A sophisticated cryptojacking campaign is targeting the heart of modern development infrastructure, exploiting misconfigurations in popular DevOps tools to deploy cryptocurrency mining operations at scale. Security researchers at Wiz have uncovered what they’re calling a widespread attack that marks a concerning evolution in how threat actors target development environments.
The campaign, attributed to a threat actor dubbed JINX-0132, represents a calculated shift toward exploiting the very tools that organizations rely on to build, deploy and manage applications. Unlike traditional attacks that focus on end-user systems or generic servers, this operation specifically targets HashiCorp Nomad, Gitea, HashiCorp Consul and Docker API servers. These technologies sit at the core of DevOps workflows.
A New Frontier in Cryptojacking
What makes this campaign particularly noteworthy is its approach to stealth and persistence. Rather than deploying custom malware that security tools might flag, JINX-0132 deliberately avoids unique identifiers that could serve as indicators of compromise. Instead, the threat actor downloads tools directly from public GitHub repositories and uses standard release versions of XMRig, a legitimate mining software, making detection significantly more challenging.
This strategy demonstrates a sophisticated understanding of how modern security tools operate. By blending in with legitimate traffic and using trusted sources for their tools, the attackers can operate under the radar while maximizing their cryptocurrency mining operations across compromised infrastructure.
The Nomad Breakthrough
Perhaps the most significant discovery in this campaign is the first documented exploitation of HashiCorp Nomad as an attack vector. Nomad, a workload orchestrator that helps organizations deploy and manage applications across their infrastructure, has become an attractive target due to its powerful job scheduling capabilities.
The attackers exploit Nomad’s job queue feature, which isn’t secure by default in many deployments. By abusing this functionality, they can create and execute multiple malicious jobs that deploy their mining software across the victim’s infrastructure. This approach is particularly effective because it leverages the platform’s native capabilities, making the malicious activity appear as a legitimate workload management process.
The implications extend beyond just cryptocurrency mining. Once attackers gain access to Nomad’s job scheduling system, they can potentially deploy any workload across an organization’s infrastructure, opening the door for data theft, lateral movement and other malicious activities.
Consul and Docker: Familiar Targets, New Techniques
While Nomad represents new territory, the campaign also targets more established attack vectors with refined techniques. HashiCorp Consul, designed to secure network connectivity between services across on-premises and multi-cloud environments, is being exploited through its health check service functionality.
The attackers hijack Consul’s health check mechanism to execute bash commands and download XMRig payloads. This technique is particularly effective because health checks are a regular part of Consul’s operation, making malicious activity harder to distinguish from legitimate monitoring traffic. Unless organizations have properly configured access control lists or enabled HashiCorp’s security features, any user with remote access can register services and health checks, providing an easy pathway for remote code execution.
The campaign also exploits CVE-2020-14144 in older versions of Gitea, an open-source alternative to GitHub, as well as misconfigured Docker Engine API servers. In Docker environments, the attackers create containers that launch cryptocurrency miner images, effectively turning the victim’s container infrastructure into a distributed mining operation.
The Scale of Risk
The research reveals alarming statistics about the potential attack surface. According to Wiz data, 25% of all cloud environments run at least one of the targeted technologies, with HashiCorp Consul being the most prevalent, running in over 20% of environments. Of those environments using these tools, 5% expose them directly to the internet, and among those exposed deployments, 30% are misconfigured.
These numbers translate to a significant attack surface that threat actors can exploit. The widespread adoption of these DevOps tools, combined with the frequency of misconfigurations, creates an environment where cryptojacking campaigns can operate at scale with minimal risk of detection.
Defense Strategies for DevOps Teams
The good news is that organizations can take concrete steps to protect themselves from these attacks. The key lies in proper configuration and implementing security best practices that are often overlooked in the rush to deploy new infrastructure.
For Nomad deployments, teams should implement access control lists and enable the security features outlined in HashiCorp’s Security Model documentation. This includes configuring proper authentication and authorization mechanisms to prevent unauthorized job submissions.
Consul users should activate the security features detailed in HashiCorp’s Secure Consul documentation, including disabling script checks and restricting the HTTP API to bind only to localhost where possible. These configurations prevent attackers from exploiting the health check functionality for remote code execution.
Gitea administrators must keep their instances up to date to prevent exploitation of known vulnerabilities, such as CVE-2020-14144. Additionally, organizations should avoid enabling git hooks or leaving installations unlocked unless necessary, as these features can provide additional attack vectors.
For Docker environments, proper API configuration is crucial. Organizations should ensure that Docker APIs are not exposed to the internet without appropriate authentication and implement container security best practices to prevent unauthorized container creation and execution.
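To make the Consul hardening steps above concrete, here is an added example (not code from Wiz, HashiCorp or the campaign write-up) that audits a Consul agent configuration in its JSON form for the three weaknesses described: script checks enabled, the HTTP API bound to a non-loopback address, and the ACL system disabled or defaulting to allow. The option names are Consul's real agent settings; the two sample configurations are constructed for the example.

```python
"""Audit a Consul agent config (JSON form) for the settings the campaign
abuses: script checks reachable over an exposed HTTP API with no ACLs."""
import ipaddress
import json

# Constructed sample: exposed, unauthenticated agent with script checks on.
WEAK_CONFIG = json.dumps({
    "client_addr": "0.0.0.0",
    "enable_script_checks": True,
    "acl": {"enabled": False},
})

# Constructed sample: the hardened form recommended above.
HARDENED_CONFIG = json.dumps({
    "client_addr": "127.0.0.1",
    "addresses": {"http": "127.0.0.1"},
    "enable_script_checks": False,
    "enable_local_script_checks": False,
    "acl": {"enabled": True, "default_policy": "deny"},
})


def _is_local(addr: str) -> bool:
    """True when every configured bind address is loopback or a unix socket."""
    for a in addr.split():  # Consul accepts a space-separated address list
        if a.startswith("unix://"):
            continue
        try:
            if not ipaddress.ip_address(a).is_loopback:
                return False
        except ValueError:
            return False  # hostname or go-sockaddr template: treat as exposed
    return True


def audit_consul_config(raw: str) -> list[str]:
    """Return a list of findings; an empty list means no weak setting found."""
    cfg = json.loads(raw)
    findings = []
    # addresses.http overrides client_addr, which itself defaults to loopback.
    http_addr = cfg.get("addresses", {}).get("http") or cfg.get("client_addr", "127.0.0.1")
    if not _is_local(http_addr):
        findings.append(f"HTTP API bound to non-loopback address {http_addr!r}")
    # Script checks let anyone who can register a check run a command on the agent.
    if cfg.get("enable_script_checks"):
        findings.append("enable_script_checks is true: registered checks can execute commands")
    acl = cfg.get("acl", {})
    if not acl.get("enabled"):
        findings.append("ACL system disabled: unauthenticated callers can register services and checks")
    elif acl.get("default_policy", "allow") != "deny":  # Consul's default_policy defaults to allow
        findings.append("ACL default_policy is not 'deny'")
    return findings
```

Run it against each agent's config bundle as part of CI or a configuration-drift check; any finding on an internet-reachable host is the exact condition the Consul health-check abuse above requires.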
The Broader Impact on DevOps Security
This campaign highlights a critical shift in the threat landscape that DevOps teams face. As these tools become more central to how organizations build and deploy software, they inevitably become more attractive targets for threat actors. The sophistication demonstrated by JINX-0132 suggests that other groups will likely adopt similar techniques, making DevOps security an increasingly critical concern.
The attack also underscores the importance of security-by-default configurations in DevOps tools. Many of the vulnerabilities exploited in this campaign stem from insecure default settings that prioritize ease of deployment over security. As the DevOps ecosystem continues to evolve, both tool developers and organizations need to prioritize security configurations that protect against these types of attacks without compromising usability.
“The JINX-0132 campaign exploiting DevOps tools is a critical wake-up call; the agility DevOps delivers cannot overshadow foundational security for the tools managing our software pipeline,” according to Mitch Ashley, VP and practice lead, software lifecycle engineering at The Futurum Group. “Attackers leveraging misconfigured orchestrators like Nomad and hiding in plain sight with legitimate mining tools signify a sophisticated threat evolution targeting the core of modern development.”
Looking Forward
The JINX-0132 campaign serves as a wake-up call for the DevOps community. As development workflows become increasingly automated and distributed, the security of the tools that enable these workflows becomes paramount. Organizations that fail to properly secure their DevOps infrastructure risk not only cryptocurrency mining attacks, but potentially more damaging intrusions that could compromise sensitive data or disrupt critical services.
The key to defense lies in treating DevOps security with the same rigor as traditional IT security. This involves implementing proper access controls, keeping tools up to date, adhering to security best practices, and continuously monitoring for signs of compromise. By taking these steps, organizations can continue to benefit from the efficiency and flexibility of modern DevOps tools while protecting themselves from emerging threats.
As threat actors continue to evolve their techniques, the DevOps community must evolve its defenses. The discovery of the JINX-0132 campaign provides valuable insights into these emerging threats and offers a roadmap for building more secure development environments. The question isn’t whether similar attacks will continue to appear, but whether organizations will be prepared to defend against them.