- Wiz security researchers find four main DevOps tools being abused
- Configuration errors allow threat actors to deploy cryptocurrency miners
- A quarter of all instances are at risk, so users must stay on their guard
Cybercriminals have been spotted abusing configuration errors in popular public-facing DevOps tools to deploy cryptocurrency miners, generating valuable tokens for themselves while running up huge electricity and computing bills for their victims.
Security researchers at Wiz Threat Research spotted the campaign and attributed it to a threat actor dubbed Jinx-0132.
The crooks apparently target many DevOps tools, but four stood out: Nomad, Consul, the Docker Engine API and Gitea.
The first two are built by HashiCorp: Nomad is a workload orchestrator that schedules and manages the deployment of containers, virtual machines and standalone applications across clusters, while Consul is a service networking solution that provides service discovery, health checking, configuration and segmentation for distributed applications.
The Docker Engine API is a RESTful API that lets developers and automation tools interact with the Docker daemon to manage containers, images, networks and volumes, and Gitea is a self-hosted Git service that provides source code hosting, issue tracking, code review and collaborative development tools through a web interface.
“Abuse of misconfigurations by threat actors can often go under the radar of defenders, especially if the affected application is not well known as an attack vector,” the researchers explained.
“A key characteristic of Jinx-0132's methodology is the apparently deliberate avoidance of any traditional unique identifier that could be used by defenders as an indicator of compromise. Instead of using attacker-controlled servers for payload delivery, they download tools directly from public GitHub repositories.”
The problem also seems to be very widespread, since up to a quarter of all cloud users could be exposed. In the report, the researchers said that 25% of all cloud environments run at least one of the four technologies listed above, and at least 20% run HashiCorp Consul.
“Among environments using these DevOps tools, five percent expose them directly to the internet, and among these exposed deployments, 30% are poorly configured,” the team concluded.
To mitigate the risk, companies should implement strict access controls, carry out regular security audits and run frequent vulnerability assessments. They should also not delay applying patches, and should monitor their systems for abnormal resource usage.
Finally, they should harden DevOps environments against configuration errors, restrict unauthorized command execution and strengthen their authentication measures.
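As an added example (not code from the Wiz report or from the tool vendors), the following Python script audits the kind of misconfiguration described above in three of the four tools' own config files: a Docker Engine API listener without TLS client verification, and Consul or Nomad bound to all interfaces without ACLs. The config keys are the documented daemon.json, Consul and Nomad JSON settings; the sample configs are constructed, and Gitea (an INI-style app.ini) is left out for brevity.

```python
WILDCARD = ("0.0.0.0", "::", "[::]")

def audit_docker(cfg):
    """Docker Engine API (daemon.json): a tcp:// listener must require TLS client certs."""
    tcp = [h for h in cfg.get("hosts", []) if h.startswith("tcp://")]
    if tcp and not cfg.get("tlsverify"):
        return [f"docker: API listening on {tcp} without tlsverify"]
    return []

def audit_consul(cfg):
    """Consul: client_addr defaults to 127.0.0.1; a wildcard bind needs ACLs on and default-deny."""
    acl = cfg.get("acl", {})
    if cfg.get("client_addr", "127.0.0.1") not in WILDCARD:
        return []
    if not acl.get("enabled"):
        return ["consul: HTTP API bound to all interfaces, ACLs disabled"]
    if acl.get("default_policy", "allow") != "deny":
        return ["consul: ACLs enabled but default_policy is not deny"]
    return []

def audit_nomad(cfg):
    """Nomad: bind_addr defaults to 0.0.0.0 and ACLs are off unless enabled."""
    exposed = cfg.get("bind_addr", "0.0.0.0") in WILDCARD
    if exposed and not cfg.get("acl", {}).get("enabled"):
        return ["nomad: API bound to all interfaces, ACLs disabled"]
    return []

def audit(configs):
    """configs maps tool name -> parsed config dict; returns the list of findings."""
    checks = {"docker": audit_docker, "consul": audit_consul, "nomad": audit_nomad}
    findings = []
    for name, cfg in configs.items():
        findings += checks[name](cfg)
    return findings

# Constructed samples: each weak setting beside its hardened counterpart.
WEAK = {
    "docker": {"hosts": ["unix:///var/run/docker.sock", "tcp://0.0.0.0:2375"]},
    "consul": {"client_addr": "0.0.0.0", "acl": {"enabled": False}},
    "nomad": {"bind_addr": "0.0.0.0"},
}
HARDENED = {
    "docker": {"hosts": ["unix:///var/run/docker.sock", "tcp://0.0.0.0:2376"],
               "tlsverify": True, "tlscacert": "/etc/docker/ca.pem"},
    "consul": {"client_addr": "0.0.0.0", "acl": {"enabled": True, "default_policy": "deny"}},
    "nomad": {"bind_addr": "0.0.0.0", "acl": {"enabled": True}},
}
if __name__ == "__main__":
    for label, cfgs in (("weak", WEAK), ("hardened", HARDENED)):
        print(label, audit(cfgs) or "no findings")
```

Feed it the parsed JSON of each host's real config files and treat any finding as an internet-facing exposure to fix before, not after, checking for unusual CPU usage.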
Via The Register