Cybersecurity firm Wiz has identified a new cryptojacking campaign, named JINX-0132, that aggressively targets publicly accessible DevOps web servers, including Docker, Gitea, and HashiCorp Nomad. The attackers utilize known vulnerabilities and misconfigurations to deploy mining operations. This incident reportedly marks the first documented case of Nomad vulnerabilities being exploited in the wild. The attackers download necessary tools from GitHub, complicating attribution. The campaign capitalizes on misconfigured Docker API instances, allowing execution of malicious code, while also exploiting vulnerabilities in Gitea, showcasing the evolving landscape of cyber threats in cloud infrastructures.
JINX-0132 exploits known vulnerabilities in publicly accessible DevOps servers like Docker and Nomad for cryptojacking, a notable instance of Nomad misconfigurations being abused.
Researchers highlighted that the attackers use readily available tools from GitHub, a strategic choice that obscures their operations and makes attribution harder.