Cybersecurity researchers have discovered a new cryptojacking campaign that’s targeting publicly accessible DevOps web servers such as those associated with Docker, Gitea, and HashiCorp Consul and Nomad to illicitly mine cryptocurrencies.
Cloud security firm Wiz, which is tracking the activity under the name JINX-0132, said the attackers are exploiting a wide range of known misconfigurations and vulnerabilities to deliver the miner payload.
“Notably, this campaign marks what we believe to be the first publicly documented instance of Nomad misconfigurations being exploited as an attack vector in the wild,” researchers Gili Tikochinski, Danielle Aminov, and Merav Bar said in a report shared with The Hacker News.
What sets these attacks further stand out is that the bad actors download the necessary tools directly from GitHub repositories rather than using their own infrastructure for staging purposes. The use of off-the-shelf tools is seen as a deliberate attempt to cloud attribution efforts.
JINX-0132 is said to have compromised Nomad instances that manage hundreds of clients that, given the combined CPU and RAM resources, would cost tens of thousands of dollars per month. This also serves to highlight the compute power that drives the cryptojacking activity.
It’s worth mentioning that abuse of Docker API is a well-known launchpad for such attacks. Just last week, Kaspersky revealed that threat actors are targeting misconfigured Docker API instances to enlist them to a cryptocurrency mining botnet.
Exposed Docker API instances open the door for threat actors to execute malicious code by spinning up containers that mount the host file system or launch a cryptocurrency image by invoking standard Docker endpoints like “/containers/create” and “/containers/{id}/start.”
Wiz said the threat actors are also taking advantage of either a vulnerability (e.g., CVE-2020-14144) or misconfiguration in Gitea, a lightweight open-source solution for hosting Git repositories, to obtain an initial foothold in the target.
Specifically, it has been found that publicly exposed instances of Gitea are vulnerable to remote code execution if the attacker has access to an existing user with permission to create git hooks, they are running version 1.4.0, or the installation page was left unlocked (i.e., INSTALL_LOCK=false).
HashiCorp Consul, likewise, could pave the way for arbitrary code execution if the system is not properly configured and it permits any user with remote access to the server to register services and define health checks, which, in turn, can include a bash command that will be executed by the registered agent.
“In the campaign orchestrated by JINX-0132, they abused this capability to add malicious checks that, in practice, simply execute mining software,” Wiz said. “JINX-0132 adds multiple services with seemingly random names whose real purpose was to download and run the XMRig payload.”
JINX-0132 has also been observed exploiting misconfigurations in publicly-exposed Nomad server API to create multiple new jobs on compromised hosts that are responsible for downloading the XMRig miner payload from GitHub and executing it. The attacks hinge on the fact that Nomad is not secure-by-default to create and run these jobs.
“This default configuration effectively means that unrestricted access to the server API can be tantamount to remote code execution (RCE) capabilities on the server itself and all connected nodes,” Wiz said.
According to data from Shodan, there are over 5,300 exposed Consul servers and more than 400 exposed Nomad servers across the world. A majority of the exposures are concentrated around China, the United States, Germany, Singapore, Finland, the Netherlands, and the United Kingdom.
Attacker Exploits Internet-exposed Open WebUI System to Run Miner
The disclosure comes as Sysdig revealed details of a malware campaign targeting Linux and Windows by exploiting a misconfigured system hosting Open WebUI to upload an artificial intelligence (AI)-generated Python script and ultimately deliver cryptocurrency miners.
“The exposure to the internet allowed anyone to execute commands on the system — a dangerous mistake attackers are well aware of and actively scanning for,” security researchers Miguel Hernandez and Alessandra Rizzo said in a report shared with the publication.
“Once the attackers discovered the exposed training system, they began using Open WebUI Tools, a plugin system used to enhance LLM capabilities. Open WebUI allows Python scripts to be uploaded so that LLMs can use them to extend their functionality. Once uploaded as an Open WebUI Tool, the malicious Python code was executed.”
The Python code, Sysdig said, is designed to download and execute cryptocurrency miners like T-Rex and XMRig, creates a systemd service for persistence, and utilizes a Discord webhook for command-and-control (C2). The malware also incorporates libraries such as processhider and argvhider to hide the mining process on Linux systems and serves as a defense evasion tactic.
On compromised Windows systems, the attack proceeds along similar lines, but also entails the deployment of the Java Development Kit (JDK) in order to execute a JAR file (“application-ref.jar”) downloaded from 185.208.159[.]155. The JAR file, for its part, serves as a Java-based loader to run a secondary JAR payload.
The attack chain culminates with the execution of two files “INT_D.DAT” and “INT_J.DAT,” the latter of which is equipped to steal credentials associated with Discord and cryptocurrency wallet extensions installed in Google Chrome.
Sysdig said there are more than 17,000 Open WebUI instances that are accessible over the internet. However, it’s not clear how many are actually misconfigured or susceptible to other security weaknesses.
“Accidental misconfigurations where systems like Open WebUI are exposed to the internet remain a serious problem,” the researchers said. “The attacker also targeted both Linux and Windows systems, with the Windows version including sophisticated infostealer and evasion techniques.”
