Cryptojacking, Freejacking Compromise Cloud Infrastructure

Cybercriminal groups are targeting misconfigured Docker and Kubernetes clusters — or just automating the sign-up process for free trial accounts — to build infrastructure for cryptomining.

4 Min Read
Image of cryptocurrency coins
Source: Klaus Ohlenschlaeger via Alamy Stock Photo

Cryptojacking is creeping back, with attackers using a variety of schemes to leech free processing power from cloud infrastructure to focus on mining cryptocurrencies such as Bitcoin and Monero.

Cryptominers are using the availability of free trials on some of the largest continuous integration and deployment (CI/CD) services to deploy code and create distributed mining platforms, according to Sysdig, a provider of security for cloud-native services. Attackers are also targeted misconfigured Kubernetes and Docker instances to gain access to the host systems and run cryptomining software, cybersecurity services firm CrowdStrike warned this week.

Both tactics are really just trying to cash in on the rise of digital currencies at someone else’s expense, says Manoj Ahuje, a senior threat researcher for cloud security at CrowdStrike.

"As long as the compromised workload is available, in essence, it is free compute — for a cryptominer, that’s a win in itself as his input cost becomes zero," he says. "And ... if an attacker can compromise a large number of such workloads effectively by crowdsourcing the compute for mining, it helps to reach the goal faster and mine more in the same amount of time."

Cryptomining efforts are increased over time, even as the value of cryptocurrencies have plunged in the past 11 months. Bitcoin, for example, is down 70% from its peak in November 2021, affecting many cryptocurrency-based services. However, the latest attacks show that cybercriminals are looking to pick off the lowest hanging fruit.

Compromising providers' cloud infrastructure may not appear to harm businesses, but the cost of such hacks will trickle down. Sysdig found that attacker typically only make $1 for every $53 of cost borne by the owners of the cloud infrastructure. Mining a single Monero coin using free trials on GitHub, for example, would cost that company more than $100,000 in lost revenue, Sysdig estimated.

Yet companies may not initially see the harm in cryptomining, says Crystal Morin, a threat researcher at Sysdig.

"They are not harming anyone directly, such as taking somebody's infrastructure or stealing data from businesses, but if they were to scale this up, or other groups took advantage of this type of operation — 'freejacking' — it could start financially hurt these providers and impact — on the back end — the users, with free trials going away or forcing legitimate users to pay more," she says.

Cryptominers Everywhere

The latest attack, which Sysdig dubbed PURPLEURCHIN, appears to be an effort to cobble together a cryptomining network from as many services as possible that offer free trials. Sysdig's researchers discovered that the latest cryptomining network utilized 30 GitHub accounts, 2,000 Heroku accounts, and 900 Buddy accounts. The cybercriminal group downloads a Docker container, runs a JavaScript program, and loads in a specific container.

The success of the attack is really driven by the cybercriminal group's efforts to automate as much as possible, says Michael Clark, director of threat research for Sysdig.

"They have really automated the activity of getting into new accounts," he says. "They use CAPTCHA bypasses, the visual ones and the audio versions. They create new domains, and host email servers on the infrastructure that they have built. It is all modular, so they spin up a bunch of containers on a virtual host."

GitHub, for example, offers 2,000 free GitHub Action minutes per month on its free tier, which could account for up to 33 hours of run time for every account, Sysdig stated in its analysis.


The cryptojacking campaign CrowdStrike discovered targets vulnerable Docker and Kubernetes infrastructure. Called the Kiss-a-Dog campaign, the cryptominers use multiple command-and-control (C2) servers for resiliency, using rootkits to avoid detection. It includes a variety of other capabilities, such as placing backdoors in any compromised containers and using other techniques to gain persistence.

The attack techniques resemble those of other groups investigated by CrowdStrike, including LemonDuck and Watchdog. But most of the tactics are similar to TeamTNT, which also targeted vulnerable and misconfigured Docker and Kubernetes infrastructure, CrowdStrike stated in its advisory.

While such attacks may not feel like a breach, companies should take seriously any signs that attackers have access to their cloud infrastructure, says CrowdStrike's Ahuje.

"When attackers run a cryptominer in your environment, this is a symptom that your first line of defense has failed," he says. "Cryptominers are leaving no stones unturned to exploit this attack surface to their advantage."

About the Author(s)

Robert Lemos, Contributing Writer

Veteran technology journalist of more than 20 years. Former research engineer. Written for more than two dozen publications, including CNET, Dark Reading, MIT's Technology Review, Popular Science, and Wired News. Five awards for journalism, including Best Deadline Journalism (Online) in 2003 for coverage of the Blaster worm. Crunches numbers on various trends using Python and R. Recent reports include analyses of the shortage in cybersecurity workers and annual vulnerability trends.

Keep up with the latest cybersecurity threats, newly discovered vulnerabilities, data breach information, and emerging trends. Delivered daily or weekly right to your email inbox.

You May Also Like

More Insights