Last week we were ripping headlines from The Hacker News:
Cryptojacking Campaign Exploits DevOps APIs Using Off-the-Shelf Tools from GitHub
Let’s look at an excerpt from the story:
Cybersecurity researchers have discovered a new cryptojacking campaign that’s targeting publicly accessible DevOps web servers such as those associated with Docker, Gitea, and HashiCorp Consul and Nomad to illicitly mine cryptocurrencies.
Cloud security firm Wiz, which is tracking the activity under the name JINX-0132, said the attackers are exploiting a wide range of known misconfigurations and vulnerabilities to deliver the miner payload.
I had to go look up Nomad; at first glance it looks like a job orchestrator like Apache Zookeeper. According to the article, this is the first time that a misconfigured Nomad installation has been exploited for cryptojacking.
Interestingly, this attack uses “off-the-shelf” tools from GitHub. The article estimates that the cryptojackers had access to compute power worth tens of thousands of dollars per month.
The article notes:
It’s worth mentioning that abuse of Docker API is a well-known launchpad for such attacks. Just last week, Kaspersky revealed that threat actors are targeting misconfigured Docker API instances to enlist them to a cryptocurrency mining botnet.
So Docker is rearing its head in this story at the end. Read through the rest of the article for another vulnerability involving OpenWebUI.
Next story…
Qualcomm Fixes 3 Zero-Days Used in Targeted Android Attacks via Adreno GPU
For this article, let’s unpack it inside out. Buried in the article is this nugget:
Last December, Amnesty International revealed that another security flaw in Qualcomm (CVE-2024-43047) had been exploited by the Serbian Security Information Agency (BIA) and the Serbian police to unlock seized Android devices belonging to activists, journalists, and protestors using Cellebrite’s data extraction software to gain elevated access and deploy an Android spyware called NoviSpy.
Are the cops and the hackers talking to each other? Or did the suspects in the Serbian case simply not update their phones? If you find this to be interesting news, I’m no expert, but I would imagine even small countries like Serbia have all kinds of tricks up their sleeves to invade people’s privacy. I’m sure someone could show me a string of articles about cases that have been foiled due to the capability.
The real question is, how many innocent victims and/or political opponents get caught up with these same tools that we are supposed to believe are only used for legitimate purposes? If you’ve never looked into governments spying on journalists, it’s pretty eye-opening to see whose phone has been infected by the Pegasus malware.
Every semester I do a writeup about the author of Pegasus, the NSO Group, who are seemingly now defunct if I recall correctly. There are now many spinoffs/competitors who are responsible for tools similar to Pegasus and other government-sanctioned spyware/malware. Maybe I’ll do an “NSO Group historical review” for this site next week; we’ll see. For now you could review The Citizen Lab’s site for Pegasus headlines; you’ll see that, regardless of the status of NSO Group (I’ll find out), Pegasus is still making the headlines roll in.
Someone correct me if I’m getting this wrong here. The main headline above is that Google’s Android security people told Qualcomm about problems with their chips. They use this phrase, “responsibly disclosed”:
The flaws in question, which were responsibly disclosed to the company by the Google Android Security team…
That sounds like a keyword for Google. I didn’t realize “responsible disclosure” was the term for keeping a known defect secret from the public. Meanwhile the discoverers and the authors of the defect (the company/corporation) are colluding to keep the knowledge from the public. For who knows how long? All the while, the author of defective code is allowed to avoid disclosure of a known security vulnerability that threatens their users’/customers’ security.
This process actually has its own Wikipedia page under the slightly longer name of coordinated vulnerability disclosure. Responsible disclosure, according to Wikipedia, can take as long as 90 or even 120 days!
This must be the equivalent of tax season or Christmas season for hackers, these three to four months of being able to take advantage of known vulnerabilities. The hackers know that someone knows about these flaws.
Back to the story, here’s a quote:
“There are indications from Google Threat Analysis Group that CVE-2025-21479, CVE-2025-21480, CVE-2025-27038 may be under limited, targeted exploitation,” Qualcomm said in an advisory.
So they are admitting that hackers are exploiting the vulnerability during the non-disclosure period.
At the end of the day, I don’t know, perhaps the way they do things is for the best. Perhaps if bug/vulnerability discoverers trumpeted their finds to the world immediately, the world would be a worse place. That’s the problem with the real world; it’s not an easily replicable lab. We can’t easily run both scenarios, except with computer models of limited use.
Why Keep Things Up to Date?
I have one client whose WordPress site I manage; I choose to update plugins manually because it only takes a single bad plugin update to potentially break your whole site. A proper approach to WordPress, for a typical individual WordPress site, is to make a full backup just before you do any WordPress updates or plugin/theme updates. This way, if you get the dreaded white screen of WordPress death, or even a PHP error, you will know which plugin update caused the site to break. If a specific plugin breaks things, you can roll back to the previous plugin version where possible.
Worst case, you can roll back to your backup. Hopefully you’ll actually be able to locate the offending plugin. The problem is, it’s a crapshoot which plugin is going to break things. Normally, nothing breaks and the result is simply that feeling of following a best process.
Recently my client questioned why we need to keep things up to date if she’s not making changes to the site. This is a fair question. It reveals that the average blogger has no idea about the software development lifecycle and the attendant bug creation cycle that leads to vulnerabilities hackers will exploit. They don’t understand that leaving old software plugins in place is like putting out an invitation on the Internet for hackers to exploit your site.
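Here is the backup-then-update-one-at-a-time routine from the paragraphs above written out as a script. This is an added example, not something from the post or from WordPress itself. It assumes WP-CLI (the `wp` command) is installed and run from the WordPress root, that `curl` is available, that `SITE_URL` is set to the site’s home page (the default below is a placeholder), and that the plugins come from the wordpress.org directory so an older version can be reinstalled by number. Rather than updating everything at once and guessing which plugin caused the white screen, it dumps the database and archives wp-content first, then updates plugins one by one, checking the home page after each one and rolling back the first plugin that breaks the site.

```shell
#!/bin/sh
# Added example (not the post's own code). Assumes WP-CLI and curl are installed
# and that this runs from the WordPress root. SITE_URL below is a placeholder.
set -u

SITE_URL="${SITE_URL:-https://example.com/}"
BACKUP_DIR="${BACKUP_DIR:-./backups/$(date +%Y%m%d-%H%M%S)}"

# Full backup before touching anything: database dump plus a wp-content archive.
backup_site() {
  mkdir -p "$BACKUP_DIR" || return 1
  wp db export "$BACKUP_DIR/db.sql" --quiet || return 1
  tar -czf "$BACKUP_DIR/wp-content.tgz" wp-content || return 1
}

# Pure decision function (no network) so the check itself can be tested:
# the home page must answer 200, must not be blank (the "white screen of
# death"), and must not contain a PHP fatal or parse error message.
check_response() {
  code=$1
  page=$2
  [ "$code" = "200" ] || return 1
  [ -n "$page" ] || return 1
  case "$page" in
    *"Fatal error"*|*"Parse error"*) return 1 ;;
  esac
  return 0
}

# Fetch the home page and feed status code and body to check_response.
site_is_healthy() {
  body=$(curl -sS -L --max-time 30 -w '\n%{http_code}' "$SITE_URL") || return 1
  code=$(printf '%s\n' "$body" | tail -n 1)
  page=$(printf '%s\n' "$body" | sed '$d')
  check_response "$code" "$page"
}

# Update plugins one at a time. After each update, re-check the site; if it
# broke, reinstall the previous version of that one plugin and stop, so the
# offender is known rather than guessed.
update_plugins_one_at_a_time() {
  for plugin in $(wp plugin list --update=available --field=name); do
    old=$(wp plugin get "$plugin" --field=version)
    wp plugin update "$plugin" --quiet || { echo "update failed: $plugin"; return 1; }
    if site_is_healthy; then
      echo "ok: $plugin (was $old)"
    else
      echo "BROKE SITE: $plugin, rolling back to $old"
      # Works for wordpress.org plugins; premium plugins need their own zip.
      wp plugin install "$plugin" --version="$old" --force --quiet
      return 1
    fi
  done
}

# Only run the whole procedure when invoked as: sh update-plugins.sh run
if [ "${1:-}" = "run" ]; then
  backup_site || { echo "backup failed, aborting"; exit 1; }
  update_plugins_one_at_a_time
fi
```

If the rollback is not enough (a plugin update altered database tables, say), the `db.sql` dump and `wp-content.tgz` in the backup directory are the worst-case restore the post describes. The health check is deliberately conservative: a theme that happens to print the words “Fatal error” in its content would be reported as broken, which is the safer mistake to make.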
Image credit “Enigma Crypto Machine” by Latente 囧 www.latente.it is licensed under CC BY-SA 2.0.