  • Hackers use CAPTCHA bypass to make 20K GitHub accounts


    South African hackers known as "Automated Libra" are refining their methods to make a profit by using cloud platform resources for cryptocurrency mining.

    According to Palo Alto Networks Unit 42, the attackers are using a new CAPTCHA solution system, using CPU resources more aggressively for mining, and mixing "freejacking" with "play and run" methods to abuse free cloud resources.

    "Automated Libra" was first discovered by Sysdig analysts in October 2022, who named the malware activity cluster "PurpleUrchin" and believed the group was engaged in hacking operations.

    Unit 42 delved deeper into this operation, analyzing more than 250 GB of collected data on the dark web and revealing much more information about the attacker's infrastructure, history, and methods.

    The attacker launches automated campaigns by abusing Continuous Integration and Deployment (CI/CD) service providers such as GitHub, Heroku, Buddy.works, and Togglebox to create new accounts on the platforms and launch cryptocurrency miners in containers. While Sysdig identified 3,200 malicious accounts belonging to "PurpleUrchin", Unit 42 now reports that the attacker has created and used more than 130,000 accounts on the platforms since August 2019, when the first signs of its activity can be traced.

    In addition, Unit 42 discovered that the attacker used container components not only for mining, but also for trading the mined cryptocurrency on various trading platforms, including ExchangeMarket, crex24, Luno and CRATEX.

    Sysdig noticed that the attackers were engaged in "freejacking", trying to use any available resources allocated to free accounts, in an attempt to make significant profits by expanding their activities. Unit 42 confirms that freejacking is an important aspect of PurpleUrchin's operations, but reports that the "Play and Run" strategy is also of great importance.

    “Play and run” is a term for attackers who use paid resources for profit, in this case cryptocurrency mining, and refuse to pay bills until their accounts are frozen. At this point, they give them up and move on.

    Typically, PurpleUrchin uses stolen PII and credit card details to create premium accounts on various VPS and CSP platforms so no one can trace them when they leave unpaid debts.

    “It appears that the actor also reserved full server or cloud instances, and sometimes they used CSP services such as AHP,” Unit 42’s report explains. "They did this to make it easier to host web servers that were needed to monitor and track their large-scale mining operations."

    In these cases, the attacker uses as much of the CPU as possible before losing access to it. This is in contrast to the tactics used in hacking campaigns where the miner uses only a tiny fraction of the server's CPU power.

    One notable technique used by Automated Libra is the CAPTCHA solving system, which helps them create multiple accounts on GitHub without requiring manual intervention. The attackers use ImageMagick's "convert" tool to convert CAPTCHA images to their RGB equivalents, and then use the "identify" tool to extract the red channel skewness for each image.

    The value returned by the "identify" tool is used to rank the images in ascending order. Finally, the automated tool uses a table to select the image that tops the list, which is usually the correct one.

    This system highlights Automated Libra's determination to achieve higher operational efficiency by increasing the number of accounts per minute they can create on GitHub.
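    Two of the behaviours described above give a CI/CD or cloud provider something concrete to alert on: a burst of account signups from one source in a short window (the "accounts per minute" the actor is optimizing for), and free-tier jobs that pin the CPU near 100% for their whole run instead of the small fraction an ordinary build uses. The script below is an added, defender-side illustration of both heuristics; it is not code from Unit 42, Sysdig or the actor, and every event, field name and threshold in it is a constructed assumption.

```python
"""Toy detection heuristics for the abuse pattern described in the article.

Signal 1: many new accounts created from one source inside a sliding window.
Signal 2: a job whose CPU utilisation stays near the ceiling for nearly every
          sample, which is what aggressive mining looks like versus a build.

All events below are constructed; the field layout is an assumption, not a
real provider's log schema.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed signup events: (ISO timestamp, source IP, account name).
SIGNUP_EVENTS = [
    ("2024-01-10T10:00:00", "198.51.100.7", "build-bot-0001"),
    ("2024-01-10T10:00:08", "198.51.100.7", "build-bot-0002"),
    ("2024-01-10T10:00:19", "198.51.100.7", "build-bot-0003"),
    ("2024-01-10T10:00:31", "198.51.100.7", "build-bot-0004"),
    ("2024-01-10T10:00:42", "198.51.100.7", "build-bot-0005"),
    ("2024-01-10T10:00:55", "198.51.100.7", "build-bot-0006"),
    ("2024-01-10T09:15:00", "203.0.113.9", "alice-dev"),      # two normal signups
    ("2024-01-10T13:40:00", "203.0.113.9", "alice-dev-2"),
    ("2024-01-10T11:00:00", "192.0.2.44", "team-a"),          # five signups, but
    ("2024-01-10T11:02:30", "192.0.2.44", "team-b"),          # spread over 10 min
    ("2024-01-10T11:05:00", "192.0.2.44", "team-c"),
    ("2024-01-10T11:07:30", "192.0.2.44", "team-d"),
    ("2024-01-10T11:10:00", "192.0.2.44", "team-e"),
]

# Constructed CPU samples per CI job, one reading every 30 s (percent).
CPU_SAMPLES = {
    "job-1001": [97, 99, 98, 100, 99, 98, 99, 100],   # pinned for the whole run
    "job-1002": [12, 35, 40, 8, 5, 22, 15, 10],        # ordinary build
    "job-1003": [100, 100, 30, 5, 3, 2, 1, 1],         # short compile spike, then idle
}


def signup_bursts(events, window=timedelta(minutes=1), threshold=5):
    """Return {source: max_accounts_in_window} for sources that created at
    least `threshold` accounts inside any `window`-long sliding interval."""
    times_by_source = defaultdict(list)
    for ts, source, _account in events:
        times_by_source[source].append(datetime.fromisoformat(ts))

    flagged = {}
    for source, times in times_by_source.items():
        times.sort()
        left = 0
        best = 0
        # Classic two-pointer sweep: advance `left` until the span fits.
        for right in range(len(times)):
            while times[right] - times[left] > window:
                left += 1
            best = max(best, right - left + 1)
        if best >= threshold:
            flagged[source] = best
    return flagged


def cpu_hogs(samples, high=90, min_fraction=0.9, min_samples=6):
    """Return the sorted job ids whose utilisation was >= `high` percent in
    at least `min_fraction` of samples. Very short jobs are skipped so a
    brief compile spike does not trip the rule."""
    flagged = []
    for job, util in samples.items():
        if len(util) < min_samples:
            continue
        hot = sum(1 for u in util if u >= high)
        if hot / len(util) >= min_fraction:
            flagged.append(job)
    return sorted(flagged)


if __name__ == "__main__":
    print("signup bursts:", signup_bursts(SIGNUP_EVENTS))   # {'198.51.100.7': 6}
    print("cpu hogs:", cpu_hogs(CPU_SAMPLES))                # ['job-1001']
```

    Neither rule is a verdict on its own: a large organisation onboarding staff can legitimately create several accounts per minute, and a long test suite can peg a core. Their value is as cheap first-stage signals that are worth joining with payment-failure or chargeback data, which is where the "play and run" pattern ultimately shows up.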

    Author DeepWeb