Wiz finds new threat group running cryptojacking campaign via exploited and misconfigured DevOps assets
Analysis Summary
# Threat Actor: JINX-0132
## Attribution & Identity
The group is tracked as **JINX-0132**, a name assigned by the cloud security provider Wiz. The summary gives no further attribution (no link to a nation-state or to a known cybercriminal entity); the activity, cryptojacking that abuses misconfigured DevOps infrastructure, is by its nature financially motivated.
## Activity Summary
JINX-0132 is running an active **cryptojacking campaign** against misconfigured, internet-exposed DevOps servers. The group abuses weak deployments of HashiCorp Nomad, Gitea, HashiCorp Consul and the Docker API to run cryptocurrency miners on victim compute. Wiz notes this as the first discovered case of misconfigured Nomad deployments being used as an attack vector.
## Tactics, Techniques & Procedures
- Initial access through misconfigurations in publicly exposed DevOps tooling (Nomad, Gitea, Consul, Docker API) rather than through software vulnerabilities.
- Abuse of HashiCorp Nomad's job scheduling: a job submitted through the server's HTTP API is dispatched to a client node, and its task can run arbitrary commands there (on a single-node or dev-mode install, the server host itself).
- In Nomad's default configuration the ACL system is disabled, so anyone who can reach the API can submit jobs; job submission therefore amounts to **remote code execution (RCE)** on the cluster.
- **Motivation:** Cryptojacking (mining on hijacked compute).
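To make the job-submission vector concrete, the following added example (not code from the Wiz report or from HashiCorp) builds the shape of a Nomad job that runs an arbitrary host command through the `raw_exec` driver, and scans job specs of the kind returned by `GET /v1/job/:id` for tasks that amount to host-level code execution. The job layout (a `Job` object with `TaskGroups`, `Tasks`, `Driver` and `Config`) follows Nomad's HTTP API as the author understands it; the sample jobs, the job IDs and the placeholder commands are constructed for the example.

```python
"""Recognise Nomad job specs that hand out code execution on client nodes.

Added example; not code from the Wiz report or from HashiCorp. The job layout
follows the JSON that Nomad's HTTP API accepts at POST /v1/jobs and returns from
GET /v1/job/:id (a "Job" object with TaskGroups -> Tasks -> Driver/Config), as
the author understands it; every sample job below is constructed for this
example.
"""
from __future__ import annotations

from typing import Any

SHELL_SINKS = ("| sh", "|sh", "| bash", "|bash")
DOWNLOADERS = ("curl ", "wget ")
HOST_MOUNTS = ("/", "/var/run/docker.sock")


def build_raw_exec_job(job_id: str, command: str) -> dict[str, Any]:
    """Shape of a job that runs an arbitrary host command through the raw_exec driver.

    Anyone who can POST this to /v1/jobs on a Nomad server with ACLs disabled gets
    the command executed on a client node. The command is whatever the caller
    passes; the structure is the point, not the payload.
    """
    return {
        "Job": {
            "ID": job_id,
            "Name": job_id,
            "Type": "batch",
            "Datacenters": ["dc1"],
            "TaskGroups": [{
                "Name": "g",
                "Tasks": [{
                    "Name": "t",
                    "Driver": "raw_exec",
                    "Config": {"command": "/bin/sh", "args": ["-c", command]},
                }],
            }],
        }
    }


def find_risky_tasks(job: dict[str, Any]) -> list[str]:
    """One finding per task that amounts to host-level code execution.

    Flags raw_exec tasks (no isolation at all), any task whose command line pipes a
    download into a shell, and docker tasks that run privileged or mount the host
    root or the Docker socket.
    """
    findings: list[str] = []
    spec = job.get("Job", job)  # accept either the API envelope or a bare Job
    for group in spec.get("TaskGroups") or []:
        for task in group.get("Tasks") or []:
            where = f"{spec.get('ID')}/{group.get('Name')}/{task.get('Name')}"
            driver = task.get("Driver", "")
            cfg = task.get("Config") or {}
            parts = [str(cfg.get("command", ""))] + [str(a) for a in cfg.get("args") or []]
            cmdline = " ".join(parts)
            if driver == "raw_exec":
                findings.append(f"{where}: raw_exec task runs unsandboxed on the host")
            if any(d in cmdline for d in DOWNLOADERS) and any(s in cmdline for s in SHELL_SINKS):
                findings.append(f"{where}: command downloads and pipes into a shell")
            if driver == "docker":
                if cfg.get("privileged"):
                    findings.append(f"{where}: privileged docker container")
                for vol in cfg.get("volumes") or []:
                    src = str(vol).split(":", 1)[0]
                    if src in HOST_MOUNTS:
                        findings.append(f"{where}: docker task mounts host path {src}")
    return findings


# Constructed samples: an ordinary web service and a container-escape style job.
BENIGN_JOB = {
    "Job": {
        "ID": "web", "Name": "web", "Type": "service", "Datacenters": ["dc1"],
        "TaskGroups": [{"Name": "app", "Tasks": [{
            "Name": "nginx", "Driver": "docker",
            "Config": {"image": "nginx:1.27", "ports": ["http"]},
        }]}],
    }
}

ESCAPE_JOB = {
    "Job": {
        "ID": "upd", "Name": "upd", "Type": "batch", "Datacenters": ["dc1"],
        "TaskGroups": [{"Name": "g", "Tasks": [{
            "Name": "t", "Driver": "docker",
            "Config": {"image": "alpine", "privileged": True, "volumes": ["/:/host"]},
        }]}],
    }
}

if __name__ == "__main__":
    for job in (BENIGN_JOB, ESCAPE_JOB, build_raw_exec_job("sys", "curl -s http://127.0.0.1/x | sh")):
        print(job["Job"]["ID"], find_risky_tasks(job) or ["clean"])
```

Run `find_risky_tasks` over every job pulled from `/v1/jobs` and `/v1/job/:id` on a periodic basis; on a cluster where `raw_exec` is not a sanctioned driver, any hit on the first check is a strong signal that someone other than the platform team is submitting jobs.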
## Targeting
- Sectors: No sector focus; any organization running the targeted container and application management platforms is a candidate (in practice technology and cloud infrastructure teams). Wiz reports that a quarter (25%) of all cloud environments run at least one of the targeted technologies.
- Geography: Not stated; the focus on internet-exposed cloud infrastructure implies a broad, global reach.
- Victims: Organizations whose HashiCorp Nomad, Gitea, Consul or Docker API deployments are exposed to the internet and misconfigured.
## Tools & Infrastructure
- Malware families used: Not named in this summary; the payload is a cryptocurrency miner.
- Infrastructure (C2, domains, IPs): None detailed in this summary.
## Implications
The primary implication is the risk posed by poor configuration management in critical DevOps tooling. A widely adopted platform such as Nomad, left on its defaults and exposed to the internet, hands an attacker RCE on the cluster without any software vulnerability being involved, let alone a zero-day. That lowers the barrier for resource hijacking (cryptojacking) to little more than finding the open port.
## Mitigations
- **Enable Nomad's ACL system:** Nomad ships with ACLs disabled, so in the default configuration anyone with network access to the server's HTTP API can submit jobs, and a submitted job can run arbitrary commands on a client node. Turn ACLs on (the `acl { enabled = true }` server stanza), bootstrap a management token, and grant job submission only to the policies that need it.
- **Restrict API access:** Bind the HTTP API (port 4646 by default) to a private interface, serve it over TLS with client certificate verification where possible, and never expose it directly to the internet.
- **Audit DevOps tool exposure:** Review cloud environments for Nomad, Gitea, Consul and Docker API endpoints reachable from the public internet; Wiz found 5% of these deployments exposed directly to the internet. The same principle applies to the other targets: do not expose the Docker Engine API over unauthenticated TCP, enable Consul's ACLs, and keep Gitea patched and free of default or weak credentials.
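The following added example (not code from the Wiz report or from HashiCorp) turns the first two mitigations into a check: it reads the JSON that a Nomad agent returns from `GET /v1/agent/self` and flags the settings that leave the API open to anonymous job submission. The field names relied on (`config.ACL.Enabled`, `config.BindAddr`, `config.TLSConfig.EnableHTTP`) are the author's reading of Nomad's agent configuration and are an assumption here; the two sample documents and the `10.20.0.7` address are constructed.

```python
"""Audit a Nomad agent for the anonymous-API exposure that JINX-0132 abuses.

Added example; not code from the Wiz report or from HashiCorp. It reads the JSON
that Nomad's HTTP API returns from GET /v1/agent/self and relies on a few fields
of its "config" object (ACL.Enabled, BindAddr, TLSConfig.EnableHTTP), whose
names are the author's reading of Nomad's agent config and are an assumption
here; the two sample documents are constructed.
"""
from __future__ import annotations

import json
import urllib.error
import urllib.request
from typing import Any

WILDCARD_BINDS = {"0.0.0.0", "::", "[::]"}


def audit_agent_config(agent_self: dict[str, Any]) -> list[str]:
    """Return the weak settings found in an agent's self-reported config.

    An empty list means every setting checked here is in its hardened state.
    """
    cfg = agent_self.get("config") or {}
    findings: list[str] = []
    if not (cfg.get("ACL") or {}).get("Enabled"):
        findings.append("ACL.Enabled=false: anyone who reaches the API can submit jobs (RCE on client nodes)")
    bind = str(cfg.get("BindAddr", ""))
    if bind in WILDCARD_BINDS:
        findings.append(f"BindAddr={bind}: API listens on every interface, public ones included")
    if not (cfg.get("TLSConfig") or {}).get("EnableHTTP"):
        findings.append("TLSConfig.EnableHTTP=false: HTTP API served in cleartext, no client certificates")
    return findings


def probe_agent(base_url: str, timeout: float = 5.0) -> list[str]:
    """Query a live agent WITHOUT a token and audit what it reveals.

    Network call; the offline test does not use it. On a hardened agent the
    anonymous request is rejected with 403, which is the healthy outcome and is
    reported as "no findings" rather than as an error.
    """
    req = urllib.request.Request(f"{base_url.rstrip('/')}/v1/agent/self")
    try:
        with urllib.request.urlopen(req, timeout=timeout) as resp:
            doc = json.load(resp)
    except urllib.error.HTTPError as err:
        if err.code == 403:
            return []
        raise
    return ["anonymous GET /v1/agent/self succeeded"] + audit_agent_config(doc)


# Constructed samples: an agent left on its defaults, and one that has been hardened.
DEFAULT_LIKE_AGENT = {"config": {
    "BindAddr": "0.0.0.0",
    "ACL": {"Enabled": False},
    "TLSConfig": {"EnableHTTP": False},
}}
HARDENED_AGENT = {"config": {
    "BindAddr": "10.20.0.7",
    "ACL": {"Enabled": True},
    "TLSConfig": {"EnableHTTP": True, "VerifyHTTPSClient": True},
}}

if __name__ == "__main__":
    for name, doc in (("default-like", DEFAULT_LIKE_AGENT), ("hardened", HARDENED_AGENT)):
        print(name, audit_agent_config(doc) or ["no findings"])
```

`probe_agent("http://nomad.internal:4646")` run from outside the trust boundary is the quickest exposure test: if the anonymous request returns 200 at all, the server is already in the state this campaign looks for, whatever the individual findings say.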