GitHub’s electricity bill likely skyrocketed in recent months. The code-hosting company, owned by Microsoft, is investigating a series of attacks against its cloud infrastructure that allowed cybercriminals to hack into its servers and use them for crypto-mining operations, a report by The Record explains.
The attacks, which were carried out by abusing a GitHub automated task and workflow feature called GitHub Actions, have been occurring since the fall of 2020.
GitHub security engineer Justin Perdok told The Record that at least one person is targeting GitHub repositories in which GitHub Actions might be enabled.
The attacker adds malicious GitHub Actions to the original code before filing a ‘Pull Request’ with the original repository. This merges the malicious code back into the original.
As Perdok explains, the original project owner doesn’t even need to approve the malicious Pull Request for the attack to work. Simply filing the Pull Request is enough.
Though GitHub says is are investigating the problem, it appears that it is a difficult issue to resolve — the company is actively deactivating malicious accounts, though new ones are easily activated by users intending to abuse the firm’s servers.
Virtual crypto-mining machines created with malicious code
Attackers specifically target GitHub project owners with automated workflows that test incoming pull requests via automated jobs, Perdok explained.
Once a malicious Pull Request is filed, GitHub’s systems read the attacker’s code and program a virtual machine that downloads and runs cryptocurrency mining software on GitHub’s infrastructure.
Perdok told The Record that he has seen attackers spin up to 100 crypto-miners throughout the course of only one attack. Unsurprisingly, as crypto mining consumes more electricity globally than entire countries, this creates enormous computational loads for GitHub’s infrastructure.
Perdok explained that he identified at least one account creating hundreds of malicious Pull Requests and the attacks appear to have been happening since at least November 2020, when it was reported by a French software engineer.
So far, the attacks have not been damaging users’ projects in any way, and instead are focused on illicitly utilizing GitHub’s infrastructure for crypto mining.