Year-old vuln turns Jenkins servers into Monero mining slaves

The hip world of continuous integration meets the dark world of crypto-jacking


Here's a salutary reminder why it pays to patch promptly: a Jenkins bug patched last year became the vector for a multi-million-dollar cryptocurrency mining hijack.

A campaign security researchers dubbed “JenkinsMiner” exploited CVE-2017-1000353, a deserialisation bug first disclosed with fixes by the Jenkins team in April 2017.

According to Check Point researchers, that bug helped an attacker, believed to be from China, use Jenkins servers as mining rigs – after they'd already garnered US$3 million of Monero using the XMRig miner on exploited Windows machines.

On un-patched systems, just two commands sent to the Jenkins CLI trigger CVE-2017-1000353.

miner

Good news, everyone: Ransomware declining. Bad news: Miscreants are turning to crypto-mining on infected PCs

READ MORE

Next, they wrote, the attacker sends a request containing two objects, “Capability” and “Command”. It's the second of these that contains the Monero miner payload.

Once the Jenkins server is compromised, the attack launches a hidden PowerShell instance so the script can run in the background, and the attack sets a variable to a web-client object, with scrambled case to try and confuse security products.

That command fetches the miner's executable and the script starts the miner.

Check Point's estimated income came from a detail of how the attacker works: funds from their different operations are sent to a single Monero wallet.

Earlier this year, an old bug in Oracle's WebLogic server was also exploited to plant XMRig. That attack was discovered by Morpheus Labs' Renato Marinho and disclosed in a post at the SANS Institute. The SANS Dean of Research Johannes Ullrich noted that XMRig itself is considered a legitimate miner. ®

Broader topics


Other stories you might like

  • Deepfake attacks can easily trick live facial recognition systems online
    Plus: Next PyTorch release will support Apple GPUs so devs can train neural networks on their own laptops

    In brief Miscreants can easily steal someone else's identity by tricking live facial recognition software using deepfakes, according to a new report.

    Sensity AI, a startup focused on tackling identity fraud, carried out a series of pretend attacks. Engineers scanned the image of someone from an ID card, and mapped their likeness onto another person's face. Sensity then tested whether they could breach live facial recognition systems by tricking them into believing the pretend attacker is a real user.

    So-called "liveness tests" try to authenticate identities in real-time, relying on images or video streams from cameras like face recognition used to unlock mobile phones, for example. Nine out of ten vendors failed Sensity's live deepfake attacks.

    Continue reading
  • Lonestar plans to put datacenters in the Moon's lava tubes
    How? Founder tells The Register 'Robots… lots of robots'

    Imagine a future where racks of computer servers hum quietly in darkness below the surface of the Moon.

    Here is where some of the most important data is stored, to be left untouched for as long as can be. The idea sounds like something from science-fiction, but one startup that recently emerged from stealth is trying to turn it into a reality. Lonestar Data Holdings has a unique mission unlike any other cloud provider: to build datacenters on the Moon backing up the world's data.

    "It's inconceivable to me that we are keeping our most precious assets, our knowledge and our data, on Earth, where we're setting off bombs and burning things," Christopher Stott, founder and CEO of Lonestar, told The Register. "We need to put our assets in place off our planet, where we can keep it safe."

    Continue reading
  • Conti: Russian-backed rulers of Costa Rican hacktocracy?
    Also, Chinese IT admin jailed for deleting database, and the NSA promises no more backdoors

    In brief The notorious Russian-aligned Conti ransomware gang has upped the ante in its attack against Costa Rica, threatening to overthrow the government if it doesn't pay a $20 million ransom. 

    Costa Rican president Rodrigo Chaves said that the country is effectively at war with the gang, who in April infiltrated the government's computer systems, gaining a foothold in 27 agencies at various government levels. The US State Department has offered a $15 million reward leading to the capture of Conti's leaders, who it said have made more than $150 million from 1,000+ victims.

    Conti claimed this week that it has insiders in the Costa Rican government, the AP reported, warning that "We are determined to overthrow the government by means of a cyber attack, we have already shown you all the strength and power, you have introduced an emergency." 

    Continue reading

Biting the hand that feeds IT © 1998–2022