Hackers Abuse Misconfigured Jenkins Script Console for Cryptocurrency Mining
Cybersecurity researchers have found that attackers are exploiting improperly configured Jenkins Script Console instances to carry out illicit activities such as cryptocurrency mining.
“Security oversights such as inadequately set up authentication mechanisms expose the ‘/script’ endpoint to bad actors,” Shubham Singh and Sunil Bharti from Trend Micro explained in a recent technical report. “This situation can result in remote code execution (RCE) and misuse by malicious entities.”
Jenkins, a widely used platform for continuous integration and delivery (CI/CD), includes a Groovy script console that enables users to execute arbitrary Groovy scripts within the Jenkins controller’s runtime environment.
The official documentation highlights that the web-based Groovy shell in Jenkins can be exploited to access files with sensitive data (e.g., “/etc/passwd”), decrypt stored credentials, and even modify security configurations.
The documentation warns that the console “lacks administrative controls to prevent a user (or administrator) once they gain access to the Script Console from making changes across all parts of the Jenkins infrastructure.”
“Granting a regular Jenkins user Script Console Access is equivalent to providing them with Administrator privileges within Jenkins,” the documentation adds.
Although only authenticated users with administrative rights typically have access to the Script Console, misconfigured Jenkins setups could inadvertently expose the “/script” (or “/scriptText”) endpoint to the internet, making it susceptible to exploitation by hackers intending to execute harmful commands.
Trend Micro said it found instances where threat actors took advantage of the Jenkins Groovy plugin misconfiguration to run a Base64-encoded string containing a malicious script. The script mines cryptocurrency on the compromised server by deploying a miner payload from berrystore[.]me and establishing persistence.
“The script ensures it has sufficient system resources for effective mining,” the researchers said. “To achieve this, the script identifies processes consuming over 90% of the CPU’s resources and terminates those processes. Moreover, it terminates all halted processes.”

To prevent such exploitation attempts, it is recommended to ensure proper configuration, establish strong authentication and authorization mechanisms, conduct routine audits, and avoid exposing Jenkins servers to the public internet.
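As one way to support the routine audits recommended above, the following added example (not code from Trend Micro or the Jenkins project) scans web access logs for requests to the “/script” and “/scriptText” endpoints that come from outside an administrator allowlist. It assumes a reverse proxy in front of Jenkins writing combined-format logs; the ADMIN_NETS range, the function names and the sample log lines are constructed for illustration.

```python
import ipaddress
import re
from urllib.parse import urlsplit

# Assumption: networks from which administrators legitimately reach Jenkins.
ADMIN_NETS = [ipaddress.ip_network("10.20.0.0/24")]
# Assumption: combined log format from a reverse proxy in front of Jenkins.
LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ (?P<user>\S+) \[[^\]]+\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3}) ')
CONSOLE_SEGMENTS = {"script", "scriptText"}

# Constructed sample log lines (documentation-range addresses, not real traffic).
SAMPLE_LOG = [
    '203.0.113.45 - - [10/Jul/2024:08:14:02 +0000] "POST /scriptText HTTP/1.1" 200 57 "-" "curl/8.5.0"',
    '10.20.0.15 - admin [10/Jul/2024:09:01:10 +0000] "POST /script HTTP/1.1" 200 8123 "-" "Mozilla/5.0"',
    '198.51.100.7 - - [10/Jul/2024:09:30:44 +0000] "GET /jenkins/script HTTP/1.1" 403 612 "-" "Mozilla/5.0"',
    '203.0.113.45 - - [10/Jul/2024:09:31:00 +0000] "GET /job/app/lastBuild/console HTTP/1.1" 200 4410 "-" "Mozilla/5.0"',
]


def is_console_path(target):
    """True when the final path segment is script or scriptText, under any prefix."""
    path = urlsplit(target).path.rstrip("/")
    return path.rsplit("/", 1)[-1] in CONSOLE_SEGMENTS


def from_admin_net(ip, nets):
    """Unparseable source addresses are treated as outside the allowlist."""
    try:
        addr = ipaddress.ip_address(ip)
    except ValueError:
        return False
    return any(addr in net for net in nets)


def find_console_hits(lines, admin_nets=ADMIN_NETS):
    """Return console requests from outside admin_nets, marked served (2xx) or denied."""
    findings = []
    for line in lines:
        m = LINE_RE.match(line)
        if not m or not is_console_path(m["target"]) or from_admin_net(m["ip"], admin_nets):
            continue
        severity = "served" if m["status"].startswith("2") else "denied"
        findings.append({"ip": m["ip"], "user": m["user"], "method": m["method"],
                         "path": urlsplit(m["target"]).path, "severity": severity})
    return findings
```

Calling find_console_hits(SAMPLE_LOG) returns two findings: a “served” entry means the endpoint answered a request from outside the allowlist and should be investigated first, while “denied” entries show probing that access controls blocked.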
These findings come as cryptocurrency thefts resulting from breaches and security loopholes spiked in the first half of 2024, enabling threat actors to seize $1.38 billion, a substantial increase from $657 million in the previous year.
“The top five intrusions and exploits contributed to 70% of the total stolen amount this year,” stated TRM Labs, a blockchain intelligence platform. “Incidents involving compromises of private keys and seed phrases continue to be a major attack vector in 2024, alongside exploits targeting smart contracts and flash loans.”

