Cyber gang abused free trials to exploit public cloud CPU resources

A South Africa-based threat actor known as Automated Libra has been observed adopting increasingly sophisticated techniques to conduct a widespread freejacking campaign against various public cloud services.

Freejacking is the act of using free or time-limited access to public cloud resources – such as introductory trial offers – to perform illicit cryptomining.

The campaign was initially dubbed PurpleUrchin by researchers at cloud and container security specialist Sysdig, which uncovered it last year while analysing some publicly shared containers and suspicious activity emanating from a Docker hub account.

At the time, Sysdig told Computer Weekly’s sister site SearchSecurity that its research team had not been able to establish how long the campaign had been running. However, Palo Alto Networks’ Unit 42 team has since analysed over 250GB of data, including container data and system access logs, and hundreds of indicators of compromise, and is now able to shed more light on the campaign and those behind it.

Unit 42 said PurpleUrchin – which reached a peak of activity in November 2022 – was set up as long ago as 2019 and had previously been highly active during the second half of 2021.

In the campaign, the Automated Libra gang stole compute resource from several service platforms using “play-and-run” tactics – akin to a so-called “dine-and-dash” in a restaurant – where they exploited the on-offer resources until they ran out, and then did not pay their bills, which in some cases were close to $200 per account.

Unit 42 found that Automated Libra was able to create and use more than 130,000 fake accounts on limited use platforms such as GitHub, Heroku and Togglebox using stolen or fake credit cards, and deployed an architecture that used standard DevOps continuous integration and delivery (CI/CD) techniques to automate the business of standing up these accounts and running them to perform cryptomining activities on a massive scale.

Among other things, they became able to bypass or resolve CAPTCHAs designed to weed out fake accounts, increase the number of accounts created – three to five per minute on GitHub at one point – and use as much CPU time as possible before the unwitting victims noticed.

“Automated Libra designs their infrastructure to make the most use out of CD/CI tools. This is getting easier to achieve over time, as the traditional VSPs [virtual service providers] are diversifying their service portfolios to include cloud-related services,” said Unit 42 researchers William Gamanzo and Nathaniel Quist.

“The availability of these cloud-related services makes it easier for threat actors because they don’t have to maintain infrastructure to deploy their applications. In the majority of cases, all they need to do is to deploy a container.”

Indeed, using CI/CD techniques may have been something of a masterstroke for the freejackers, as by creating highly modular operational environments they could allow components of their operation to fail, be updated, or be terminated and replaced, without affecting their larger environment.

Gamanzo and Quist said they identified over 40 individual cryptowallets and seven cryptocurrencies or tokens used in the operation. Additionally, the containerised components were used to automate the process of trading the freshly mined cryptocurrency across multiple trading platforms.

According to the Sysdig research, the gang may have stayed under the radar for some time because they weren’t really affecting any legitimate users or compromising any genuine accounts.

However, their actions could ultimately rebound on genuine users if service providers tighten the rules on free or trial service tiers, or increase their subscription fees. Sysdig reckons that every free GitHub account costs GitHub $15 per month, so the cost to the cloud providers would likely be significant given Automated Libra has been able to scale its operation so well.