Thought Leadership
Security researchers at Wiz have uncovered a new campaign called JINX-0132, in which publicly accessible DevOps systems such as Docker, Gitea, HashiCorp Consul and Nomad are specifically compromised in order to mine cryptocurrencies such as Monero.
The perpetrators use known misconfigurations and vulnerabilities to infiltrate malicious code in the form of mining software.
Abuse of Nomad documented for the first time
A special feature of the campaign: for the first time, the exploitation of misconfigurations in HashiCorp Nomad was documented. The attackers exploited open API access to start their own processes on the target systems via so-called “jobs”. These jobs download the XMRig mining software directly from GitHub and execute it. The systems managed by Nomad often have immense computing capacity – their use by the attackers would regularly incur costs in the five-digit range per month.
GitHub as a cover for malware
Instead of using their own servers to distribute the malware, the perpetrators deliberately rely on freely accessible GitHub repositories. This strategy makes it difficult to clearly assign the origin of the attacks – a deliberate step towards concealment.
Gitea, a Git hosting solution, is also exploited for initial access. In certain versions (e.g. 1.4.0) or when installation mode is not locked, code can be executed remotely – especially if an attacker has access to a legitimate user with authorization to set up Git hooks.
Docker remains a popular target: openly accessible Docker APIs allow attackers to launch containers that directly contain mining software or even access the host file system. Common endpoints such as /containers/create or /containers/start are used for this.
Consul servers enable code execution
Misconfigurations in HashiCorp Consul allow attackers to manipulate so-called health checks. These contain bash commands that are then executed on the servers. It has also been observed that mining software has been installed in this way – hidden behind seemingly harmless services.
According to data from Shodan, over 5,300 Consul and 400 Nomad servers are publicly accessible worldwide – particularly in countries such as China, the USA, Germany, Singapore and the Netherlands. This shows how widespread insecure DevOps systems are on the web.
Open WebUI: New gateways via AI plugins
In parallel to JINX-0132, researchers at Sysdig discovered another malware campaign exploiting Open WebUI, an interface for AI plugins. The attackers uploaded a manipulated Python script, which in turn executed mining software such as T-Rex and XMRig. On Linux systems, the mining process was hidden by libraries such as processhider, while a Java loader was also used on Windows systems, which launched further malicious modules.
Another target: access data to Discord and crypto wallets stolen through special files (INT_J.DAT) from Chrome browser extensions.
The current wave of attacks clearly shows how critical unnoticed or incorrectly configured interfaces are in modern DevOps environments. Whether Docker, Gitea, Consul or Open WebUI – as soon as systems are accessible on the internet without appropriate security precautions, they offer an attractive attack surface for cyber criminals. The incidents underline the need for consistent security checks and tougher standard configurations.
