- Security researchers at Wiz find four widely used DevOps tools being abused
- The misconfigurations let threat actors deploy cryptocurrency miners
- A quarter of all cloud environments are potentially at risk, so users must be on their guard
Cyber criminals have been caught abusing misconfigurations in popular, publicly exposed DevOps tools to deploy cryptocurrency miners, which generate valuable tokens while racking up enormous electricity and compute bills for their victims.
Security researchers at Wiz Threat Research discovered the campaign and attributed it to a threat actor tracked as Jinx-0132.
The crooks apparently target many DevOps tools, but four stood out: Nomad, Consul, the Docker Engine API and Gitea.
The first two are built by HashiCorp: Nomad is a workload orchestrator that schedules and manages the deployment of containers, virtual machines and standalone applications across clusters, while Consul is a service networking solution that provides service discovery, health checking, configuration and segmentation for distributed applications.
The Docker Engine API is a RESTful API that lets developers and automation tools interact with the Docker daemon to manage containers, images, networks and volumes, and Gitea is a self-hosted Git service that provides source code hosting, issue tracking, code review and collaborative development tools.
“Misconfiguration abuse by threat actors can often fly under defenders’ radar, especially when the affected feature is not known as an attack vector,” the researchers explained.
“A central characteristic of Jinx-0132’s method is the seemingly deliberate avoidance of any unique, traditional identifiers that defenders could use as indicators of compromise. Instead of using attacker-controlled servers for payload delivery, they download tools directly from public GitHub repositories.”
The problem appears to be widespread, as up to a quarter of all cloud users could be exposed. In the report, the researchers said that 25% of all cloud environments run at least one of the four technologies listed above, and at least 20% run HashiCorp Consul.
“Of the environments using these DevOps tools, five percent expose them directly to the internet, and 30 percent of those exposed deployments are misconfigured,” the team concluded.
To mitigate the risk, companies should enforce strict access controls, perform regular security audits and carry out frequent vulnerability assessments. They should also keep up with patching and monitor their systems for abnormal resource consumption.
Finally, they should harden DevOps environments against misconfiguration, restrict unauthorized command execution and strengthen their authentication measures.
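One way to check a deployment for the exposure patterns the researchers describe, as an added example that is not code from the Wiz report or the article: a small Python audit of a Docker daemon.json and of Consul and Nomad configuration files (both tools accept JSON config), flagging a TCP-exposed Engine API without TLS client verification, disabled ACLs and wildcard bind addresses. The setting names are the tools' documented keys; the sample configs are constructed, and Gitea is left out because the article does not say which Gitea setting was abused.

```python
"""Audit Docker, Consul and Nomad configs for unauthenticated network exposure.
Added example, not code from Wiz or the article; sample configs are constructed."""
import json
from urllib.parse import urlparse

ANY_ADDR = ("0.0.0.0", "::", "", None)  # wildcard binds (None: empty host in a URL)

def audit_docker(cfg: dict) -> list[str]:
    """A TCP-exposed Engine API without TLS client verification takes commands from anyone who can reach it."""
    findings = []
    for host in cfg.get("hosts", []):
        if not host.startswith("tcp://"):
            continue  # unix:// and fd:// sockets stay on the host
        if not cfg.get("tlsverify"):
            findings.append(f"docker: {host} serves the Engine API without TLS client verification")
        if urlparse(host).hostname in ANY_ADDR:
            findings.append(f"docker: {host} is bound to all interfaces")
    return findings

def audit_consul(cfg: dict) -> list[str]:
    """Without ACLs (or with default_policy allow) any client can write the KV store and register services."""
    findings = []
    acl = cfg.get("acl", {})
    if not acl.get("enabled", False):
        findings.append("consul: ACL system is disabled")
    elif acl.get("default_policy", "allow") != "deny":
        findings.append("consul: ACL default_policy is not 'deny'")
    if cfg.get("client_addr", "127.0.0.1") in ANY_ADDR:  # Consul's default is loopback
        findings.append("consul: HTTP API (client_addr) is bound to all interfaces")
    return findings

def audit_nomad(cfg: dict) -> list[str]:
    """Without ACLs, anyone reaching the API can submit jobs; Nomad's bind_addr defaults to 0.0.0.0."""
    findings = []
    if not cfg.get("acl", {}).get("enabled", False):
        findings.append("nomad: ACL system is disabled")
    if cfg.get("bind_addr", "0.0.0.0") in ANY_ADDR:
        findings.append("nomad: API (bind_addr) is bound to all interfaces")
    return findings

def audit_all(docker_json: str, consul_json: str, nomad_json: str) -> list[str]:
    """Parse the three JSON config files and concatenate the findings."""
    return (audit_docker(json.loads(docker_json)) + audit_consul(json.loads(consul_json))
            + audit_nomad(json.loads(nomad_json)))

# Constructed sample configs: a weak set (six findings) and a hardened set (none).
WEAK = ('{"hosts": ["unix:///var/run/docker.sock", "tcp://0.0.0.0:2375"]}',
        '{"client_addr": "0.0.0.0"}', '{"bind_addr": "0.0.0.0"}')
HARDENED = ('{"hosts": ["unix:///var/run/docker.sock", "tcp://10.0.0.5:2376"], "tlsverify": true}',
            '{"client_addr": "127.0.0.1", "acl": {"enabled": true, "default_policy": "deny"}}',
            '{"bind_addr": "10.0.0.5", "acl": {"enabled": true}}')
```

Run `audit_all(*WEAK)` against your own files by reading them from the daemon.json and Consul/Nomad config paths used in your deployment; each finding names the tool and the setting to change.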
Via The Register