Cyber gang abused free trials to exploit public cloud CPU resources

A South Africa-based threat actor known as Automated Libra has been observed adopting increasingly sophisticated techniques to conduct a widespread freejacking campaign against various public cloud services.

Freejacking is the act of using free or time-limited access to public cloud resources – such as introductory trial offers – to perform illicit cryptomining.

The campaign was initially dubbed PurpleUrchin by researchers at cloud and container security specialist Sysdig, which uncovered it last year while analysing some publicly shared containers and suspicious activity emanating from a Docker hub account.

At the time, Sysdig told Computer Weekly’s sister site SearchSecurity that its research team had not been able to establish how long the campaign had been running. However, Palo Alto Networks’ Unit 42 team has since analysed over 250GB of data, including container data and system access logs, and hundreds of indicators of compromise, and is now able to shed more light on the campaign and those behind it.

Unit 42 said PurpleUrchin – which reached a peak of activity in November 2022 – was set up as long ago as 2019 and had previously been highly active during the second half of 2021.

In the campaign, the Automated Libra gang stole compute resource from several service platforms using “play-and-run” tactics – akin to a so-called “dine-and-dash” in a restaurant – where they exploited the on-offer resources until they ran out, and then did not pay their bills, which in some cases were close to $200 per account.

Unit 42 found that Automated Libra was able to create and use more than 130,000 fake accounts on limited use platforms such as GitHub, Heroku and Togglebox using stolen or fake credit cards, and deployed an architecture that used standard DevOps continuous integration and delivery (CI/CD) techniques to automate the business of standing up these accounts and running them to perform cryptomining activities on a massive scale.

Among other things, they became able to bypass or resolve CAPTCHAs designed to weed out fake accounts, increase the number of accounts created – three to five per minute on GitHub at one point – and use as much CPU…