Cybersecurity researchers have discovered that it is possible for attackers to weaponize improperly configured Jenkins Script Console instances to further criminal activities such as cryptocurrency mining.
“Misconfigurations such as improperly set up authentication mechanisms expose the ‘/script’ endpoint to attackers,” Trend Micro's Shubham Singh and Sunil Bharti said in a technical write-up published last week. “This can lead to remote code execution (RCE) and misuse by malicious actors.”
Jenkins, a popular continuous integration and continuous delivery (CI/CD) platform, features a Groovy script console that allows users to run arbitrary Groovy scripts within the Jenkins controller runtime.
The project maintainers, in the official documentation, explicitly note that the web-based Groovy shell can be used to read files containing sensitive data (e.g., “/etc/passwd”), decrypt credentials configured within Jenkins, and even reconfigure security settings.
The console “offers no administrative controls to stop a user (or admin) once they are able to execute the Script Console from affecting all parts of the Jenkins infrastructure,” reads the documentation. “Granting a normal Jenkins user Script Console Access is essentially the same as giving them Administrator rights within Jenkins.”
While access to the Script Console is typically limited to authenticated users with administrative permissions, misconfigured Jenkins instances could inadvertently make the “/script” (or “/scriptText”) endpoint accessible over the internet, making it ripe for exploitation by attackers looking to run dangerous commands.
Trend Micro said it found instances of threat actors exploiting the Jenkins Groovy plugin misconfiguration to execute a Base64-encoded string containing a malicious script that is designed to mine cryptocurrency on the compromised server by deploying a miner payload hosted on berrystore[.]me and setting up persistence.
“The script ensures it has enough system resources to perform the mining effectively,” the researchers said. “To do this, the script checks for processes that consume more than 90% of the CPU's resources, then proceeds to kill those processes. Additionally, it will terminate all stopped processes.”
To safeguard against such exploitation attempts, it is recommended to ensure proper configuration, implement robust authentication and authorization, conduct regular audits, and restrict Jenkins servers from being publicly exposed on the internet.
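As an added example (not code from Trend Micro's write-up or the Jenkins project), the regular-audit step above can be backed by a detection pass over the access log of a reverse proxy in front of Jenkins: it flags every request to the `/script` and `/scriptText` endpoints and ranks an anonymous request that received HTTP 200 as critical, since that means the console is reachable without authentication. The log lines are constructed, and the check assumes the proxy records the authenticated user in the remote-user field (`-` meaning anonymous).

```python
import re

# Constructed access-log lines (NCSA style, as a reverse proxy in front of
# Jenkins might write them); hypothetical traffic, not real data.
SAMPLE_LOG = """\
203.0.113.10 - - [10/Jul/2024:12:00:01 +0000] "GET /script HTTP/1.1" 200 4096
203.0.113.10 - - [10/Jul/2024:12:00:02 +0000] "POST /scriptText HTTP/1.1" 200 512
198.51.100.7 - alice [10/Jul/2024:12:05:00 +0000] "POST /script HTTP/1.1" 200 4096
198.51.100.7 - alice [10/Jul/2024:12:06:00 +0000] "GET /job/demo/1/console HTTP/1.1" 200 900
192.0.2.5 - - [10/Jul/2024:12:07:00 +0000] "GET /script/ HTTP/1.1" 403 120
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ (?P<user>\S+) \[[^\]]+\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) \S+$'
)
# Paths that reach the Groovy script console: the web form and the text API.
CONSOLE_PATHS = {"/script", "/scriptText"}


def classify(user, method, status):
    """Rank one console request; assumes the proxy logs the authenticated user."""
    if status != 200:
        return "low"       # refused by Jenkins; keep for trend review
    if user == "-":
        return "critical"  # anonymous client reached the console: endpoint exposed
    if method == "POST":
        return "high"      # authenticated script execution: audit who ran what
    return "medium"        # authenticated user opened the console form


def scan_access_log(text):
    """Return (severity, ip, user, method, path, status) per console request."""
    findings = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        path = m["path"].split("?", 1)[0].rstrip("/")  # drop query, trailing slash
        if path not in CONSOLE_PATHS:
            continue
        status = int(m["status"])
        findings.append((classify(m["user"], m["method"], status),
                         m["ip"], m["user"], m["method"], path, status))
    return findings


if __name__ == "__main__":
    for sev, ip, user, method, path, status in scan_access_log(SAMPLE_LOG):
        print(f"{sev:8} {ip:14} user={user:6} {method:4} {path} -> {status}")
```

On the sample above the two anonymous requests from 203.0.113.10 rank critical, alice's POST ranks high, and the rejected 403 ranks low; the job console request is ignored.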
The development comes as cryptocurrency thefts arising from hacks and exploits have surged in the first half of 2024, allowing threat actors to plunder $1.38 billion, up from $657 million year-over-year.
“The top five hacks and exploits accounted for 70% of the total amount stolen so far this year,” blockchain intelligence platform TRM Labs said. “Private key and seed phrase compromises remain a top attack vector in 2024, alongside smart contract exploits and flash loan attacks.”