CyberSecurity news
@Wiz Blog | RSS feed
A widespread cryptojacking campaign is targeting misconfigured DevOps infrastructure, including Nomad, Consul, Docker, and Gitea, to illicitly mine Monero cryptocurrency. The attackers, tracked as JINX-0132, are exploiting known misconfigurations and vulnerabilities in publicly accessible web servers to deploy mining software. This campaign marks the first publicly documented instance of Nomad misconfigurations being exploited as an attack vector.
The JINX-0132 group stands out for avoiding the usual attribution signals: rather than custom malware, it downloads its tooling directly from public GitHub repositories, including stock release builds of XMRig. This "living-off-open-source" approach complicates detection and makes the activity hard to cluster, since nothing in the toolchain is unique to the actor. Access to the hosts comes from insecure configurations and vulnerable software versions on internet-exposed DevOps web servers.
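Because the miner arrives as an unmodified GitHub release rather than a bespoke binary, the most reliable signal is not a file hash but where a job gets its payload from. The scanner below, an added example that is not code from the Wiz report or from Nomad, walks Nomad job specifications in the JSON shape the API returns for GET /v1/job/<id> and flags tasks whose artifact points at a release of a watchlisted repository, whose driver config mentions miner-specific strings, or which run unsandboxed via raw_exec. The repository watchlist, the marker strings, the raw_exec heuristic and the sample job are my assumptions, not details from the report.

```python
"""Scan Nomad job specifications for tasks that fetch mining software
straight from a public GitHub release (the "living-off-open-source" pattern).

Added example, not code from the Wiz report or from Nomad. Input is the JSON
a Nomad API returns for GET /v1/job/<id>; the watchlist, marker strings and
the sample job are constructed assumptions.
"""
from typing import Iterator, List, Optional, Tuple
from urllib.parse import urlparse

# Assumption: GitHub repositories whose release assets are miners.
# xmrig/xmrig is the one named in the report; extend the set for your estate.
MINER_REPOS = {"xmrig/xmrig"}
# Assumption: strings that rarely appear in a legitimate task's config.
MINER_MARKERS = ("xmrig", "--donate-level", "stratum+tcp://", "stratum+ssl://")


def github_repo(url: str) -> Optional[str]:
    """Return 'owner/repo' (lower-cased) for a github.com URL, else None."""
    try:
        parsed = urlparse(url)
    except ValueError:
        return None
    if parsed.hostname not in ("github.com", "www.github.com"):
        return None
    parts = [p for p in parsed.path.split("/") if p]
    if len(parts) < 2:
        return None
    return f"{parts[0]}/{parts[1]}".lower()


def _tasks(job: dict) -> Iterator[Tuple[str, dict]]:
    """Yield (group name, task) for every task in the job."""
    for group in job.get("TaskGroups") or []:
        for task in group.get("Tasks") or []:
            yield group.get("Name", "?"), task


def _strings(obj) -> Iterator[str]:
    """Yield every string nested inside a task's driver-specific Config dict."""
    if isinstance(obj, str):
        yield obj
    elif isinstance(obj, dict):
        for value in obj.values():
            yield from _strings(value)
    elif isinstance(obj, (list, tuple)):
        for value in obj:
            yield from _strings(value)


def scan_job(job: dict) -> List[str]:
    """Return one finding per suspicious artifact, config or driver choice."""
    job = job.get("Job", job)  # `nomad job inspect` wraps the spec in "Job"
    findings = []
    job_id = job.get("ID", "?")
    for group_name, task in _tasks(job):
        where = f"job={job_id} group={group_name} task={task.get('Name', '?')}"
        # Nomad downloads each artifact into the task directory before the
        # task starts, so a watchlisted release tarball is the payload itself.
        for artifact in task.get("Artifacts") or []:
            source = artifact.get("GetterSource", "")
            if github_repo(source) in MINER_REPOS:
                findings.append(f"{where}: artifact fetches miner release {source}")
        config_text = " ".join(_strings(task.get("Config") or {})).lower()
        hits = [m for m in MINER_MARKERS if m in config_text]
        if hits:
            findings.append(f"{where}: task config contains {', '.join(hits)}")
        # raw_exec runs the command directly on the client host with no
        # isolation; it is off by default, so its presence is worth a finding.
        if task.get("Driver") == "raw_exec":
            findings.append(f"{where}: uses the raw_exec driver")
    return findings


# Constructed sample of what a miner job submitted through an ACL-less API
# could look like; the pool host and release tag are illustrative.
SAMPLE_JOB = {
    "ID": "system-metrics",
    "TaskGroups": [{
        "Name": "workers",
        "Tasks": [{
            "Name": "collector",
            "Driver": "raw_exec",
            "Artifacts": [{"GetterSource":
                "https://github.com/xmrig/xmrig/releases/download/v6.22.2/"
                "xmrig-6.22.2-linux-static-x64.tar.gz"}],
            "Config": {"command": "local/xmrig-6.22.2/xmrig",
                       "args": ["-o", "pool.example:3333", "--donate-level", "0"]},
        }],
    }],
}

if __name__ == "__main__":
    for line in scan_job(SAMPLE_JOB):
        print(line)
```

In practice, list job IDs from /v1/jobs, fetch each spec and pass it to scan_job; a single finding is enough to justify pulling the job's allocations and checking the client for an xmrig process.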
Targets include HashiCorp Nomad and Consul, the Docker Engine API, and Gitea servers. Some of the affected Nomad instances manage hundreds of clients, so a single compromised server hands the miners substantial compute. To defend against this, organizations should review their configurations, enable Nomad's access control lists (ACLs), and lock down Consul so that unauthenticated API access, and the resource consumption that follows from it, is not possible.
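The advice above comes down to a handful of daemon settings. The audit below is an added example, not code from the Wiz report or from HashiCorp or Docker: it reads each daemon's configuration in its documented JSON form and reports the settings that leave the API open to unauthenticated job submission (Nomad), arbitrary command execution through script checks (Consul), or container creation (Docker). The weak and hardened sample configurations, including the file paths in them, are constructed for illustration.

```python
"""Audit Nomad, Consul and Docker daemon configuration (JSON form) for the
settings that let an unauthenticated network caller run code on the host.

Added example, not from the Wiz report, HashiCorp or Docker. The keys checked
are each daemon's documented JSON configuration keys; the sample WEAK and
HARDENED configurations below are constructed.
"""
from typing import Any, Dict, List

Config = Dict[str, Any]


def _exposed(addr: Any) -> bool:
    """True when a bind/listen address accepts connections from any interface."""
    return str(addr) in ("0.0.0.0", "::", "[::]")


def audit_nomad(cfg: Config) -> List[str]:
    findings = []
    if not (cfg.get("acl") or {}).get("enabled"):
        findings.append("nomad: acl.enabled is false; anyone who reaches port 4646 "
                        "can submit jobs to every client")
    tls = cfg.get("tls") or {}
    if _exposed(cfg.get("bind_addr")) and not tls.get("http"):
        findings.append("nomad: bind_addr is 0.0.0.0 and tls.http is off; "
                        "the API is plaintext on all interfaces")
    return findings


def audit_consul(cfg: Config) -> List[str]:
    findings = []
    # enable_script_checks lets an API caller register a health check whose
    # "args" is any command; enable_local_script_checks limits that to checks
    # defined in local config files.
    if cfg.get("enable_script_checks"):
        findings.append("consul: enable_script_checks allows command execution "
                        "through the check registration API")
    acl = cfg.get("acl") or {}
    if not acl.get("enabled") or acl.get("default_policy", "allow") != "deny":
        findings.append("consul: ACLs disabled or default_policy is not deny; "
                        "service and check registration is unauthenticated")
    if _exposed(cfg.get("client_addr")):  # default is 127.0.0.1
        findings.append("consul: client_addr is 0.0.0.0; HTTP API reachable "
                        "from any interface")
    return findings


def audit_docker(cfg: Config) -> List[str]:
    findings = []
    tcp = [h for h in cfg.get("hosts") or [] if str(h).startswith("tcp://")]
    if tcp and not cfg.get("tlsverify"):
        findings.append(f"docker: daemon listens on {', '.join(tcp)} without "
                        "tlsverify; remote callers can start privileged containers")
    return findings


def audit(kind: str, cfg: Config) -> List[str]:
    return {"nomad": audit_nomad, "consul": audit_consul,
            "docker": audit_docker}[kind](cfg)


# Constructed samples: the exposure pattern on the left of each pair is what the
# campaign needs; the hardened form is what the same daemon should look like.
WEAK = {
    "nomad": {"bind_addr": "0.0.0.0", "server": {"enabled": True},
              "client": {"enabled": True}},
    "consul": {"client_addr": "0.0.0.0", "enable_script_checks": True},
    "docker": {"hosts": ["unix:///var/run/docker.sock", "tcp://0.0.0.0:2375"]},
}
HARDENED = {
    "nomad": {"bind_addr": "0.0.0.0", "acl": {"enabled": True},
              "tls": {"http": True, "rpc": True, "verify_https_client": True,
                      "ca_file": "/etc/nomad.d/ca.pem",
                      "cert_file": "/etc/nomad.d/server.pem",
                      "key_file": "/etc/nomad.d/server-key.pem"}},
    "consul": {"client_addr": "127.0.0.1", "enable_local_script_checks": True,
               "acl": {"enabled": True, "default_policy": "deny"}},
    "docker": {"hosts": ["unix:///var/run/docker.sock", "tcp://0.0.0.0:2376"],
               "tlsverify": True, "tlscacert": "/etc/docker/ca.pem",
               "tlscert": "/etc/docker/server-cert.pem",
               "tlskey": "/etc/docker/server-key.pem"},
}

if __name__ == "__main__":
    for kind in ("nomad", "consul", "docker"):
        print(kind, "weak:", audit(kind, WEAK[kind]))
        print(kind, "hardened:", audit(kind, HARDENED[kind]))
```

Run it against the live files (`nomad.json`, `consul.json`, `/etc/docker/daemon.json`) by loading each with `json.load` and passing the dict to audit; HCL-format Nomad and Consul files need converting first, for example with `nomad config validate` followed by an export, or by hand. A clean audit is necessary but not sufficient: a reverse proxy or cloud security group in front of the port can undo the exposure, or recreate it.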
References:
- The Hacker News: Cryptojacking Campaign Exploits DevOps APIs Using Off-the-Shelf Tools from GitHub
- www.scworld.com: Docker, HashiCorp, Gitea servers targeted in cryptojacking campaign
- Wiz Blog | RSS feed: DevOps Tools Targeted for Cryptojacking
- malware.news: Docker, HashiCorp, Gitea servers targeted in cryptojacking campaign
- The Register - Security: Illicit crypto-miners pouncing on lazy DevOps configs that leave clouds vulnerable
- securityaffairs.com: Cryptojacking campaign relies on DevOps tools
- www.csoonline.com: The high cost of misconfigured DevOps tools: Global cryptojacking hits enterprises
- www.it-daily.net: Cryptojacking campaign abuses DevOps APIs with GitHub tools
- Security Risk Advisors: Wiz Discovers JINX-0132 Cryptojacking Campaign Targeting Exposed DevOps Applications with Living-Off-Open-Source Strategy