In recent months, some cybercriminal groups dedicated to cryptocurrency mining have chosen to stop hijacking unpatched servers, preferring to base their cryptojacking operations on malicious abuse of free tools from platforms like GitHub and GitLab.
Once their activity exceeds the free-tier limits of their user accounts, they abandon those accounts, create new ones and start over, overloading the servers of these platforms and degrading the performance experienced by legitimate users. And all of this at no cost to them.
Continuous integration services (such as the popular GitHub Actions), which automatically run unit tests on virtual machines to validate changes made to the code (and thus immediately identify any errors), have become one of their favorite targets.
The point is that these groups have discovered that it is possible to abuse this process to force the virtual machine in question to perform mining operations that translate into small gains for the attacker before its useful life expires.
As far as is known, the list of services that have been victims of this kind of abuse includes those provided by GitHub, GitLab, Microsoft Azure, TravisCI, LayerCI, CircleCI, Render, CloudBees CodeShip, Sourcehut and Okteto.
To look no further, this problem forced Microsoft Azure to tell its users in February that it was revoking open source projects' free access to its Pipelines service.
Now, fed up with constantly dealing with the performance issues caused by this and other classes of abusers of its infrastructure, the GitLab platform has opted this week to require a card number (credit or debit) from all new users of its 'shared runners'.
It is not that they are going to start charging for this service, far from it: the objective is to be able to verify the number (and, with it, the identity of the user) by authorizing a one-dollar transaction that will not be carried out:
"We will never fully resolve abuses against the platform, but the more barriers we put in place, the more difficult and costly it will be to engage in the abuse."
Some users point out that cybercriminals will not have much trouble buying other people's credit card data.
In fact, the CodeShip example shows that it will not be the definitive solution: one of its engineers recently reported that the problem was not only with the free accounts, because sometimes the abusers "pay small fees for our bills", much cheaper than going to AWS, "and they extract cryptocurrencies to their maximum capacity."
In any case, other smaller services cannot settle for adding one more obstacle for abusers of their infrastructure: both Sourcehut and TravisCI have already announced the closure of their free tiers as the only way to deal with this problem.
Via | The Register & The Record