JINX-0132: Cryptojackers Exploit Misconfigured DevOps Environments

Wiz Threat Research has uncovered a stealthy cryptojacking operation exploiting misconfigured DevOps environments. Dubbed “JINX-0132”, the campaign abuses public-facing services—including HashiCorp Nomad and Consul, Docker APIs, and Gitea—to deploy Monero-mining payloads across enterprise-grade infrastructure.

This campaign represents the first publicly documented abuse of misconfigured Nomad deployments for real-world exploitation. According to Wiz researchers, “a fundamental Nomad feature… effectively means that unrestricted access to the server API can be tantamount to remote code execution (RCE) capabilities on the server itself and all connected nodes.”

Rather than relying on sophisticated malware or custom-built payloads, JINX-0132 exemplifies the living-off-the-land approach—”they download tools directly from public GitHub repositories” and “rely on standard release versions of XMRig rather than custom malware.” This methodology makes attribution difficult and weakens traditional defenses dependent on Indicators of Compromise (IOCs).

JINX-0132 exploits common misconfigurations in widely used infrastructure components:

• Nomad: Wiz found attackers exploiting the default open configuration of Nomad’s job scheduling API to execute malicious mining tasks. Using seemingly random job names but a consistent task group (“NIGNOG”), attackers remotely deployed XMRig miners via shell commands executed within Nomad jobs.
• Consul: Consul’s default behavior enables service registration with embedded shell-based health checks. “Unless ACLs have been configured or security features… enabled, any user with remote access… can abuse this functionality for remote code execution,” the report warns. JINX-0132 injected health checks that ran XMRig payloads, leveraging this default configuration for cryptomining.
• Gitea: Older Gitea versions and misconfigured newer instances were another foothold. If DISABLE_GIT_HOOKS=false, attackers could create post-receive git hooks for RCE. Moreover, “the short-lived 1.4.0 release is affected by an unauthenticated RCE” that enabled attackers to forge admin sessions and execute code.
• Docker API: The campaign also leveraged exposed Docker APIs bound to 0.0.0.0. As the report explains, “a single unauthenticated API call can spin up malicious containers or mount the host filesystem,” giving attackers root-like access to execute XMRig miners or pivot to adjacent cloud resources.

Some of the compromised servers had “compute power… that would cost tens of thousands of dollars per month,” highlighting how even large organizations are vulnerable when DevOps security hygiene is lacking.

Wiz’s internal telemetry reveals that:

• 25% of cloud environments run at least one of the targeted tools
• 5% expose these services to the internet
• 30% of those exposed deployments are misconfigured

Thousands of vulnerable Nomad and Consul instances are searchable via Shodan—with many hosted on AWS, Azure, and GCP.

Wiz emphasizes that many of these tools are not secure-by-default. Defensive recommendations include:

• Enabling ACLs and job security in Nomad
• Restricting health check scripts and API exposure in Consul
• Disabling git hooks in Gitea and locking down installations
• Never exposing Docker APIs to public networks

As Wiz puts it, “misconfiguration abuse by threat actors can often go under defenders’ radar, especially if the affected application isn’t well known as an attack vector.”

Related Posts:

• Evolving Cryptojacking Campaign Targets Misconfigured Kubernetes Clusters
• New Phishing Campaign Targets AWS Accounts: Security Experts Warn