Cybersecurity researchers have discovered a new cryptojacking campaign that’s targeting publicly accessible DevOps web servers such as those associated with Docker, Gitea, and HashiCorp Consul and Nomad to illicitly mine cryptocurrencies.
Cloud security firm Wiz, which is tracking the activity under the name JINX-0132, said the attackers are exploiting a wide range of known misconfigurations and vulnerabilities to deliver the miner payload.
“Notably, this campaign marks what we believe to be the first publicly documented instance of Nomad misconfigurations being exploited as an attack vector in the wild,” researchers Gili Tikochinski, Danielle Aminov, and Merav Bar said in a report shared with The Hacker News.
What sets these attacks further stand out is that the bad actors download the necessary tools directly from GitHub repositories rather than using their own infrastructure for staging purposes. The use of off-the-shelf tools is seen as a deliberate attempt to cloud attribution efforts.
JINX-0132 is said to have compromised Nomad instances that manage hundreds of clients that, given the combined CPU and RAM resources, would cost tens of thousands of dollars per month. This also serves to highlight the computing power that drives the cryptojacking activity.
It’s worth mentioning that abuse of Docker API is a well-known launchpad for such attacks. Just last week, Kaspersky revealed that threat actors are targeting misconfigured Docker API instances to enlist them to a cryptocurrency mining botnet.
Exposed Docker API instances open the door for threat actors to execute malicious code by spinning up containers that mount the host file system or launch a cryptocurrency image by invoking standard Docker endpoints like “/containers/create” and “/containers/{id}/start.”
Wiz said the threat actors are also taking advantage of either a vulnerability (e.g., CVE-2020-14144) or misconfiguration in Gitea, a lightweight open-source solution for hosting Git repositories, to obtain an initial foothold in the target.
Specifically, it has been found that publicly exposed instances of Gitea are vulnerable to remote code execution if the attacker has access to an existing user with permission to create git hooks, they are running version 1.4.0, or the installation page was left unlocked (i.e., INSTALL_LOCK=false).
HashiCorp Consul, likewise, could pave the way for arbitrary code execution if the system is not properly configured and it permits any user with remote access to the server to register services and define health checks, which, in turn, can include a bash command that will be executed by the registered agent.
“In the campaign orchestrated by JINX-0132, they abused this capability to add malicious checks that, in practice, simply execute mining software,” Wiz said. “JINX-0132 adds multiple services with seemingly random names whose real purpose was to download and run the XMRig payload.”
JINX-0132 has also been observed exploiting misconfigurations in publicly-exposed Nomad server API to create multiple new jobs on compromised hosts that are responsible for downloading the XMRig miner payload from GitHub and executing it. The attacks hinge on the fact that Nomad is not secure-by-default to create and run these jobs.
“This default configuration effectively means that unrestricted access to the server API can be tantamount to remote code execution (RCE) capabilities on the server itself and all connected nodes,” Wiz said.
According to data from Shodan, there are over 5,300 exposed Consul servers and more than 400 exposed Nomad servers across the world. A majority of the exposures are concentrated around China, the United States, Germany, Singapore, Finland, the Netherlands, and the United Kingdom.