Cloudy with a Chance of Unusually High Bills
Credential stuffing attacks on a high-profile cloud service account for cryptocurrency mining
On Thursday, February 23, 2023, Kara, a 46-year-old from Glendale, California, started her day like any other. She woke up around 5:30 am, practiced some yoga, made coffee, prepared avocado toast, packed her lunch, and got ready for work while listening to NPR’s Morning Edition on KCRW 89.9FM. By 7:30 am, she was on her way to her job as the Chief Financial Officer (CFO) of a financial institution in downtown Los Angeles.
After a typical workday, she left around 4:30 pm and went to her mother’s condo on Olympic Boulevard. They spent time together over a home-cooked dinner. At 6:00 pm, they walked to the nearby Crypto.com Arena to watch the basketball game between the Golden State Warriors and the Los Angeles Lakers. With the tip-off shortly after 7:00 pm, Kara and her mom had plenty of time to settle in before the game started.
Contents
Kara at the game—February 23, 2023
An Unusually High Bill
Background: PurpleUrchin
All Units Be Advised—February 24, 2023
What the IT Security Team Found
Mitigation and Response
Kara’s Review Session (Lessons Learned)
An Unusually High Bill
During halftime, Kara checked her phone and saw a new email from one of her team members, a financial controller who manages company expenses. The email mentioned an unusually high bill from their cloud service provider and asked for immediate attention to review the charges and decide what to do next. The timing wasn’t great: an urgent issue had landed right in the middle of an exciting basketball game. Kara quickly replied and scheduled a meeting with the controller for the next morning.
The basketball game ended around 9:30 pm—the Lakers beat the Warriors 124-111. Kara and her mom made their way out of the crowded arena, and after walking her mom back to her condo, Kara started the long drive back home to Glendale in light rain, still thinking about the email from her controller.
Background: PurpleUrchin
A cyber threat group called PurpleUrchin, likely based in South Africa, has gained attention for its unique cybercrime tactics. They primarily use credential stuffing attacks to break into cloud service accounts, targeting organizations with large cloud infrastructure.
PurpleUrchin also uses a technique called “freejacking,” where they exploit free or trial-based cloud services for large-scale cryptocurrency mining. They frequently use platforms like GitHub, Docker Hub, and Heroku, creating many fake accounts using stolen or fake credit card information to avoid paying for services.
Once they access these cloud accounts, either through the free trials or credential stuffing, PurpleUrchin automates account creation and deploys crypto mining software rapidly—up to five accounts per minute. They minimize activity on each compromised account to avoid detection and maximize their mining efforts. They also use techniques like bypassing CAPTCHA and disguising mining software to evade detection by cloud providers and security teams.
In essence, PurpleUrchin uses these fake and compromised accounts in “Play and Run” tactics, using cloud resources without paying for them, allowing them to mine cryptocurrencies and manage their operations across various cloud platforms.
All Units Be Advised—February 24, 2023
The next day, Friday, February 24, 2023, Kara was on the phone with her financial controller before getting on Interstate 5, heading south to her downtown Los Angeles office. They quickly realized the seriousness of the situation and planned a coordinated response to stop further unauthorized access and financial losses.
Kara’s company, a financial institution, relies heavily on cloud services for data storage, transaction processing, and financial analytics.
Once Kara arrived at the office, the financial controller alerted the IT department, making sure senior staff knew about the potential security breach. Kara then informed the CEO and the board of directors about the possible financial impact and the steps being taken to investigate.
Kara assembled an internal investigation team, including:
IT Security: to find out how their cloud service account was compromised.
Finance: led by the financial controller, to audit recent transactions and billing data to determine the financial impact.
Legal and Compliance: to evaluate any legal issues, including breaches of data protection laws.
Communications: to handle internal and external messaging, ensuring consistent communication without causing unnecessary alarm.
Over the next few weeks, the IT security team conducted a thorough investigation, using forensic tools to trace the breach’s origin by analyzing access logs and system changes. They also implemented immediate security measures, like changing passwords and enhancing protocols. Kara approved additional budget for cybersecurity improvements suggested by the IT team.
The finance team reviewed transaction logs to spot any other suspicious activities. The financial controller set up real-time monitoring of billing and access logs to quickly detect any further issues. She also scheduled regular updates for Kara to keep the CEO, board of directors, and other stakeholders informed about the investigation’s progress and any new risks.
What the IT Security Team Found
The IT security team found signs of “unauthorized access” during an initial review of account activities.
On February 23, 2023, the financial controller noticed an unusually high bill from the cloud service provider. A review of access logs from early February revealed multiple failed login attempts starting around February 11-12, 2023 (a weekend), followed by successful logins from unfamiliar IP addresses during that same weekend.
The attackers likely used a list of previously breached credentials bought from the dark web. They gained access after many attempts, taking advantage of the absence of account lockout measures after repeated failed logins.
The IT security team used specialized tools to filter and analyze login attempts, source IPs, and timestamps. They also integrated threat intelligence to identify and confirm IP addresses linked to malicious activities.
The logs revealed a pattern of failed logins with different username and password combinations, followed by a surge of successful logins. Further analysis showed the login attempts came from countries not connected to the financial institution’s operations—specifically South Africa and some Eastern European countries.
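To make the log pattern above concrete, here is an added detection example (my illustration, not the institution’s tooling or real logs): it parses constructed login records in an assumed `timestamp user result source_ip` format and flags a successful login from a source IP that had no prior successful login and that had just produced failures across many distinct usernames, which is the credential-stuffing signature the team saw.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample records (not real data). One familiar IP (203.0.113.10)
# with a normal typo-then-success, and one unfamiliar IP (198.51.100.7)
# trying many usernames over the weekend of Feb 11-12 before one works.
SAMPLE_LOG = """\
2023-02-06T09:12:01 alice SUCCESS 203.0.113.10
2023-02-11T02:14:03 alice FAILURE 198.51.100.7
2023-02-11T02:14:04 bob FAILURE 198.51.100.7
2023-02-11T02:14:05 carol FAILURE 198.51.100.7
2023-02-11T02:14:06 dave FAILURE 198.51.100.7
2023-02-11T02:14:07 erin FAILURE 198.51.100.7
2023-02-11T02:14:09 frank FAILURE 198.51.100.7
2023-02-11T02:14:11 bob SUCCESS 198.51.100.7
2023-02-12T22:30:00 alice FAILURE 203.0.113.10
2023-02-12T22:30:20 alice SUCCESS 203.0.113.10
"""

FAIL_THRESHOLD = 5           # distinct usernames failing from one IP (assumed tuning)
WINDOW = timedelta(minutes=10)  # look-back window before the success (assumed tuning)

def parse(log_text):
    """Turn the assumed 'timestamp user result source_ip' lines into sorted tuples."""
    events = []
    for line in log_text.splitlines():
        ts, user, result, ip = line.split()
        events.append((datetime.fromisoformat(ts), user, result, ip))
    return sorted(events)

def detect_stuffing(log_text):
    """Return (timestamp, user, ip, distinct_failed_users) for each success that
    came from an IP with no earlier success and at least FAIL_THRESHOLD failed
    usernames from that IP inside the preceding WINDOW."""
    known_ips = set()                     # IPs that have logged in successfully before
    recent_failures = defaultdict(list)   # ip -> [(timestamp, username), ...]
    findings = []
    for ts, user, result, ip in parse(log_text):
        if result == "FAILURE":
            recent_failures[ip].append((ts, user))
            continue
        # Count distinct usernames that failed from this IP within the window.
        window_users = {u for t, u in recent_failures[ip] if ts - t <= WINDOW}
        if ip not in known_ips and len(window_users) >= FAIL_THRESHOLD:
            findings.append((ts.isoformat(), user, ip, len(window_users)))
        known_ips.add(ip)   # a success makes the IP "familiar" from now on
    return findings
```

The familiar IP is not flagged even though it has a failure, because it already had an earlier success and only one username failed; the unfamiliar IP is flagged the moment one of its many guessed usernames succeeds.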
The team also employed machine learning models to detect unusual login patterns and flag high-risk attempts. They used User Behavior Analytics (UBA) to profile typical user behaviors and spot deviations that could indicate a breach.
The team captured network traffic during the attack period, examining packets for any signs of data theft or unauthorized movement within the network.
Alerts from endpoints highlighted unusual processes and network requests, leading the team to isolate affected machines for deeper forensic analysis, including memory and disk investigations.
Working with the financial team, the IT team compared expected cloud service usage with the unauthorized deployment of resources after the breach. The financial team traced unexpected costs back to services activated after the weekend of February 11-12, 2023.
After weeks of thorough investigation using endpoint logs, network logs, and multiple threat intelligence sources, the IT security team confidently concluded that attackers, using infrastructure in South Africa and Eastern Europe, compromised the financial institution’s cloud service account for crypto mining.
To recap:
Attackers launched a credential stuffing attack on the financial institution in Los Angeles during the weekend of February 11-12, 2023.
The financial controller noticed unusually high cloud service usage on the next billing cycle on February 23.
The internal security team started a detailed audit and activated incident response on February 25.
Mitigation and Response
The breach highlighted the urgent need for stronger security in cloud systems. The IT security team suggested the following steps:
Multi-Factor Authentication (MFA): to provide an additional layer of security beyond passwords.
Account Lockout Policies: to prevent brute force attacks by locking out accounts after several failed login attempts.
Regular Audits and Monitoring: to detect and respond to anomalies in real-time.
Employee Training: regular training sessions on cybersecurity best practices and phishing attack awareness.
Kara’s Review Session (Lessons Learned)
Months later, after the situation was contained and the recommendations were put into practice and refined over several weeks, Kara and her financial controller held a review session with all the teams involved in the investigation. They discussed the incident and evaluated how well they had responded. As a result, they made significant updates to company policies and controls related to cloud security and financial oversight. They also thoroughly revised the financial institution’s cybersecurity strategies, adding advanced predictive analytics and AI-driven threat detection to strengthen their defenses against future attacks.
If you like what you just read, let’s connect on LinkedIn or buy me a coffee.
P.S. If you enjoyed this post please consider sharing it. That’s how I meet new people, build my network, and then have more opportunities to work on investigations that produce stories like this one!