Researchers claim to have discovered the first case of threat actors using misconfigured HashiCorp Nomad deployments as an attack vector.
The popular DevOps platform, which enables firms to deploy and manage containers and non-containerized applications, is being targeted alongside other infrastructure, including Gitea, Consul and Docker API, according to cloud security provider Wiz.
The threat group in question, named by Wiz as JINX-0132, is exploiting misconfigurations and vulnerabilities in these DevOps tools for cryptojacking, the report claimed.
Based on Wiz data, a quarter (25%) of all cloud environments run at least one of the targeted technologies. Of the environments using these tools, 5% expose them directly to the internet, and among these deployments, 30% are apparently misconfigured.
Read more on cryptojacking: Malicious Microsoft VS Code Extensions Used in Cryptojacking Campaign
JINX-0132 attackers are taking advantage of Nomad’s job queue feature, which allows users to submit tasks for execution by nodes registered with the Nomad server.
“By default – and critically, if not reconfigured by administrators – any user with access to the Nomad server API can create and run these jobs. This default configuration effectively means that unrestricted access to the server API can be tantamount to remote code execution (RCE) capabilities on the server itself and all connected nodes,” Wiz said.
In this way, the threat actors create multiple new jobs on compromised hosts to download the XMRig miner directly from its public GitHub repository, unpack the archive, grant execution permissions and execute.
They are also abusing another HashiCorp tool, Consul, which is designed to help DevOps teams secure network connectivity between services and across on-premises and multi-cloud environments and runtimes.
Specifically, they are hijacking the health check service to execute bash commands and download and run XMRig payloads.
“Unless ACLs [access control lists] have been configured or security features provided by HashiCorp have been enabled, any user with remote access to the server can register services and health checks and abuse this functionality for remote code execution,” Wiz warned.
JINX-0132 is also exploiting CVE-2020-14144 in older versions of open source GitHub alternative Gitea, as well as misconfigured versions of Docker Engine API. In the latter case, they have been able to create containers that launch crypto-miner images, according to the report.
Best Practices for DevOps
To avoid becoming another JINX-0132 victim, Wiz urged customers of the aforementioned DevOps tools to do the following:
- Nomad: Implement the ACLs and other security features listed in the Security Model section of the official documentation
- Gitea: Keep public Gitea instances up to date to prevent exploitation of RCE vulnerabilities, and don’t enable git hooks or leave the installation unlocked unless absolutely necessary
- Consul: Switch on the security features listed in the Secure Consul section of the official documentation, including disabling script checks, and restricting the HTTP API to bind only to “localhost” where possible
- Docker API: Do not bind the Docker API to 0.0.0.0, and don’t expose the API to the internet
