Cybersecurity researchers discover new cryptocurrency jacking campaigns targeting publicly accessible DevOps web servers such as Docker, Gitea, Hashicorp Consul and Nomad, and illegally mine cryptocurrency.
Cloud security company Wiz tracks activities under the name Jinx-0132said the attackers were exploiting a wide range of known false malfunctions and vulnerabilities to provide payloads for miners.
“In particular, this campaign marks what we believe is the first published case of nomadic misconceptions being misused as wild attack vectors,” researchers Giri Tikochinsky, Daniel Aminov and Merab Barr said in a report shared with Hacker News.
What makes these attacks stand out even more is that bad actors download the necessary tools directly from the GitHub repository, rather than using their own infrastructure for staging purposes. The use of ready-made tools is seen as a deliberate attempt to cloud attribution efforts.
JINX-0132 is said to have compromised on a nomadic instance that manages hundreds of clients that cost tens of thousands of dollars a month, given the total CPU and RAM resources. This also helps to highlight the computing power that drives cryptojacking activity.
It is worth mentioning that the exploitation of the Docker API is a well-known launchpad for such attacks. Last week, Kaspersky revealed that threat actors were targeting misconfigured Docker API instances and joining them in cryptocurrency mining botnets.
Spin up containers that mount exposed Docker API instance host filesystems Open the door to execute malicious code by spinning up containers or by invoking standard Docker endpoints like “/containers/creeve” or “/containers/{id}/start” to launch cryptocurrency images.
Wiz said threat actors are also taking advantage of Gitea’s vulnerabilities (e.g. CVE-2020-14144) or the misconceptions of Gitea, a lightweight open source solution for hosting Git repositories, to gain early scaffolding for targets.
Specifically, if an attacker can access an existing user with permission to create a Git hook, if he is running version 1.4.0 or the installation page remains unlocked, then public instances of Gitea are known to be vulnerable to remote code execution (i.e. install_lock = false).
Similarly, HashiCorp Consul can pave the way for arbitrary code execution if the system is not properly configured and users with remote access to the server can register services and define health checks.
“The campaign organized by Jinx-0132 added a malicious check that it abused this ability and actually ran mining software,” Wiz says. “Jinx-0132 adds multiple services with seemingly random names that are actually intended to download and run the Xmrig payload.”
It has also been observed that JINX-0132 exploits false obscurity in the published NOMAD server API to create multiple new jobs on compromised hosts responsible for downloading and running the Xmrig Miner payload from GitHub. The attacks depend on the fact that Nomad is not unsafe to create and run these jobs.
“This default configuration effectively means that unlimited access to the server API can be exposed to the Remote Code Execution (RCE) functionality of the server itself and all connected nodes,” Wiz says.
According to Shodan data, there are over 5,300 exposed consul servers and over 400 exposed Nomad servers worldwide. Most of the exposure is concentrated in China, the US, Germany, Singapore, Finland, the Netherlands and the UK.
Attackers exploit open webUI systems exposed to the internet to run minors
This disclosure comes when Sysdig uncovers details about malware campaigns targeting Linux and Windows by leveraging the misunderstood system that hosts Open WebUI to upload artificial intelligence (AI)-generated Python scripts and ultimately providing cryptocurrency miners.
“The exposure to the internet allowed anyone to execute commands on their systems. A dangerous mistake attacker is a dangerous mistake that is actively scanning,” security researchers Miguel Hernandez and Alessandra Rizzo said in a report shared with the publication.
“When attackers discover an exposed training system, they have started using Open WebUI tool, a plugin system used to enhance LLM functionality. OpenWebUI allows you to upload Python scripts to extend functionality.
According to Sysdig, Python code is designed to download and run cryptocurrency miners like T-Rex and Xmrig, creating a SystemD service for Persistence and using Discord Webhook for command and control (C2). The malware also includes libraries such as Processshider and Argvhider, which hides the mining process on Linux systems and acts as a defense evasion tactic.
On compromised Windows systems, the attacks proceed along a similar line, but also require the deployment of the Java Development Kit (JDK) to run the JAR file (“Application-Ref.jar”). The JAR file, in its part, acts as a Java-based loader that runs the secondary JAR payload.
The attack chain culminates in the execution of two files “int_d.dat” and “int_j.dat” that are equipped to steal credentials related to inconsistencies and cryptocurrency wallet extensions set up in Google Chrome.
Sysdig said there are over 17,000 Open WebUI instances accessible via the internet. However, it is not clear how many other security weaknesses are actually misunderstood or susceptible to them.
“The accidental misconceptions of systems like open WebUI being exposed to the Internet remain a serious problem,” the researchers said. “The attackers targeted both Linux and Windows systems, including Windows versions, including sophisticated Infostealer and Evasion Techniques.”
