"Attackers Create 130K Fake Accounts to Abuse Limited-Time Cloud Computing Resources"

An attacker group is conducting a malicious cryptocurrency mining operation using the free or trial-based cloud computing resources and platforms provided by GitHub, Heroku, and Togglebox. The operation involves the creation of tens of thousands of fake accounts and the use of stolen or fake payment cards to activate time-limited trials. It is a highly automated operation that uses Continuous Integration and Continuous Delivery (CI/CD) processes. Unit 42 of Palo Alto Networks has named the group Automated Libra, which is suspected to be based in South Africa. At the height of the campaign, dubbed PurpleUrchin, in November, the group registered between three and five GitHub accounts per minute, using automated CAPTCHA-defeating methods, in order to misuse GitHub Actions workflows for mining. PurpleUrchin has been in operation since 2019, and although it often abuses Virtual Private Server (VPS) providers that supply fully virtualized servers, the group behind it has expanded its operations to target cloud application hosting platforms. Heroku offers a cloud application hosting platform that supports several programming languages, whereas Togglebox provides both VPS and application hosting. This article continues to discuss Automated Libra's PurpleUrchin campaign using fake accounts for cryptocurrency mining operations.

CSO Online reports "Attackers Create 130K Fake Accounts to Abuse Limited-Time Cloud Computing Resources"

Submitted by Anonymous on