mining attack: this is the type of attack where malicious actors take advantage of repositories' CI/CD workflows to execute illicit cryptocurrency mining scripts that use the project's resources for illegal mining. One may submit a pull request and, using the GitHub Actions workflow that automatically runs for every PR, add crypto-mining code into it. It drains resources and, on the same note, is a security risk as well.
waterfall.network/individuals#stat... To help mitigate these attacks, repository owners can require stricter permissions, review workflow files carefully before use, or consider using tools like secret scanning and dependency review. For further information and cyber-attack stats, please visit this site. With the threat landscape becoming more complex, staying prepared and making use of advanced security solutions is essential to stay safe.
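The mitigations named above (stricter permissions, reviewing workflow files before use) and Harshit's wish for a way to restrict workflow changes can be turned into a repeatable check. The script below is an added example, not code from the post or from any commenter or from GitHub: it audits a workflow that has already been loaded into a dict (for instance with `yaml.safe_load`, which is assumed and not imported here) for a missing or over-broad top-level `permissions` block, for `uses:` references not pinned to a full commit SHA, and for a `pull_request_target` workflow that checks out the pull request's head. The sample workflows are constructed, and the 40-zero SHA is a placeholder for a real pinned commit.

```python
import re
from typing import Any, Dict, List

# A full 40-hex-digit commit SHA; tags and branches are mutable references.
_SHA_RE = re.compile(r"[0-9a-f]{40}")


def _events(wf: Dict[str, Any]) -> set:
    """Normalise the workflow's triggers to a set of event names.

    PyYAML (YAML 1.1) parses the unquoted key `on:` as the boolean True,
    so both spellings of the key are accepted here.
    """
    on = wf.get("on", wf.get(True, {}))
    if isinstance(on, str):
        return {on}
    if isinstance(on, list):
        return set(on)
    return set(on.keys())


def audit_workflow(wf: Dict[str, Any]) -> List[str]:
    """Return a list of human-readable findings for one parsed workflow."""
    findings: List[str] = []
    events = _events(wf)

    perms = wf.get("permissions")
    if perms is None:
        findings.append("no top-level 'permissions': GITHUB_TOKEN gets the repository default scope")
    elif perms == "write-all" or (isinstance(perms, dict) and "write" in perms.values()):
        findings.append("top-level 'permissions' grants write access; confirm the job needs it")

    for job_name, job in wf.get("jobs", {}).items():
        for idx, step in enumerate(job.get("steps", [])):
            uses = step.get("uses", "")
            if not uses:
                continue  # a plain `run:` step
            ref = uses.rsplit("@", 1)[1] if "@" in uses else ""
            if not _SHA_RE.fullmatch(ref):
                findings.append(f"job '{job_name}' step {idx}: '{uses}' is not pinned to a commit SHA")
            checkout_ref = str(step.get("with", {}).get("ref", ""))
            # pull_request_target runs with the base repository's secrets, so checking out
            # the PR head there runs untrusted code with those secrets available.
            if ("pull_request_target" in events and uses.startswith("actions/checkout")
                    and "pull_request.head" in checkout_ref):
                findings.append(f"job '{job_name}' step {idx}: pull_request_target checks out the PR head ref")
    return findings


PLACEHOLDER_SHA = "0" * 40  # placeholder; a real workflow pins the actual commit of the action

# Constructed samples (not from the post), shaped as yaml.safe_load() would return them.
WEAK_WORKFLOW = {
    "name": "ci",
    True: ["pull_request"],  # PyYAML's rendering of `on: [pull_request]`
    "jobs": {"build": {"runs-on": "ubuntu-latest",
                       "steps": [{"uses": "actions/checkout@v2"}, {"run": "./build.sh"}]}},
}

HARDENED_WORKFLOW = {
    "name": "ci",
    "on": ["pull_request"],
    "permissions": {"contents": "read"},
    "jobs": {"build": {"runs-on": "ubuntu-latest",
                       "steps": [{"uses": f"actions/checkout@{PLACEHOLDER_SHA}"}, {"run": "./build.sh"}]}},
}

PRT_WORKFLOW = {
    "on": {"pull_request_target": {}},
    "permissions": "read-all",
    "jobs": {"test": {"steps": [{"uses": f"actions/checkout@{PLACEHOLDER_SHA}",
                                 "with": {"ref": "${{ github.event.pull_request.head.sha }}"}}]}},
}

if __name__ == "__main__":
    for label, wf in (("weak", WEAK_WORKFLOW), ("hardened", HARDENED_WORKFLOW), ("prt", PRT_WORKFLOW)):
        print(label, audit_workflow(wf) or ["ok"])
```

Run it over every file under `.github/workflows/` in a pre-merge check and the review of workflow changes becomes a diff of findings rather than a manual read; the `pull_request` event from a fork already gets a read-only token, so the explicit `permissions` block mainly protects the cases where that default does not apply.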

Eisaboumer

idk if this will help, but "y4ndex" in his nickname means Yandex, which is a Russian search engine. If he's a hater of it, maybe he's somewhere near that region.