Freejacking Campaign By PurpleUrchin Bypasses Captchas

The South African threat actors known as "Automated Libra" have been improving their techniques to exploit cloud platform resources for cryptocurrency mining.

According to Palo Alto Networks Unit 42, the threat actors have used a new Captcha-solving system, alongside more aggressive use of CPU resources for mining and a combination of "freejacking" with the "Play and Run" technique.

From a technical standpoint, freejacking is generally understood as the process of using free (or limited-time) cloud resources to perform cryptomining operations.

"While freejacking may, on its surface, seem like a victimless crime, these patterns of abuse could have serious downstream consequences if they start to target paid enterprises who rely on cloud infrastructure for operations, data storage, and more," explained Dig Security CEO Dan Benjamin.

As for Automated Libra, the group was first exposed by analysts at Sysdig in October 2022, who named the malicious cluster of activity "PurpleUrchin" and associated the group with freejacking operations.

Now, Palo Alto Networks researchers have said they collected more than 250 GB of container data from the PurpleUrchin operation and discovered that the hackers behind it were creating three to five GitHub accounts every minute during the peak of their operations in November 2022.

"We also found that some of the automated account creation cases bypassed Captcha images using simple image analysis techniques," reads the Unit 42 advisory.

"We also identified the creation of more than 130,000 user accounts created on various cloud platform services like Heroku, Togglebox and GitHub."

Further, the team found evidence of unpaid balances on some of these cloud service platforms from several created accounts, hinting that the actors created fake accounts with stolen or counterfeit credit cards.

"With this finding, we assess that the actors behind PurpleUrchin operations stole cloud resources from several cloud service platforms through a tactic Unit 42 researchers call 'Play and Run,'" Unit 42 wrote.

"This tactic involves malicious actors using cloud resources and refusing to pay for those resources once the bill arrives."

According to Davis McCarthy, a principal security researcher at Valtix, between bypassing security controls like Captchas or using stolen credit cards to foot the bill, this operation showcases the depth of the threat landscape.

"Organizations should operationalize this intelligence to determine if this type of attack can impact them – cyber-criminals won't stop their attempts to monetize underpinning compute and storage resources that make up most cloud services," McCarthy told Infosecurity.

The Palo Alto Networks advisory comes a few months after Netskope's Threat Labs Report suggested that Microsoft OneDrive was the most exploited cloud app for delivering malicious content in 2022.