South Africa-based hackers steal resources worth millions from Microsoft and Salesforce

Security researchers at Palo Alto Networks’ Unit 42 have published a detailed report on a hacking group it tracks as Automated Libra, which it assesses to be based in South Africa.

Automated Libra is behind a campaign dubbed PurpleUrchin that mass-exploited free trials for cloud computing resources to mine cryptocurrency.

Unit 42’s William Gamazo and Nathaniel Quist define freejacking as abusing free or time-limited trials of cloud resources to mine cryptocurrency.

The Sysdig Threat Research Team first reported on the group’s freejacking campaign in October 2022.

However, according to Unit 42’s report, Automated Libra’s campaign didn’t stop at abusing the limited free trials of platforms like Microsoft-owned GitHub and Salesforce-owned Heroku.

The researchers said the group also engaged in credit card fraud, using fraudulent payment details to open paid accounts and run up cloud service bills that were never settled.

Hearkening to phrases like “dine and dash” and “hit and run”, Unit 42 calls this practice “Play and Run”.

While each individual bill was relatively small, Automated Libra automated account creation at scale, registering thousands of accounts through which it could consume resources it never paid for.

“Although one of the largest unpaid balances we found was $190 USD, we suspect the unpaid balances in other fake accounts and cloud services used by the [threat] actors could have been much larger due to the scale and breadth of the mining operation,” Unit 42 stated.

They found that between September and November 2022, Automated Libra created 22,380 GitHub accounts.

If each of those accounts had run up an unpaid bill of $100 (an illustrative figure, since Unit 42 did not report a per-account average), that would come to over $2.2 million (about R34 million) of alleged credit card fraud.

That figure excludes the 100,723 Heroku accounts the group created between November 2021 and July 2022.

Unit 42’s researchers highlighted a specific technique the group used to automate solving the CAPTCHA anti-bot challenge that GitHub presents during sign-up.

GitHub account creation and CAPTCHA challenge

When a new account is created, the CAPTCHA challenge asks the user to pick out images of spiral galaxies.

To answer it automatically, Automated Libra used two ImageMagick command-line tools: convert and identify.

Each challenge image was first turned into its red, green, and blue complement (every colour channel inverted) with the convert tool.

The identify command was then run over each complemented image to extract the “skewness” statistic of the red colour channel, which the group used as its feature for deciding which images to select.

Converting images to an RGB complement
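The two-step feature extraction described above, reconstructed as an added example (not code from Unit 42’s report or from the group’s tooling). It assumes that the “complement” is ImageMagick’s -negate operation (each channel value v becomes 255 - v) and that “skewness” is the population third standardised moment that identify -verbose prints under its channel statistics; both are assumptions, as is the constructed 8x8 test tile. The report does not describe the decision rule the group applied to the skewness value, so none is invented here; the example stops where the feature is extracted.

```python
"""Reconstruction of the convert/identify pipeline described in the article.

Assumptions (not from the Unit 42 report):
  * "RGB complement" == ImageMagick `-negate`: v -> 255 - v per channel.
  * "skewness" == population skewness, m3 / m2**1.5, which is what
    `identify -verbose` reports per channel.
Images are plain nested lists of (r, g, b) tuples so the example runs
without Pillow or ImageMagick; the tiles below are constructed, not real
CAPTCHA images.
"""
from typing import List, Tuple

Pixel = Tuple[int, int, int]
Image = List[List[Pixel]]

RED, GREEN, BLUE = 0, 1, 2


def complement(img: Image) -> Image:
    """Equivalent of `convert in.png -negate out.png`: invert every channel."""
    return [[(255 - r, 255 - g, 255 - b) for (r, g, b) in row] for row in img]


def channel_skewness(img: Image, channel: int) -> float:
    """Population skewness of one colour channel (0 = red, 1 = green, 2 = blue)."""
    values = [px[channel] for row in img for px in row]
    n = len(values)
    mean = sum(values) / n
    m2 = sum((v - mean) ** 2 for v in values) / n   # population variance
    m3 = sum((v - mean) ** 3 for v in values) / n   # third central moment
    if m2 == 0.0:
        return 0.0  # flat channel: no spread, skewness undefined -> report 0
    return m3 / m2 ** 1.5


def red_skewness_after_complement(img: Image) -> float:
    """The feature the article describes: skewness of the red channel of the
    complemented image, i.e. what `identify` would print after `convert -negate`."""
    return channel_skewness(complement(img), RED)


def make_tile(background: Pixel, highlights: List[Tuple[int, int]],
              highlight_colour: Pixel, size: int = 8) -> Image:
    """Constructed test tile: a uniform background with a few bright pixels,
    a crude stand-in for a compact bright object on a dark sky."""
    img = [[background for _ in range(size)] for _ in range(size)]
    for (y, x) in highlights:
        img[y][x] = highlight_colour
    return img


# Constructed sample inputs (not real challenge images).
DARK_SKY_WITH_BLOB = make_tile(
    background=(20, 20, 20),
    highlights=[(3, 3), (3, 4), (4, 3), (4, 4)],
    highlight_colour=(240, 200, 180),
)
FLAT_TILE = make_tile(background=(90, 90, 90), highlights=[], highlight_colour=(0, 0, 0))


if __name__ == "__main__":
    for name, tile in (("dark sky with blob", DARK_SKY_WITH_BLOB), ("flat tile", FLAT_TILE)):
        before = channel_skewness(tile, RED)
        after = red_skewness_after_complement(tile)
        print(f"{name:20s} red skewness: original={before:+.4f} complemented={after:+.4f}")
```

Because negation maps every deviation from the mean to its negative, the complement simply flips the sign of the skewness; inverting the image before measuring therefore changes the sign convention of the feature but not its magnitude. Whatever threshold the group used on top of this, it was a heuristic rather than a model of what a spiral galaxy looks like, which is why Unit 42’s caveat about not having evaluated its accuracy matters.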

Unit 42 said it did not evaluate how accurate this automated CAPTCHA-solving technique was.

However, the number of accounts the group managed to create in a matter of months speaks for itself.

The researchers said they identified over 40 individual crypto wallets and seven different cryptocurrencies or tokens used within the PurpleUrchin operation.

“We also identified that specific containerised components of the infrastructure the actors created were not only designed to perform mining functionality, but they also automated the process of trading the collected cryptocurrencies,” they said.

Unit 42 found that Automated Libra sold their mined cryptocurrencies through several trading platforms, such as CRATEX ExchangeMarket, crex24, and Luno.

MyBroadband asked Luno if any affected parties had alerted it to Automated Libra and PurpleUrchin.

Luno South Africa country manager Christo de Wit said they haven’t been contacted by any affected parties.

We also asked whether Luno’s know-your-customer (KYC, i.e. FICA-like) checks could help unmask the people behind the wallets Unit 42 had identified.

“Yes, with our KYC processes, we are able to provide relevant information to law enforcement agencies who request it while investigating this type of incident,” De Wit said.

“Our FinCrime team also actively monitors transactions in accordance with regulations.”
