CyberSecurity news
FlagThis - #cryptojacking
|
@Wiz Blog | RSS feed
//
A widespread cryptojacking campaign is targeting misconfigured DevOps infrastructure, including Nomad, Consul, Docker, and Gitea, to illicitly mine Monero cryptocurrency. The attackers, tracked as JINX-0132, are exploiting known misconfigurations and vulnerabilities in publicly accessible web servers to deploy mining software. This campaign marks the first publicly documented instance of Nomad misconfigurations being exploited as an attack vector.
The JINX-0132 group uniquely avoids traditional identifiers, downloading tools directly from public GitHub repositories, including standard release versions of XMRig. This "living-off-open-source" approach complicates detection and clustering of their activities. They abuse insecure configurations and vulnerable software versions to hijack DevOps web servers. HashiCorp Nomad and Consul, Docker API, and Gitea servers are being targeted. Affected Nomad instances can manage hundreds of clients, representing significant compute power. To prevent such attacks, organizations are advised to review their configurations, activate security features like access control lists (ACLs) for Nomad, and properly configure Consul to prevent unauthorized access and resource utilization.
Share:
References :
Classification:
Aminu Abdullahi@eSecurity Planet
//
Cybersecurity researchers are raising alarms about a new, sophisticated cryptojacking campaign called RedisRaider, which targets publicly accessible Redis servers running on Linux. Discovered by Datadog Security Labs, RedisRaider employs an aggressive and technically complex attack chain to deploy Monero miners on compromised systems. The malware uses a custom-built scanner to identify vulnerable Redis servers across the internet, exploiting weak configurations to execute malicious cron jobs that download and run the primary payload.
The attackers behind RedisRaider have implemented advanced techniques to evade detection and analysis. The malware is written in Go and heavily obfuscated using a tool called Garble, hiding key functions within the code. Additionally, RedisRaider employs anti-forensic measures such as short key time-to-live (TTL) settings to erase traces, writing temporary files to cron directories to blend with system processes, and deleting keys and logs after execution to cover its tracks. These tactics make it challenging for security professionals to detect and analyze the malicious activity. Datadog's investigation uncovered that the same infrastructure used for the server-level attacks also hosted a web-based Monero miner, indicating a multi-pronged revenue generation strategy. The attackers generate income not only from hijacked Linux servers but also from unsuspecting website visitors. Experts emphasize the need for proper configuration and security measures for publicly accessible Redis servers, including strong authentication and access controls, to prevent RedisRaider and similar cryptojacking campaigns from compromising systems and stealing resources.
Share:
References :
Classification:
|