South African group Automated Libra defrauded cloud computing providers such as Microsoft and Salesforce of millions of dollars' worth of resources in a scheme to mine cryptocurrency.
According to cyber security firm Palo Alto Networks Unit 42, in a campaign dubbed 'PurpleUrchin', Automated Libra fraudulently used the resources of various cloud platforms to run crypto mining operations.
Cloud computing providers typically offer free resources to new accounts for a limited time, and this is what the group takes advantage of. It creates accounts and uses the free resources to mine cryptocurrency, which is usually a resource-intensive process.
“The threat actors use these limited-use cloud resources until the allotted time or dollar balance is reached, at which time, Automated Libra ceases using those resources. This often results in an outstanding balance due, which actors do not pay,” Unit 42 said in its report.
The group also creates premium accounts using falsified or stolen credit cards and consumes resources with no intention of paying the cloud providers' bill; Unit 42 found evidence of many such unpaid accounts.
“With this finding, we assess that the actors behind PurpleUrchin operations stole cloud resources from several cloud service platforms through a tactic Unit 42 researchers call ‘Play and Run.’ This tactic involves malicious actors using cloud resources and refusing to pay for those resources once the bill arrives.”
Some of the providers targeted include Heroku, a cloud hosting service owned by Salesforce, and GitHub, another hosting and collaboration platform owned by Microsoft. Other cloud services targeted include:
'PurpleUrchin' was first uncovered in October 2022, when it was disclosed in cyber security circles that the group had created as many as:
- 30 GitHub accounts
- 2,000 Heroku accounts, and
- 900 Buddy accounts
to scale its operation.
Unit 42 has also uncovered the use of more than 40 wallets and seven different cryptocurrencies.
At the height of its activity in November 2022, the cloud threat actor group created three to five GitHub accounts a minute, setting up over 130,000 bogus accounts in total across Heroku, Togglebox, and GitHub.
The group uses software and automation techniques to mass-create accounts on some of these platforms, while also taking advantage of weaknesses in anti-abuse controls such as CAPTCHA.