PurpleUrchin Cryptomining Campaign Detailed In New Report

Late yesterday I came across a report about the PurpleUrchin threat actor group. Here’s a quick synopsis about them:

The PurpleUrchin cryptomining campaign, first uncovered in October 2022, is characterized as a freejacking operation. While doing our own investigation of this threat actor, Unit 42 researchers found evidence that PurpleUrchin threat actors employed Play and Run tactics, using cloud resources and not paying the cloud platform vendor’s resource bill.

PurpleUrchin actors performed these Play and Run operations through the creation and use of fake accounts, with falsified or potentially stolen credit cards. These fake accounts held a pending unpaid balance. Although one of the largest unpaid balances we found was $190 USD, we suspect the unpaid balances in other fake accounts and cloud services used by the actors could have been much larger due to the scale and breadth of the mining operation.

The report goes into the details of their “play and run” scheme including the fact that:

  • Some of the automated account creation cases bypassed CAPTCHA images using simple image analysis techniques.
  • The threat actors created fake accounts with stolen or fake credit cards.
  • The creation of more than 130,000 user accounts on various cloud platform services like Heroku, Togglebox and GitHub was observed.

Crane Hassold, Director of Threat Intelligence at Abnormal Security had this to say:

“While the tactics described in the report rely on creating a large number of fake accounts and exploiting free trials, the same techniques could be used to leverage resources in an organization’s compromised cloud environment to accomplish the same goals. This is one of the reasons cloud credentials are so valuable in today’s underground cybercrime economy; they can be exploited in dozens of different ways.”

The report makes for some interesting reading and I would encourage you to read it, as I can see how this sort of attack could be used for purposes other than crypto mining. Organizations therefore need to have the means to defend against these sorts of attacks.
