- Security researchers at Wiz find four major DevOps tools being abused
- The misconfigurations allow threat actors to deploy cryptocurrency miners
- A quarter of cloud environments run at least one of the tools, so users should be on their guard
Cybercriminals have been spotted abusing misconfigurations in popular public DevOps tools to deploy cryptocurrency miners, generating valuable tokens for themselves while racking up huge electricity and computing bills for their victims.
Security researchers from Wiz Threat Research spotted the campaign and attributed it to a threat actor named JINX-0132.
Apparently, the crooks target many DevOps tools, but four stood out: Nomad, Consul, Docker Engine API, and Gitea.
The first two are built by HashiCorp: Nomad is a workload orchestrator that schedules and manages the deployment of containers, virtual machines, and standalone applications across clusters, while Consul is a service networking solution that provides service discovery, health checking, configuration, and segmentation for distributed applications.
Docker Engine API is a RESTful API that allows developers and automation tools to interact with the Docker daemon to manage containers, images, networks, and volumes, and Gitea is a self-hosted Git service that provides source code hosting, issue tracking, code review, and collaborative development tools through a web interface.
“Misconfiguration abuse by threat actors can often go under defenders’ radar, especially if the affected application isn’t well known as an attack vector,” the researchers explained.
“A key characteristic of JINX-0132’s methodology is the seemingly deliberate avoidance of any unique, traditional identifiers that could be used by defenders as Indicators of Compromise. Instead of utilizing attacker-controlled servers for payload delivery, they download tools directly from public GitHub repositories.”
The potential exposure is wide, too. In the report, the researchers said that 25% of all cloud environments run at least one of the four technologies listed above, and at least 20% run HashiCorp Consul.
“Of those environments using these DevOps tools, five percent expose them directly to the Internet, and among those exposed deployments, 30 percent are misconfigured,” the team concluded.
Mitigation measures
To mitigate the risks, companies should implement strict access controls on these services, conduct regular security audits, and perform frequent vulnerability assessments. Furthermore, they should not stall on applying patches, and should monitor their systems for abnormal resource usage, since a miner shows up as sustained CPU consumption long before any unique indicator does.
Finally, they should secure DevOps environments against misconfigurations, restrict unauthorized command execution (job submission, container creation and the like), and strengthen their authentication measures so that the management APIs of these tools cannot be driven anonymously.
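The exposure figures above come from scanning for these four services, and the first mitigation step is the same audit run against your own estate. The script below is an added example written for this page, not Wiz's tooling and not part of any of the four projects: it sends one read-only request per service and reports whether the service answered without authentication. The default ports and endpoint paths (Docker `/version`, Consul and Nomad `/v1/agent/self`, Gitea `/api/v1/version`) are this example's assumptions drawn from each project's public API behaviour, as is the rule that a 200 on the Docker, Consul or Nomad path means no authentication is being enforced. Gitea's version endpoint answers anonymously by design, so for Gitea the script only reports reachability; the page does not describe Gitea's specific misconfiguration and the script does not guess at it.

```python
"""Exposure audit for Docker Engine API, Consul, Nomad and Gitea.

Added example for this article, not the researchers' or the projects' code.
Ports, paths and the "200 means unauthenticated" rule are assumptions.
"""
import json
import sys
import urllib.error
import urllib.request

# One read-only endpoint per service (assumed defaults, see module docstring).
PROBES = {
    "docker": (2375, "/version"),         # Docker Engine API on plain TCP
    "consul": (8500, "/v1/agent/self"),   # 403 when ACLs are default-deny
    "nomad":  (4646, "/v1/agent/self"),   # 403 when ACLs are enabled
    "gitea":  (3000, "/api/v1/version"),  # anonymous by design: reachability only
}


def classify(service, status, body):
    """Turn an HTTP status and body into a finding string.

    status=None means the request itself failed (closed port, timeout, DNS).
    """
    if status is None:
        return "unreachable"
    if status in (401, 403):
        return "auth-enforced"
    if status != 200:
        return f"unexpected-{status}"
    try:
        payload = json.loads(body)
    except ValueError:
        return "not-json"  # something else is listening on that port
    if service == "gitea":
        # Every Gitea answers this anonymously, so a 200 proves only that the
        # instance is reachable from where the scan ran.
        return "reachable"
    if service == "docker" and isinstance(payload, dict) and "ApiVersion" in payload:
        return "open-no-auth"  # anyone who can reach it can create and start containers
    if service in ("consul", "nomad") and isinstance(payload, dict) \
            and ({"Config", "config"} & payload.keys()):
        return "open-no-auth"  # agent API readable with no token at all
    return "unrecognised"


def probe(host, service, timeout=3.0):
    """Send one GET to host:port/path. Returns (status, body) or (None, reason)."""
    port, path = PROBES[service]
    req = urllib.request.Request(
        f"http://{host}:{port}{path}",
        headers={"User-Agent": "devops-exposure-audit"},
    )
    try:
        with urllib.request.urlopen(req, timeout=timeout) as resp:
            return resp.status, resp.read().decode("utf-8", "replace")
    except urllib.error.HTTPError as exc:
        # 401/403 arrive here; keep the status so classify() can use it.
        return exc.code, exc.read().decode("utf-8", "replace")
    except (urllib.error.URLError, OSError, ValueError) as exc:
        return None, str(exc)


def audit(hosts, services=tuple(PROBES), prober=probe):
    """Return {(host, service): finding}. `prober` is injectable for offline use."""
    return {(h, s): classify(s, *prober(h, s)) for h in hosts for s in services}


if __name__ == "__main__":
    # Usage: python audit.py host1 host2 ...   (hosts you are authorised to scan)
    for (host, service), finding in audit(sys.argv[1:]).items():
        flag = "!!" if finding == "open-no-auth" else "  "
        print(f"{flag} {host:<20} {service:<7} {finding}")
```

Treat every `open-no-auth` line as a finding to fix the same day: bind the Docker daemon to a Unix socket or require TLS client certificates on its TCP listener, and turn on ACLs with a deny default in Consul and Nomad. An `auth-enforced` result says only that anonymous access is blocked, not that the tokens in use are tight, so it belongs in the regular audit cycle rather than being taken as a clean bill of health.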
Via The Register