A new cryptojacking campaign is targeting publicly accessible DevOps services, among them Docker, Gitea, and HashiCorp Consul and Nomad. Cloud security firm Wiz, which tracks the activity as JINX-0132, reports that the attackers abuse known misconfigurations and, where available, vulnerabilities in these services to deliver a cryptocurrency miner to the compromised hosts. The campaign is notable as the first publicly documented case of Nomad misconfigurations being exploited as an attack vector. Misconfigurations of this kind tend to escape defenders' attention, particularly when the tools involved are not widely regarded as likely targets.
What further distinguishes these attacks is that the operators download the tooling they need straight from public GitHub repositories, deliberately avoiding any staging infrastructure of their own, which other groups commonly maintain. Wiz reads this reliance on off-the-shelf tools as a deliberate choice by JINX-0132 to muddy attribution and make the activity harder to track. Some of the compromised Nomad instances were found to manage hundreds of clients, which illustrates the amount of compute power at stake: that stolen compute is what drives the cryptojacking and generates the attackers' profit.
JINX-0132 also takes advantage of vulnerabilities or misconfigurations in Gitea, a lightweight open-source Git service. Publicly exposed Gitea instances can be vulnerable to remote code execution when certain conditions are met. Similarly, HashiCorp Consul permits arbitrary code execution if administrators have not configured it correctly; JINX-0132 abused this by registering malicious health checks whose only real purpose is to run the mining software. The group has likewise been observed exploiting misconfigurations in publicly exposed Nomad server APIs to create multiple new jobs on compromised hosts. Those jobs download the XMRig miner payload from GitHub and then execute it.
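Both HashiCorp abuses described above depend on settings an administrator can audit before an attacker does. The script below is an added example, not code from the Wiz report or from HashiCorp: it audits a Consul agent configuration for script-check and ACL settings, a Nomad server configuration for disabled ACLs, and a Nomad job document for the pattern the article describes (a raw_exec task fetching a miner from GitHub). The Consul keys `enable_script_checks`, `enable_local_script_checks`, `acl.enabled` and `acl.default_policy`, and the Nomad key `acl.enabled`, are real configuration options; the Nomad job layout (`Job`/`TaskGroups`/`Tasks`/`Driver`/`Config`/`Artifacts`/`GetterSource`) follows the job JSON shape but is treated here as an assumption, and all sample documents are constructed for illustration.

```python
"""Audit Consul/Nomad configuration and Nomad jobs for the misconfigurations
JINX-0132 is reported to abuse. Added example; all sample data is constructed."""
import json
from urllib.parse import urlparse

# Constructed: a Consul agent config that lets any API client register a
# script check and has no ACL system enabled.
CONSUL_AGENT_CONFIG_JSON = """
{
  "datacenter": "dc1",
  "server": true,
  "client_addr": "0.0.0.0",
  "enable_script_checks": true
}
"""

# Constructed: a Nomad server config with ACLs left disabled.
NOMAD_SERVER_CONFIG_JSON = """
{"server": {"enabled": true}, "acl": {"enabled": false}}
"""

# Constructed: a Nomad job resembling the article's description, a raw_exec
# task that fetches a miner release from GitHub and runs it. Job field names
# are an assumption about the Nomad job JSON layout.
SUSPICIOUS_NOMAD_JOB_JSON = """
{"Job": {"ID": "sys-update", "TaskGroups": [{"Name": "g", "Tasks": [
  {"Name": "t", "Driver": "raw_exec",
   "Config": {"command": "local/xmrig", "args": ["-o", "pool.example:3333"]},
   "Artifacts": [{"GetterSource": "https://github.com/example/releases/download/v1/xmrig.tar.gz"}]}
]}]}}
"""

# Miner names mentioned in the article; extend with your own watch-list.
MINER_NAME_HINTS = ("xmrig", "t-rex")


def _truthy(value) -> bool:
    """Config files may carry booleans or the strings 'true'/'false'."""
    return value is True or str(value).lower() == "true"


def audit_consul_agent(config: dict) -> list[str]:
    """Return findings for a parsed Consul agent configuration."""
    findings = []
    if _truthy(config.get("enable_script_checks")):
        findings.append("enable_script_checks is true: script checks can be registered over the HTTP API")
    if _truthy(config.get("enable_local_script_checks")):
        findings.append("enable_local_script_checks is true: script checks can be registered from local config")
    acl = config.get("acl") or {}
    if not _truthy(acl.get("enabled")):
        findings.append("ACL system disabled: any client that reaches the API is unauthenticated")
    elif acl.get("default_policy", "allow") != "deny":
        findings.append("acl.default_policy is not 'deny'")
    if config.get("client_addr") in ("0.0.0.0", "::"):
        findings.append("client_addr binds the HTTP API to all interfaces")
    return findings


def audit_nomad_server(config: dict) -> list[str]:
    """Return findings for a parsed Nomad server configuration."""
    acl = config.get("acl") or {}
    if not _truthy(acl.get("enabled")):
        return ["Nomad ACLs disabled: anyone reaching the API can submit jobs"]
    return []


def audit_nomad_job(job_doc: dict) -> list[str]:
    """Return findings for a Nomad job document (as returned by the jobs API)."""
    findings = []
    job = job_doc.get("Job", job_doc)
    for group in job.get("TaskGroups") or []:
        for task in group.get("Tasks") or []:
            label = f"{job.get('ID')}/{group.get('Name')}/{task.get('Name')}"
            if task.get("Driver") == "raw_exec":
                findings.append(f"{label}: raw_exec driver runs unsandboxed as the Nomad client user")
            cfg = task.get("Config") or {}
            cmdline = " ".join([str(cfg.get("command", ""))] + [str(a) for a in cfg.get("args") or []])
            if any(hint in cmdline.lower() for hint in MINER_NAME_HINTS):
                findings.append(f"{label}: command line references a known miner name")
            for artifact in task.get("Artifacts") or []:
                host = urlparse(str(artifact.get("GetterSource", ""))).hostname or ""
                if host == "github.com" or host.endswith(".github.com"):
                    findings.append(f"{label}: artifact fetched from public GitHub ({host})")
    return findings


if __name__ == "__main__":
    for name, result in (
        ("consul agent", audit_consul_agent(json.loads(CONSUL_AGENT_CONFIG_JSON))),
        ("nomad server", audit_nomad_server(json.loads(NOMAD_SERVER_CONFIG_JSON))),
        ("nomad job", audit_nomad_job(json.loads(SUSPICIOUS_NOMAD_JOB_JSON))),
    ):
        print(f"[{name}] {len(result)} finding(s)")
        for line in result:
            print("  -", line)
```

In practice the job audit would be run over the output of the Nomad jobs API for every registered job, and the two config audits over the files the agents actually load; a raw_exec task that pulls a binary from a public repository on a cluster where ACLs are off is exactly the combination the article describes.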
The disclosure coincides with Sysdig's report on a separate malware campaign targeting both Linux and Windows systems. That campaign exploits misconfigured hosts running Open WebUI to upload an AI-generated Python script, which in turn delivers cryptocurrency miners such as T-Rex and XMRig, creates systemd services for persistence, and reports back through Discord webhooks. The scale of exposed DevOps tooling makes the risk significant: Shodan data shows thousands of Consul and Nomad servers reachable from the internet, many of them hosted on major cloud platforms, which gives cryptojacking campaigns of this kind a broad attack surface worldwide.