A sophisticated cryptojacking campaign dubbed ‘JINX-0132’ is actively targeting publicly accessible DevOps infrastructure to covertly mine cryptocurrency, cybersecurity researchers said.
According to cloud security firm Wiz, the threat actors are compromising services like Docker, Gitea, and HashiCorp’s Consul and Nomad platforms by exploiting known misconfigurations and vulnerabilities. The attackers deploy the XMRig miner to hijack compute resources, costing victims tens of thousands of dollars in stolen CPU and RAM capacity.
Wiz researchers said that the campaign marks what is believed to be the first publicly documented instance of Nomad misconfigurations being exploited as an attack vector in the wild.
Unlike traditional cryptojacking operations, JINX-0132 relies on public GitHub repositories to download its tools, a tactic designed to obscure attribution and avoid detection.
The campaign leverages a mix of security gaps, including CVE-2020-14144 in Gitea, which enables remote code execution under certain conditions, and misconfigurations in HashiCorp Consul that allow arbitrary command execution. In one tactic, attackers use Consul’s service health check feature to inject mining commands, masquerading as legitimate services.
JINX-0132 also exploits unsecured Nomad APIs to schedule malicious jobs that pull and run the XMRig payload. The default security settings in Nomad are a key weakness, allowing jobs to be created and executed without proper safeguards.
Shodan scans show over 5,300 exposed Consul servers and more than 400 Nomad servers globally, with the highest concentrations in China, the US, Germany, Singapore, and several European countries.
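
For defenders, the Consul and Nomad weaknesses described above can be checked in agent configuration. The following is an added example, not code from Wiz or HashiCorp: the article does not name the settings involved, so the keys checked here (`enable_script_checks`, `acl.enabled`, `acl.default_policy`, `client_addr`, `bind_addr`) and their defaults are this example's assumptions about which Consul and Nomad agent options are relevant, and the sample configs are constructed.

```python
import json

# Constructed sample agent configurations in JSON form (not from any real host).
CONSUL_EXPOSED = '{"client_addr": "0.0.0.0", "enable_script_checks": true}'
CONSUL_HARDENED = ('{"client_addr": "127.0.0.1", "enable_local_script_checks": true,'
                   ' "acl": {"enabled": true, "default_policy": "deny"}}')
NOMAD_EXPOSED = '{"bind_addr": "0.0.0.0"}'
NOMAD_HARDENED = '{"bind_addr": "127.0.0.1", "acl": {"enabled": true}}'

def _non_loopback(addrs):
    """True when any space-separated bind address is not a loopback address."""
    return any(not a.startswith(("127.", "::1")) for a in addrs.split())

def audit_consul(text):
    """Return findings for a Consul agent config; an empty list means none."""
    cfg = json.loads(text)
    acl = cfg.get("acl") or {}
    findings = []
    # Script checks registrable over the API let any API caller run commands.
    if cfg.get("enable_script_checks"):
        findings.append("enable_script_checks: command-running health checks "
                        "can be registered through the HTTP API")
    if not acl.get("enabled", False):
        findings.append("acl.enabled: ACLs are off, so API calls need no token")
    elif acl.get("default_policy", "allow") != "deny":
        findings.append("acl.default_policy: unmatched requests are allowed")
    if _non_loopback(cfg.get("client_addr", "127.0.0.1")):
        findings.append("client_addr: HTTP API listens beyond loopback")
    return findings

def audit_nomad(text):
    """Return findings for a Nomad agent config; an empty list means none."""
    cfg = json.loads(text)
    findings = []
    # Assumed defaults: ACLs disabled and bind_addr 0.0.0.0 when keys are absent.
    if not (cfg.get("acl") or {}).get("enabled", False):
        findings.append("acl.enabled: ACLs are off, so anyone reaching the API "
                        "can submit jobs")
    if _non_loopback(cfg.get("bind_addr", "0.0.0.0")):
        findings.append("bind_addr: agent listens beyond loopback")
    return findings

if __name__ == "__main__":
    for name, fn, sample in (("consul", audit_consul, CONSUL_EXPOSED),
                             ("nomad", audit_nomad, NOMAD_EXPOSED)):
        for finding in fn(sample):
            print(f"[{name}] {finding}")
```

Both functions read the JSON form of an agent config; HCL files would need converting first.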