- Wiz security researchers find four main DevOps tools being abused
- Misconfigurations allow threat actors to deploy cryptocurrency miners
- A quarter of all cloud users are at risk, so users must be on guard
Cybercriminals have been abusing misconfigurations in popular public DevOps tools to deploy cryptocurrency miners, generating valuable tokens for themselves while their victims are left with soaring electricity and compute bills.
Wiz's Threat Research team spotted the campaign and attributed it to a threat actor tracked as JINX-0132.
The crooks apparently target many DevOps tools, but four stood out: Nomad, Consul, Docker Engine API and Gitea.
The first two are built by HashiCorp: Nomad is a workload orchestrator that schedules and manages the deployment of containers, virtual machines and standalone applications across clusters, while Consul is a service networking solution that provides service discovery, health checking, configuration and segmentation for distributed applications.
Docker Engine API is a RESTful API that lets developers and automation tools interact with the Docker daemon to manage containers, images, networks and volumes, and Gitea is a self-hosted Git service that provides source code hosting, issue tracking, code review and collaborative development tools through a web interface.
“Abuse of misconfigurations by threat actors can often pass under the defenders' radar, especially if the affected application is not well known as an attack vector,” the researchers explained.
“A key characteristic of the JINX-0132 methodology is the apparently deliberate avoidance of any traditional unique identifier that defenders could use as an indicator of compromise. Instead of using attacker-controlled servers for payload delivery, they download directly from public GitHub repositories.”
The problem also seems to be quite widespread, as up to a quarter of all cloud users could be exposed. In the report, the researchers said that 25% of all cloud environments run at least one of the four technologies listed above, and at least 20% run HashiCorp Consul.
“Of those environments that use these DevOps tools, five percent expose them directly to the internet, and among those exposed deployments, 30 percent are misconfigured,” the team concluded.
Mitigation measures
To mitigate the risk, companies should enforce strict access controls, carry out regular security audits and run frequent vulnerability assessments. They should also keep up with patching and monitor their systems for abnormal resource usage.
Finally, they should harden DevOps environments against misconfigurations, restrict the execution of unauthorized commands and strengthen their authentication measures.
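As an added illustration of that last point (this is not code from Wiz or from the HashiCorp or Docker projects), a small Python audit that reads the JSON configuration of Docker Engine, Consul and Nomad and flags the settings that leave their APIs reachable without authentication. The sample configurations are constructed for the example; Gitea is left out because its settings live in app.ini rather than JSON.

```python
import json

# Constructed sample configurations (not taken from the article). Each is the
# JSON form the respective daemon accepts; the weak ones deliberately leave the
# API open so the audit has something to report.
WEAK_DOCKER = json.dumps({"hosts": ["unix:///var/run/docker.sock", "tcp://0.0.0.0:2375"]})
WEAK_CONSUL = json.dumps({"datacenter": "dc1", "acl": {"enabled": False}})
WEAK_NOMAD = json.dumps({"datacenter": "dc1", "server": {"enabled": True}})

HARDENED_DOCKER = json.dumps({"hosts": ["unix:///var/run/docker.sock", "tcp://0.0.0.0:2376"],
                              "tlsverify": True, "tlscacert": "/etc/docker/ca.pem"})
HARDENED_CONSUL = json.dumps({"acl": {"enabled": True, "default_policy": "deny"}})
HARDENED_NOMAD = json.dumps({"acl": {"enabled": True}})


def audit_docker(daemon_json: str) -> list[str]:
    """Flag a Docker Engine API that listens on TCP without client-certificate verification."""
    cfg = json.loads(daemon_json)
    tcp_hosts = [h for h in cfg.get("hosts", []) if h.startswith("tcp://")]
    if tcp_hosts and not cfg.get("tlsverify", False):
        return [f"docker: API listens on {', '.join(tcp_hosts)} without tlsverify"]
    return []


def audit_consul(config_json: str) -> list[str]:
    """Flag a Consul agent whose ACL system is off or permits requests by default."""
    acl = json.loads(config_json).get("acl", {})
    if not acl.get("enabled", False):
        return ["consul: ACLs disabled, HTTP API is unauthenticated"]
    if acl.get("default_policy", "allow") != "deny":  # Consul's default is allow
        return ["consul: ACLs enabled but default_policy is not deny"]
    return []


def audit_nomad(config_json: str) -> list[str]:
    """Flag a Nomad agent that accepts API requests without an ACL token."""
    acl = json.loads(config_json).get("acl", {})
    return [] if acl.get("enabled", False) else ["nomad: ACLs disabled, HTTP API is unauthenticated"]


def audit_all(docker: str, consul: str, nomad: str) -> list[str]:
    """Combine the three checks into one list of findings (empty means nothing flagged)."""
    return audit_docker(docker) + audit_consul(consul) + audit_nomad(nomad)


if __name__ == "__main__":
    for finding in audit_all(WEAK_DOCKER, WEAK_CONSUL, WEAK_NOMAD):
        print("FINDING:", finding)
    print("hardened set:", audit_all(HARDENED_DOCKER, HARDENED_CONSUL, HARDENED_NOMAD))
```

Point the functions at the real files (/etc/docker/daemon.json, the Consul and Nomad config directories) on each host in your inventory; a non-empty result is exactly the kind of exposure the report describes, to be paired with the resource-usage monitoring it recommends.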
Via The Register