Hackers Exploit Jenkins Script Console for Cryptocurrency Mining Attacks

Published on Jul 09, 2024 by Newsroom. CI/CD Security / Server Security

Cybersecurity researchers have found that attackers can exploit misconfigured Jenkins Script Console instances to carry out criminal activities such as cryptocurrency mining.

“Misconfigurations such as improperly set authentication mechanisms expose the ‘/script’ endpoint to attackers,” Shubham Singh and Sunil Bharti of Trend Micro said in a technical write-up published last week. “This can lead to remote code execution (RCE) and misuse by malicious actors.”

Jenkins, a popular continuous integration and continuous delivery (CI/CD) tool, comes with a Groovy script console that lets users run arbitrary Groovy scripts within the Jenkins controller runtime.

The project maintainers explicitly point out in the official documentation that the web-based Groovy shell can be used to read files containing sensitive data (e.g., “/etc/passwd”), decrypt credentials configured in Jenkins, and even reconfigure security settings.

The console “provides no administrative control to prevent a user (or administrator) once they are able to run the Script Console from affecting all parts of the Jenkins infrastructure,” the documentation reads. “Giving a normal Jenkins user access to the script console is essentially the same as granting them administrator rights within Jenkins.”

While access to the Script Console is typically limited to authenticated users with administrative permissions, improperly configured Jenkins instances may inadvertently make the “/script” (or “/scriptText”) endpoint accessible over the Internet, making it open to exploitation by attackers looking to execute malicious commands.

Trend Micro said it found instances of threat actors exploiting the misconfiguration of Jenkins’ Groovy plugin to execute a Base64-encoded string containing a malicious script designed to mine cryptocurrencies on the compromised server, by deploying a miner payload hosted on berrystore[.]me and setting up persistence.

“The script ensures that it has enough system resources to mine effectively,” the researchers said. “To do this, the script checks for processes that are consuming more than 90% of the CPU resources, and then proceeds to kill those processes. It will also kill any interrupted processes.”

To protect against such exploitation attempts, it is recommended to ensure proper configuration, implement strong authentication and authorization, conduct regular audits, and prevent Jenkins servers from being publicly exposed to the Internet.
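As an added example for the audit step above (not code from the article or from Trend Micro), the following Python script scans reverse-proxy access logs for requests to the Script Console endpoints and rates them; it assumes Jenkins sits behind a proxy writing NGINX "combined" format logs, and the sample lines are constructed.

```python
import re
from collections import Counter

# Assumption: Jenkins runs behind a reverse proxy that writes NGINX "combined" access logs.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ (?P<user>\S+) \[[^\]]+\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) \S+'
)
CONSOLE_PATHS = ("/script", "/scriptText")  # the endpoints named in the article

def is_console_request(path):
    """True for /script or /scriptText (query string and sub-paths ignored)."""
    base = path.split("?", 1)[0]
    return any(base == p or base.startswith(p + "/") for p in CONSOLE_PATHS)

def find_script_console_hits(lines):
    """Classify each Script Console request. POST 200 = a Groovy script was
    accepted and run on the controller; 401/403 or a login redirect = access
    control held; anything else (e.g. GET 200, console form served) = WARN."""
    hits = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m or not is_console_request(m["path"]):
            continue
        status, method = int(m["status"]), m["method"]
        if method == "POST" and status == 200:
            severity = "CRITICAL"
        elif status in (401, 403) or 300 <= status < 400:
            severity = "INFO"
        else:
            severity = "WARN"
        hits.append({"ip": m["ip"], "user": m["user"], "method": method,
                     "path": m["path"], "status": status, "severity": severity})
    return hits

def critical_sources(hits):
    """Count CRITICAL events per source IP, the first thing to triage."""
    return Counter(h["ip"] for h in hits if h["severity"] == "CRITICAL")

# Constructed sample log lines, not real traffic (documentation IP ranges).
SAMPLE_LOG = [
    '203.0.113.7 - - [09/Jul/2024:10:00:01 +0000] "GET /script HTTP/1.1" 200 5120',
    '203.0.113.7 - - [09/Jul/2024:10:00:03 +0000] "POST /scriptText HTTP/1.1" 200 87',
    '203.0.113.7 - - [09/Jul/2024:10:00:04 +0000] "POST /scriptText HTTP/1.1" 200 31',
    '198.51.100.4 - - [09/Jul/2024:10:05:00 +0000] "GET /script HTTP/1.1" 403 0',
    '198.51.100.4 - alice [09/Jul/2024:10:06:00 +0000] "GET /job/app/1/console HTTP/1.1" 200 2210',
    '192.0.2.9 - - [09/Jul/2024:10:07:00 +0000] "POST /script HTTP/1.1" 302 0',
]
```

Any CRITICAL hit from an unauthenticated ("-") user means the endpoint accepted a script without a login, which is exactly the misconfiguration the researchers describe.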

The news comes as cryptocurrency thefts resulting from cyberattacks and exploits soared in the first half of 2024, allowing threat actors to plunder $1.38 billion, up from $657 million year-over-year.

“The top five cyberattacks and exploits accounted for 70% of the total amount stolen so far this year,” said blockchain intelligence platform TRM Labs. “Private key and seed phrase compromise will remain a major attack vector in 2024, alongside smart contract exploits and flash loan attacks.”
