JINX-0132 targets exposed Nomad servers lacking ACL protections by submitting malicious jobs through the API, effectively gaining remote code execution. These jobs download and run the XMRig miner from public GitHub releases, bypassing traditional IOC-based detection. Gitea instances are compromised through a mix of outdated versions with known RCEs (e.g., CVE-2020-14144, unpatched 1.4.0 release), weak default settings, and insecure post-install configurations. In Docker environments, attackers exploit externally exposed Docker APIs (e.g., tcp://0.0.0.0:2375) to spin up containers running miners or escalate privileges by mounting host filesystems. Similarly, unprotected Consul instances are abused via the health check registration feature, which supports bash commands, enabling attackers to install and execute mining software remotely. The actor avoids traditional payload delivery infrastructure, making detection challenging and clustering of campaigns difficult.
Type
Campaign
Actors
JINX-0132
Pub. date
June 2, 2025
Initial access
Software misconfig
Impact
Resource hijacking
Observed techniques
Misconfigured Gitea AbuseMisconfigured Nomad abuse
Observed tools
XMRig
Targeted technologies
NomadGiteaHashicorp ConsulDocker
References
https://www.wiz.io/blog/jinx-0132-cryptojacking-campaign
Status
Finalized
Last edited
Jun 4, 2025 3:53 PM