Researchers have recently uncovered a concerning trend in the cybersecurity landscape: threat actors are now targeting misconfigured HashiCorp Nomad deployments as an attack vector. HashiCorp Nomad is a popular DevOps platform that allows organizations to deploy and manage both containerized and non-containerized applications. Alongside Nomad, other infrastructure components such as Gitea, Consul, and the Docker Engine API are also being exploited by a threat group identified as JINX-0132 for cryptojacking activities.
According to a report by cloud security provider Wiz, a significant number of cloud environments, around 25%, are utilizing one or more of the targeted technologies. Shockingly, 5% of these environments expose these tools directly to the internet, and among these exposed deployments, 30% are found to be misconfigured. This creates a ripe opportunity for threat actors to exploit vulnerabilities and misconfigurations in these DevOps tools.
One of the key tactics employed by the JINX-0132 attackers involves leveraging Nomad’s job queue feature, which allows users to submit tasks for execution by nodes registered with the Nomad server. By default, any user with access to the Nomad server API can create and run jobs, potentially leading to remote code execution capabilities on the server and connected nodes if not properly secured.
In addition to Nomad, the threat actors are also misusing Consul, a HashiCorp tool designed to secure network connectivity between services in various environments. By hijacking the health check service within Consul, the attackers can execute malicious commands and download and run crypto-mining payloads.
Furthermore, the attackers are exploiting vulnerabilities such as CVE-2020-14144 in Gitea, as well as misconfigured Docker Engine API endpoints, to launch crypto-miner images within containers.
To protect against such attacks, Wiz recommends implementing the following best practices for DevOps tools:
- Nomad: Implement ACLs and other security features as outlined in the official documentation’s Security Model section.
- Gitea: Keep public instances up to date to prevent exploitation of RCE vulnerabilities, and avoid enabling git hooks or leaving installations unlocked unless necessary.
- Consul: Activate security features detailed in the Secure Consul section of the official documentation, including disabling script checks and restricting the HTTP API to bind only to "localhost" where feasible.
- Docker API: Refrain from binding the Docker API to 0.0.0.0 and avoid exposing the API to the internet.
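To turn the three configuration recommendations above into something a team can run in CI or against a fleet, here is an added audit script (written for this article, not code from Wiz or HashiCorp). It reads Nomad, Consul and Docker daemon configuration in their JSON form and flags the weak settings the campaign abuses: Nomad with ACLs off, Consul with script checks enabled or its HTTP API bound beyond localhost, and the Docker API listening on 0.0.0.0. The sample configuration documents are constructed for the example.

```python
import json
from typing import List

# Constructed sample configs (Nomad and Consul accept JSON config files;
# Docker reads /etc/docker/daemon.json). Not captured from any real host.
NOMAD_WEAK = json.dumps({"server": {"enabled": True}, "acl": {"enabled": False}})
NOMAD_HARDENED = json.dumps({"server": {"enabled": True}, "acl": {"enabled": True}})
CONSUL_WEAK = json.dumps({"client_addr": "0.0.0.0", "enable_script_checks": True})
CONSUL_HARDENED = json.dumps({
    "client_addr": "0.0.0.0",              # gRPC/DNS may still need this...
    "addresses": {"http": "127.0.0.1"},    # ...but the HTTP API stays local
    "enable_script_checks": False,
})
DOCKER_WEAK = json.dumps({"hosts": ["unix:///var/run/docker.sock", "tcp://0.0.0.0:2375"]})
DOCKER_HARDENED = json.dumps({"hosts": ["unix:///var/run/docker.sock"]})


def audit_nomad(raw: str) -> List[str]:
    """Nomad: without acl.enabled, anyone reaching the API can submit jobs."""
    cfg = json.loads(raw)
    if not cfg.get("acl", {}).get("enabled", False):
        return ["nomad: acl.enabled is not true; unauthenticated job submission is possible"]
    return []


def audit_consul(raw: str) -> List[str]:
    """Consul: script checks run commands; HTTP API should bind to localhost."""
    cfg = json.loads(raw)
    findings = []
    if cfg.get("enable_script_checks", False):
        findings.append("consul: enable_script_checks is true; health checks can run commands")
    # addresses.http overrides client_addr for the HTTP listener; default is 127.0.0.1
    http_bind = cfg.get("addresses", {}).get("http", cfg.get("client_addr", "127.0.0.1"))
    if http_bind not in ("127.0.0.1", "localhost"):
        findings.append(f"consul: HTTP API bound to {http_bind} instead of localhost")
    return findings


def audit_docker(raw: str) -> List[str]:
    """Docker: a tcp:// listener on all interfaces exposes the Engine API."""
    cfg = json.loads(raw)
    findings = []
    for host in cfg.get("hosts", []):  # absent 'hosts' means unix socket only
        if host.startswith("tcp://") and ("0.0.0.0" in host or "[::]" in host):
            findings.append(f"docker: Engine API bound to all interfaces via {host}")
    return findings


def audit_all(nomad: str, consul: str, docker: str) -> List[str]:
    return audit_nomad(nomad) + audit_consul(consul) + audit_docker(docker)
```

Run `audit_all` over the real files (converted to JSON, or with a small HCL loader) and fail the pipeline on any non-empty result; the hardened samples return no findings, the weak ones return four.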
By following these best practices and ensuring that DevOps tools are properly configured and secured, organizations can mitigate the risk of falling victim to attacks like those orchestrated by the JINX-0132 threat group. Stay vigilant, stay secure.