Hello and welcome to the Wednesday, October 26, 2000, 22 edition of the Sansonet Storm Center's Stormcast.

My name is Johannes Ulrich and today I'm recording from Augusta, Georgia.

The first story is sort of a, well, what took them so long, a kind of a story.

GitHub actions are apparently used to mine

crypto coins. Security company SISDIC wrote up this campaign that they're calling a purple

urchin. As this is, well, a pretty obvious abuse of free computer resources, SISTIC writes that many providers

implemented CAPTCHAs and other countermeasures to make it, well, just too painful, really, to

abuse the free but limited resources. Purple Urchin highly automates their tag using GitHub,

Heroku, and Buddy other three services they're using.

And then they essentially open thousands of accounts.

They have about 130 different Docker images that they use then to run actions in GitHub,

which will allow Purple Urchin to use about 33 hours a month of free compute time

from GitHub.

Now, of course, the compute resource you get within these 33 hours are limited and well, but

the way they make it still work for them is by highly automating everything.

They have like an image, a Docker image that sort of serve as a command control server.

It also proxies all the mining pool connections via that command and control server.

But the lesson overall is that sadly if you offer free resources,

yes, they're going to get abused, then you probably need to be ready for that.

Sisa and the FBI are warning about a ransomware group that they're calling the Dakesin team, if I pronounce this correctly.

This group appears to be targeting healthcare providers and initial access happens via VPN servers,

via previously compromised credentials.

...