Full Report
JINX-0132 targets exposed Nomad servers lacking ACL protections by submitting malicious jobs through the API, effectively gaining remote code execution. These jobs download and run the XMRig miner from public GitHub releases, bypassing traditional IOC-based detection. Gitea in...
Analysis Summary
# Tool/Technique: JINX-0132 Campaign Activities (Focusing on Initial Access and Execution)
## Overview
JINX-0132 is a cryptojacking campaign that targets misconfigured DevOps tools, specifically Nomad, Gitea, and Consul servers that lack proper security controls (like ACLs). The primary goal is resource hijacking via the deployment of the XMRig cryptocurrency miner.
## Technical Details
- Type: Campaign / Technique Set
- Platform: Linux (Targeting various DevOps server deployments)
- Capabilities: Remote Code Execution (RCE) via API abuse, automated software download and execution, circumvention of IOC-based detection by using legitimate external sources.
- First Seen: Circa June 2, 2025 (based on publication date)
## MITRE ATT&CK Mapping
- **TA0001 - Initial Access**
  - T1190 - Exploit Public-Facing Application
  - T1133 - External Remote Services (through misconfigured APIs/exposures)
- **TA0002 - Execution**
  - T1059 - Command and Scripting Interpreter
    - T1059.004 - Command and Scripting Interpreter: Unix Shell
- **TA0011 - Persistence** (implied via persistent mining activity)
- **TA0008 - Lateral Movement** (if Consul/Docker exploitation leads to host file system access)
## Functionality
### Core Capabilities
* **Nomad Job Submission:** Submits malicious jobs via the exposed Nomad API (lacking ACLs) to achieve Remote Code Execution (RCE).
* **XMRig Deployment:** The malicious job downloads and executes the XMRig miner from public GitHub releases.
* **Gitea Exploitation:** Leverages outdated versions containing known RCEs (e.g., CVE-2020-14144) or weak default settings to gain initial access.
* **Consul Abuse:** Exploits the health check registration feature, which allows the execution of bash commands, for remote software installation and execution.
### Advanced Features
* **Evasion:** Bypasses traditional IOC-based detection by fetching the final payload (XMRig) directly from well-known, legitimate sources (public GitHub releases), making simple signature matching ineffective.
* **Docker Escalation:** Exploits exposed Docker APIs (e.g., `tcp://0.0.0.0:2375`) to spin up mining containers or mount host file systems for persistence/privilege escalation.
## Indicators of Compromise
* File Hashes: N/A (Payload downloaded dynamically)
* File Names: XMRig (as the downloaded mining software)
* Registry Keys: N/A
* Network Indicators: None listed for a centralized C2 serving the miner payload; the relevant network activity is the initial access traffic to the exposed DevOps APIs.
* Behavioral Indicators: Submitting unauthenticated or unauthorized jobs to the Nomad API endpoint (`/v1/jobs`), unexpected execution of shell commands via Consul health check registration.
## Associated Threat Actors
* JINX-0132 (Campaign Identifier)
## Detection Methods
* **Signature-based detection:** Ineffective against the XMRig payload itself due to use of legitimate GitHub releases. Potential signatures exist for the *specific* Nomad job submission structure or Consul health check payload, if known.
* **Behavioral detection:** Monitoring for unauthorized API invocations against Nomad, monitoring for shell command execution via Consul health checking features, and detection of the XMRig process activity post-execution.
* **YARA rules:** Not specified in the context.
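As an added example (not part of the report), the behavioral checks above turned into a small detector over constructed log records from a reverse proxy in front of the Nomad and Consul HTTP APIs; the JSON record shape, the `has_token` field and the trusted network range are assumptions. Consul only runs script checks when `enable_script_checks` (or `enable_local_script_checks`) is set in the agent configuration, so an agent with them disabled rejects such registrations outright.

```python
import ipaddress
import json
import re

# Constructed sample records (not from the report): one JSON object per line,
# as a reverse proxy in front of the Nomad and Consul HTTP APIs might log them.
# "has_token" is an assumed field: whether the request carried an
# X-Nomad-Token / X-Consul-Token header. The Consul "Args" body is a placeholder.
SAMPLE_LOG = """\
{"src": "10.0.1.5", "method": "POST", "path": "/v1/jobs", "has_token": true}
{"src": "203.0.113.7", "method": "POST", "path": "/v1/jobs", "has_token": false}
{"src": "10.0.1.9", "method": "GET", "path": "/v1/jobs", "has_token": true}
{"src": "198.51.100.3", "method": "PUT", "path": "/v1/job/batch-1", "has_token": false}
{"src": "203.0.113.7", "method": "PUT", "path": "/v1/agent/check/register", "has_token": false, "body": {"Name": "hc", "Args": ["/bin/sh", "-c", "<command>"], "Interval": "10s"}}
{"src": "10.0.1.5", "method": "PUT", "path": "/v1/agent/check/register", "has_token": true, "body": {"Name": "web", "HTTP": "http://127.0.0.1:8080/health", "Interval": "10s"}}
"""

# Assumption: the internal range from which CI/CD is expected to submit jobs.
TRUSTED_NETS = [ipaddress.ip_network("10.0.0.0/8")]

# Nomad job register/update endpoints: POST or PUT /v1/jobs and /v1/job/<id>.
NOMAD_JOB_WRITE = re.compile(r"^/v1/(jobs|job/[^/]+)$")
# Consul agent endpoint that registers a health check on the local agent.
CONSUL_CHECK_REGISTER = "/v1/agent/check/register"


def is_trusted(src):
    addr = ipaddress.ip_address(src)
    return any(addr in net for net in TRUSTED_NETS)


def scan(log_text):
    """Return (rule, source, detail) findings for the behaviors in the report."""
    findings = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        rec = json.loads(line)
        src, method, path = rec["src"], rec["method"], rec["path"]
        suspicious_origin = not rec.get("has_token", False) or not is_trusted(src)
        # Job writes without a token, or from outside the trusted range.
        if method in ("POST", "PUT") and NOMAD_JOB_WRITE.match(path) and suspicious_origin:
            findings.append(("nomad-unauth-job-write", src, path))
        # Script checks ("Args", or the legacy "Script" field) run commands on
        # the agent host; flag them when registered from a suspicious origin.
        body = rec.get("body") or {}
        if method == "PUT" and path == CONSUL_CHECK_REGISTER and suspicious_origin:
            if "Args" in body or "Script" in body:
                findings.append(("consul-script-check", src, body.get("Name", "")))
    return findings
```

Running `scan(SAMPLE_LOG)` yields three findings: the two tokenless Nomad job writes and the script check registered from outside the trusted range; the HTTP check from an authenticated internal client is not flagged.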
## Mitigation Strategies
* **Nomad:** Enforce mandatory ACLs on all Nomad servers to prevent unauthorized job submissions via the API.
* **Gitea:** Keep Gitea instances patched against known RCEs (e.g., CVE-2020-14144) and enforce secure post-installation configurations.
* **Consul:** Restrict access to the health check registration feature or ensure proper authentication/authorization controls are in place to prevent arbitrary bash execution.
* **Docker:** Never expose the Docker daemon API socket externally (e.g., `tcp://0.0.0.0:2375`) without strong authentication (TLS).
## Related Tools/Techniques
* XMRig (Cryptomining payload)
* Exploitation stemming from CVE-2020-14144 (Gitea vulnerability)