Lockdown of DevOps exposure: Wiz urges organizations to lock down exposed DevOps infrastructure by following established best practices. For Nomad, enforcing access control lists (ACLs) would have blocked the unauthenticated job executions used in this campaign. Public Gitea instances should be fully patched, with git hooks disabled and the installation locked unless absolutely needed. In Consul, disabling script checks and binding the HTTP API to localhost can prevent unauthorized service access. As for Docker, the API is meant to stay internal; exposing it to the internet, especially by binding it to 0.0.0.0, opens a direct path for exploitation. Minimizing external exposure, enabling authentication, and applying least-privilege access across all tools are critical steps to stop similar attacks in their tracks.

Why are configs now the target: Jinx-0132 signals a shift in cloud threats, from exploiting software flaws to targeting operational blind spots. Instead of custom malware, attackers are now leveraging misconfigurations and legitimate open-source tools, slipping past traditional IOC-based defenses. The campaign underscores two key trends: threat actors are moving beyond core cloud infrastructure to exploit DevOps pipelines, and they're leaning on "living-off-open-source" tactics to stay hidden. In complex cloud-native setups, even small configuration lapses can have an outsized impact, making continuous auditing just as critical as real-time monitoring.
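The four hardening points above (Docker API binding, Consul script checks and HTTP bind address, Nomad ACLs, Gitea install lock and git hooks) can be checked as part of the continuous auditing the article calls for. The script below is an added example, not Wiz's or any project's own tooling; it assumes Docker's daemon.json, Consul's and Nomad's JSON-format agent configs are already loaded as dicts, that Gitea's app.ini is available as text, and that a missing setting means the insecure default (an assumption, stated in the comments).

```python
"""Flag the DevOps misconfigurations abused by Jinx-0132 in local agent configs.
Added example; the sample configs at the bottom are constructed, not captured."""
import configparser


def audit(docker_daemon: dict, consul: dict, nomad: dict, gitea_ini: str) -> list[str]:
    findings = []
    # Docker: a tcp:// host with no address or 0.0.0.0 exposes the API on every interface
    for host in docker_daemon.get("hosts", []):
        if host.startswith("tcp://") and host[len("tcp://"):].rsplit(":", 1)[0] in ("", "0.0.0.0"):
            findings.append(f"docker: API listens on all interfaces ({host})")
    # Consul: script checks off; HTTP API on loopback (addresses.http overrides client_addr)
    if consul.get("enable_script_checks"):
        findings.append("consul: enable_script_checks is true")
    http_bind = consul.get("addresses", {}).get("http") or consul.get("client_addr", "127.0.0.1")
    if http_bind not in ("127.0.0.1", "localhost"):
        findings.append(f"consul: HTTP API bound to {http_bind}")
    # Nomad: acl.enabled defaults to false, which lets anyone reaching the API submit jobs
    if not nomad.get("acl", {}).get("enabled", False):
        findings.append("nomad: acl.enabled is not true")
    # Gitea: [security] INSTALL_LOCK and DISABLE_GIT_HOOKS; app.ini has keys before the first
    # section header, which configparser rejects, so a synthetic section absorbs them.
    # Treating an absent key as insecure is an assumption made for the audit.
    ini = configparser.ConfigParser(interpolation=None)
    ini.read_string("[_top]\n" + gitea_ini)
    if not ini.getboolean("security", "INSTALL_LOCK", fallback=False):
        findings.append("gitea: INSTALL_LOCK is not true")
    if not ini.getboolean("security", "DISABLE_GIT_HOOKS", fallback=False):
        findings.append("gitea: DISABLE_GIT_HOOKS is not true")
    return findings


# Constructed samples: an exposed set of configs and the hardened equivalent
EXPOSED = dict(
    docker_daemon={"hosts": ["unix:///var/run/docker.sock", "tcp://0.0.0.0:2375"]},
    consul={"client_addr": "0.0.0.0", "enable_script_checks": True},
    nomad={"acl": {"enabled": False}},
    gitea_ini="APP_NAME = Gitea\n[security]\nINSTALL_LOCK = false\nDISABLE_GIT_HOOKS = false\n",
)
HARDENED = dict(
    docker_daemon={"hosts": ["unix:///var/run/docker.sock"]},
    consul={"client_addr": "0.0.0.0", "addresses": {"http": "127.0.0.1"}, "enable_script_checks": False},
    nomad={"acl": {"enabled": True}},
    gitea_ini="APP_NAME = Gitea\n[security]\nINSTALL_LOCK = true\nDISABLE_GIT_HOOKS = true\n",
)

if __name__ == "__main__":
    for name, cfgs in (("exposed", EXPOSED), ("hardened", HARDENED)):
        print(name, audit(**cfgs) or ["no findings"])
```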
First seen on csoonline.com
Jump to article: www.csoonline.com/article/4000714/the-high-cost-of-misconfigured-devops-global-cryptojacking-hits-enterprises.html