Security control could be rolled out more widely if it fails to halt rise in abuse

GitLab tackles crypto-mining abuse with payment card checks for free accounts

UPDATED A surge in crypto-mining abuse on GitLab has prompted the DevOps platform to mandate that even customers with free accounts must include payment card details in order to use its pipeline services.

The San Francisco-based company says it has introduced the measure in part because the problem was creating “performance issues”.

“Recently, there has been a massive uptick in abuse of free pipeline minutes available on and on other CI/CD providers to mine cryptocurrencies,” said GitLab in a blog post announcing the change.

Read the latest DevSecOps news from around the world

“In addition to the cost increases, the abuse creates intermittent performance issues for users and requires our teams to work 24/7 to maintain optimal services for our customers and users.”

Wayne Haber, director of engineering at GitLab, told The Daily Swig that “the scale of the abuse goes up and down over time based on” mitigations put in place by CI/CD vendors and “fluctuations in the value of the cryptocurrencies”.

As of yesterday (May 17), GitLab said it “will require new free users to provide a valid credit or debit card number in order to use shared runners on”.

The payment cards will not be charged but instead will be verified with a one-dollar authorization transaction.

New, free SaaS users who decline to provide card details will not have access to any GitLab features relying on pipelines, unless they use their own runner and disable shared runners.

“Although imperfect, we believe this solution will reduce the abuse,” the company explained.

Scope for expansion

Users who created a GitLab account before May 17 will be exempt from the new security control, along with GitLab self-managed users, and paying or program users.

However, GitLab said it was ready to widen the scope of the new measure if the changes fail to have the desired effect.

“If we continue to see abuse through existing free accounts, we plan to extend the requirement to additional users,” it explained.

Wayne Haber commented: “A number of months ago when the abuse first occurred, there were isolated performance issues. We quickly resolved the incident and made it public per our value of transparency.

He continued: “As they adapt, we adapt. We will continue to respond and adapt so that our users are not impacted.”

READ MORE Microsoft releases free online ‘playbooks’ to help businesses defend against cyber-attacks

GitLab said previous measures it had taken to deter illicit crypto-mining had been “helpful” but “not sufficient” in achieving this aim.

These have included failing pipelines and the creation of jobs when pipeline minutes quotas are exceeded, restrictions to the creation of namespaces via the API, enabling the termination of pipelines when blocking users, and preventing pipelines from running if owned by blocked users.

The software development organization has also closed gaps between jobs running through user accounts deleted by users, and enhanced its external pipeline validation service.

“We believe using pipeline minute quotas as the foundation for free minute usage will be the best mechanism for failing jobs and pipelines to stop abuse,” said GitLab.

Non-paying GitLab users can use up to 400 free CI/CD minutes each month.

Colossal energy consumption

Crypto-mining, or cryptocurrency mining, verifies cybercurrency transactions by leveraging the processing power of computers to solve complex mathematical problems.

Cybercriminals can profit from the technique by infecting target machines with ‘cryptojacking’ malware and corralling them into botnets that generate illicit profits from these transactions.

Haber said mooted changes to how cryptocurrencies are validated could be a game-changer.

“Most cryptocurrency mining requires significant CPU compute power for doing ‘proof of work’ operations. This takes significant power and cooling for those doing this at scale,” he explained. “It also encourages abusers to steal CPU power.

“Some cryptocurrencies are planning to move away from current methods of validation to ‘proof of stake’ operations which require much less compute resources. If successful, this will not only reduce the costs and environmental impact of cryptocurrencies, but also should reduce the incentive for abusers to steal compute resources.”

It could also boost the value of cryptocurrencies, given how Bitcoin’s value plunged last week after Tesla co-founder Elon Musk said the electric car maker would no longer accept the cryptocurrency as payment because its colossal energy consumption was hampering the fight against climate change.

This article was updated on May 19 with the addition of comments from Wayne Haber of GitLab.

RELATED Vulnerability in Nagios XI exploited by cryptojacking crooks to hijack systems