DevOps Infrastructure Under Siege: Multi-Platform Cryptojacking Campaign Analysis

Security researchers have identified a sophisticated cryptocurrency mining operation targeting vulnerable DevOps platforms and development infrastructure. The campaign demonstrates how cybercriminals are increasingly focusing on high-value computing resources within enterprise environments to maximize their illicit mining profits.

Primary Campaign: JINX-0132

Cloud security specialists at Wiz have documented an extensive cryptojacking operation designated JINX-0132, which systematically exploits weaknesses in popular DevOps tools and platforms. The campaign targets multiple services including:

• Docker containerization platforms
• Gitea Git repository hosting services
• HashiCorp Consul service mesh solutions
• HashiCorp Nomad cluster management systems

Attack Methodology

The threat actors behind JINX-0132 employ a sophisticated approach that distinguishes their operation from typical cryptojacking campaigns:

Tool Sourcing Strategy: Rather than maintaining their own malicious infrastructure, the attackers download required tools directly from legitimate GitHub repositories. This technique serves as an attribution evasion method, making it significantly more difficult for security teams to trace the campaign back to its operators.

High-Value Target Selection: The campaign has successfully compromised Nomad cluster management instances controlling hundreds of client systems. The combined computational resources of these compromised systems represent tens of thousands of dollars in monthly computing costs, highlighting the substantial scale and financial impact of the operation.

Exploitation Techniques by Platform

Docker API Abuse: The campaign leverages misconfigured Docker API endpoints to execute malicious code through container manipulation. Attackers create containers that mount host file systems or deploy cryptocurrency mining images using standard Docker API calls such as "/containers/create" and "/containers/{id}/start."

Gitea Repository Platform: Exploitation occurs through either known vulnerabilities (specifically CVE-2020-14144) or security misconfigurations. Publicly accessible Gitea instances become vulnerable to remote code execution when attackers gain access to user accounts with git hook creation permissions, target version 1.4.0 installations, or discover unlocked installation pages (INSTALL_LOCK=false configuration).

HashiCorp Consul Service Mesh: Improperly configured Consul installations allow unauthorized users to register services and define health checks containing malicious bash commands. The JINX-0132 operators abuse this functionality by creating services with randomized names that download and execute XMRig cryptocurrency mining software.

HashiCorp Nomad Orchestration: The campaign exploits Nomad's non-secure default configuration to create malicious job definitions on compromised systems. These jobs download XMRig mining payloads from GitHub and execute them across the cluster infrastructure.

Global Exposure Statistics

According to Shodan intelligence data, the worldwide exposure of vulnerable services presents a significant attack surface:

• Over 5,300 exposed Consul servers globally
• More than 400 exposed Nomad servers worldwide

Geographic concentration of these exposures is highest in China, the United States, Germany, Singapore, Finland, the Netherlands, and the United Kingdom.

Secondary Campaign: Open WebUI Exploitation

Parallel research from Sysdig has revealed a separate but related campaign targeting AI development infrastructure through Open WebUI system misconfigurations.

Attack Vector

The campaign exploits internet-accessible Open WebUI installations that lack proper access controls. Attackers leverage the platform's plugin system (Open WebUI Tools) to upload and execute malicious Python scripts disguised as legitimate LLM enhancement tools.

Multi-Platform Payload Delivery

Linux Systems: The malicious Python code downloads and executes cryptocurrency miners including T-Rex and XMRig, establishes persistence through systemd services, and utilizes Discord webhooks for command and control communications. The malware incorporates specialized libraries (processhider and argvhider) to conceal mining processes from system administrators.

Windows Systems: The Windows attack path includes similar cryptocurrency mining components but adds sophisticated information theft capabilities. The campaign deploys Java Development Kit components to execute JAR files downloaded from command and control infrastructure (185.208.159[.]155). The final payload includes credential harvesting modules targeting Discord accounts and cryptocurrency wallet browser extensions.

Infrastructure Scope

Sysdig's research indicates more than 17,000 Open WebUI instances are currently accessible via the internet, though the exact number of vulnerable or misconfigured installations remains undetermined.

Security Implications

These campaigns highlight critical security challenges in modern DevOps and AI development environments:

Default Configuration Vulnerabilities: Many enterprise-grade tools ship with configurations that prioritize ease of deployment over security, creating opportunities for exploitation when systems are exposed to the internet.

Attribution Evasion: The use of legitimate platforms like GitHub for tool distribution represents an evolution in attacker tactics, making investigation and response more challenging for security teams.

High-Value Target Selection: The focus on computational resources rather than traditional data theft demonstrates how cryptocurrency mining has become a preferred monetization method for cybercriminals targeting enterprise infrastructure.

Cross-Platform Sophistication: The ability to target both Linux and Windows environments with platform-specific payloads shows increasing technical sophistication among cryptojacking operators.

Mitigation Recommendations

Organizations should implement comprehensive security measures including proper configuration management, network segmentation, regular security assessments, and monitoring for unauthorized computational activity to protect against these evolving threats.