A new campaign by the JINX-0132 threat actor exploits vulnerabilities in publicly accessible DevOps tools to hijack cloud computing resources for illicit cryptocurrency mining.
A recent campaign led by a malicious actor dubbed JINX-0132 has put up to a quarter of all cloud users at risk. This campaign targets publicly accessible DevOps tools, exploiting misconfigurations and vulnerabilities to deploy cryptocurrency mining software, effectively hijacking computing resources for illicit gains.
Wiz Threat Research uncovered this campaign and outlined the tactics employed by JINX-0132, which targets a range of DevOps tools, with a particular preference for HashiCorp's Nomad and Consul, alongside the Docker API and Gitea. According to Wiz's data, 25% of cloud environments use at least one of these technologies, and over 20% run HashiCorp Consul.

The threat lies in the misconfiguration and exposure of these tools. Wiz researchers found that 5% of environments using these DevOps tools expose them directly to the internet, and among those exposed deployments, 30% carry security misconfigurations. These weaknesses allow JINX-0132 to exploit default settings and bypass security measures.

For instance, Nomad's job queue feature, which manages job scheduling and execution, allows any user with access to the Nomad server API to create and run jobs. JINX-0132 took advantage of this on publicly exposed Nomad servers running with default settings, which lack such security controls, creating malicious jobs that deployed mining software.

Similarly, HashiCorp Consul, a networking platform that manages connectivity between services, was exploited by JINX-0132 through misconfigured features that allowed remote code execution. JINX-0132 added malicious checks disguised as legitimate services, ultimately downloading and running the XMRig payload.

JINX-0132 also targeted publicly exposed Docker APIs, exploiting weaknesses that allow an attacker to execute remote code with the same privileges as the root user. This grants attackers control over Docker containers, enabling them to launch crypto-miners, pivot to other hosts, and even control Docker from within a container.

The exact method of exploiting Gitea remains unclear, but Wiz researchers propose several possibilities, including exploiting vulnerabilities in older versions and manually disabling secure settings in newer versions to allow custom Git hooks.
Exploitation typically requires stealing credentials, but weaknesses in the installation process could also grant unauthorized access to reconfigure the system and install mining software. The key takeaway is clear: users must prioritize security by keeping their DevOps tools updated, securing APIs, disabling unnecessary features, and carefully managing access credentials.
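As an added example (not from the article, Wiz, or HashiCorp), the following Python audit flags the three misconfigurations described above in Nomad, Consul and Docker daemon configuration. The option names (`acl.enabled`, `enable_script_checks`, `enable_local_script_checks`, `hosts`, `tlsverify`) are the agents' real settings; the sample configs are constructed, and reading them from the agents' JSON config files is assumed.

```python
from typing import Dict, List

# Constructed sample configs in the JSON form Nomad, Consul and dockerd accept (assumption).
WEAK_NOMAD = {"bind_addr": "0.0.0.0", "server": {"enabled": True}}
HARD_NOMAD = {"bind_addr": "0.0.0.0", "acl": {"enabled": True}}
WEAK_CONSUL = {"enable_script_checks": True}
HARD_CONSUL = {"enable_local_script_checks": True,
               "acl": {"enabled": True, "default_policy": "deny"}}
WEAK_DOCKER = {"hosts": ["unix:///var/run/docker.sock", "tcp://0.0.0.0:2375"]}
HARD_DOCKER = {"hosts": ["tcp://0.0.0.0:2376"], "tlsverify": True,
               "tlscacert": "/etc/docker/ca.pem"}


def audit_nomad(cfg: Dict) -> List[str]:
    findings = []
    acl_on = bool((cfg.get("acl") or {}).get("enabled"))
    if not acl_on:
        # Without ACLs, anyone who can reach the HTTP API may submit and run jobs.
        findings.append("nomad: acl.enabled is false; API callers can create jobs")
    # Nomad binds to 0.0.0.0 by default, so an ACL-less server is one firewall gap away.
    if cfg.get("bind_addr", "0.0.0.0") == "0.0.0.0" and not acl_on:
        findings.append("nomad: API listens on all interfaces without ACLs")
    return findings


def audit_consul(cfg: Dict) -> List[str]:
    findings = []
    if cfg.get("enable_script_checks"):
        # Remote script checks let any caller that can register a service run a command.
        findings.append("consul: enable_script_checks permits command execution via health checks")
    acl = cfg.get("acl") or {}
    if not acl.get("enabled") or acl.get("default_policy", "allow") != "deny":
        findings.append("consul: ACLs not enforced (expect enabled=true, default_policy=deny)")
    return findings


def audit_docker(cfg: Dict) -> List[str]:
    findings = []
    for host in cfg.get("hosts", []):
        # A TCP listener without tlsverify hands root-equivalent control to any client.
        if host.startswith("tcp://") and not cfg.get("tlsverify"):
            findings.append(f"docker: {host} exposes the daemon API without TLS client auth")
    return findings


def audit_all(nomad: Dict, consul: Dict, docker: Dict) -> List[str]:
    return audit_nomad(nomad) + audit_consul(consul) + audit_docker(docker)


if __name__ == "__main__":
    for name, trio in (("weak", (WEAK_NOMAD, WEAK_CONSUL, WEAK_DOCKER)),
                       ("hardened", (HARD_NOMAD, HARD_CONSUL, HARD_DOCKER))):
        print(name, audit_all(*trio) or ["no findings"])
```

Running it prints five findings for the weak trio and none for the hardened one; Consul's `enable_local_script_checks` keeps script checks usable from the local agent config only, which is why the hardened sample passes.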