Hackers Abuse Jenkins Script Console for Illicit Cryptocurrency Mining Attacks
Cybersecurity researchers have found that attackers can abuse improperly configured Jenkins Script Console instances for criminal activity such as cryptocurrency mining.
“Weak configurations including poorly set up authentication methods expose the ‘/script’ endpoint to malevolent entities,” Shubham Singh and Sunil Bharti from Trend Micro stated in a technical article released last week. “This vulnerability can lead to remote code execution (RCE) and abuse by malicious agents.”
Jenkins, a popular continuous integration and continuous delivery (CI/CD) platform, includes a Groovy script console that lets users run arbitrary Groovy scripts within the Jenkins controller runtime.
The project maintainers state explicitly in the official documentation that the web-based Groovy shell can be used to read files containing sensitive data (e.g., “/etc/passwd”), decrypt credentials configured within Jenkins, and reconfigure security settings.
The console “does not provide administrative checks to prevent a user (or admin) from making changes to all parts of the Jenkins infrastructure once they successfully run the Script Console,” the documentation states. “Granting a regular Jenkins user Script Console Access is essentially equivalent to granting them Administrator privileges in Jenkins.”
Although access to the Script Console is typically restricted to authenticated users with administrative rights, misconfigured Jenkins instances can inadvertently expose the “/script” (or “/scriptText”) endpoint to the internet, giving attackers an opportunity to execute malicious commands.
Trend Micro highlighted instances where threat actors took advantage of a misconfiguration of the Jenkins Groovy plugin to execute a Base64-encoded string containing a malicious script. The script is designed to mine cryptocurrency on the compromised server by deploying a miner payload hosted on berrystore[.]me and setting up persistence.
“The script ensures it harnesses adequate system resources for efficient mining,” the analysts said. “To achieve this, the script scans for processes consuming over 90% of the CPU’s resources and proceeds to terminate them. Furthermore, it terminates all halted processes.”

To protect against such exploitation attempts, it is recommended to ensure proper configuration, enforce strong authentication and authorization mechanisms, conduct routine inspections, and avoid exposing Jenkins servers to the public internet.
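As part of the routine inspections recommended above, requests to the Script Console can be pulled out of web access logs. The following is an added example, not code from Trend Micro or the Jenkins project; it assumes a reverse proxy in front of Jenkins that writes Combined Log Format and passes through the Jenkins status code, and the function names and sample log lines are constructed for illustration.

```python
import re
from collections import defaultdict
from urllib.parse import urlsplit

# Combined Log Format: ip ident user [time] "METHOD target PROTO" status size ...
LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3}) '
)
CONSOLE_SEGMENTS = {"script", "scriptText"}  # endpoints named in the article


def console_hits(lines):
    """Yield (ip, method, path, status) for requests to the Script Console."""
    for line in lines:
        m = LINE_RE.match(line)
        if not m:
            continue  # skip malformed lines instead of failing the whole run
        path = urlsplit(m["target"]).path.rstrip("/")
        # Compare the last path segment only, so a context path such as
        # /jenkins/script matches but /static/.../script.js does not.
        if path.rsplit("/", 1)[-1] in CONSOLE_SEGMENTS:
            yield m["ip"], m["method"], path, int(m["status"])


def summarize(lines):
    """Per source IP: console requests answered with 2xx vs. anything else."""
    report = defaultdict(lambda: {"accepted": 0, "refused": 0})
    for ip, _method, _path, status in console_hits(lines):
        # Assumption: a 2xx means Jenkins served the console or ran the script.
        key = "accepted" if 200 <= status < 300 else "refused"
        report[ip][key] += 1
    return dict(report)


# Constructed sample log lines (documentation IP ranges), not real traffic.
SAMPLE = [
    '203.0.113.7 - - [10/Jul/2024:03:12:01 +0000] "POST /scriptText HTTP/1.1" 200 64 "-" "curl/8.5.0"',
    '203.0.113.7 - - [10/Jul/2024:03:12:09 +0000] "POST /jenkins/script HTTP/1.1" 200 5120 "-" "curl/8.5.0"',
    '198.51.100.20 - - [10/Jul/2024:03:15:44 +0000] "GET /script/ HTTP/1.1" 403 793 "-" "Mozilla/5.0"',
    '198.51.100.20 - - [10/Jul/2024:03:15:45 +0000] "GET /static/ab12/script.js HTTP/1.1" 200 901 "-" "Mozilla/5.0"',
    '192.0.2.5 - alice [10/Jul/2024:09:00:00 +0000] "GET /job/build/42/console HTTP/1.1" 200 2048 "-" "Mozilla/5.0"',
]

if __name__ == "__main__":
    for ip, counts in summarize(SAMPLE).items():
        print(ip, counts)
```

Any "accepted" count from an address outside the administrators' network is worth investigating, since it means the console answered that client.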
The findings come as cryptocurrency theft resulting from cyber attacks and vulnerabilities surged in the first half of 2024, enabling malicious actors to steal $1.38 billion, a significant increase from $657 million in the previous year.
“The majority of the thefts in the current year have been attributed to the top five hacks and exploits,” TRM Labs, a blockchain intelligence platform, said. “Compromised private keys and seed phrases continue to be a key method of attack in 2024, alongside exploits on smart contracts and flash loan attacks.”

