Users once again urged to update to version 2.154
Attackers are searching for unpatched Jenkins servers to conduct cryptomining campaigns through the open source automation tool, a security researcher has found.
The critical vulnerability, first disclosed in December 2018 as CVE-2018-1000861, affects users running Jenkins versions 2.153 or earlier on Apache.
An advisory issued last year warned that attackers could perform certain unauthorized actions on thousands of Jenkins servers due its Stapler web framework used for HTTP request handling.
The impact of the vulnerability at the time when a fix was issued was expected to be limited despite the large attack surface and potential for remote code execution (RCE).
Now, security researcher Renato Marinho has detailed an instance of the vulnerability being exploited in the wild to mine cryptocurrency.
Writing in a blog post, Marinho explains how attackers are using a Monero cryptominer dropper to expand undetected throughout the infected Jenkins system.
“The dropper named ‘Kerberods’ caught my attention due to the way it is packed and the way it acts if it has ‘root’ privileges on the machine,” Marinho said.
“After analyzing the binary, I could see that the packer used was a custom version of UPX.”
UPX is an open source software that can be easily modified to make unpacking files difficult, Marinho explained.
“Fortunately, in this case, the UPX customizations involved just the modification of the magic constant UPX_MAGIC_LE32 from ‘UPX’ to some other three letters.
“Thus, reverting it to UPX in different parts of the binary, it was possible to unpack the binary with the regular version of UPX.”
Kerberods obfuscates itself if it achieves root privileges on the machine.
“If it is the case, it drops, compiles and loads a library into the operating system that hooks different functions of Glibc to modify its behaviour,” Marinho said.
“In other words, it acts like a rootkit.”
Marinho, who is the chief research officer at Morphus Labs and handler at SANS iSC, had no estimation of how many servers were still exposed to the vulnerability, but added how it was possible that it was being used in more targeted attacks.
He told The Daily Swig that users should check to see if their Jenkins server has been compromised.
“Especially for cases that Jenkins is running with root privileges it may be a little bit trickier to confirm the infection due to the malware’s rootkit capabilities,” he said.
It is not known how much cryptocurrency is being mined in this way.
In February the security firm Check Point discovered that hackers had accumulated over $3 million in Monero through a separate vulnerability in the automation technology..
“As the campaign use a private mining pool, possible provided by the attack group, I could not see wallet addresses or the amount they have taken,” Marino said.