Cybersecurity researchers have found that attackers can weaponize improperly configured Jenkins Script Console instances to further criminal activities such as cryptocurrency mining.
"Misconfigurations such as improperly set up authentication mechanisms expose the '/script' endpoint to attackers," Trend Micro's Shubham Singh and Sunil Bharti said in a technical write-up published last week. "This can lead to remote code execution (RCE) and misuse by malicious actors."
Jenkins, a popular continuous integration and continuous delivery (CI/CD) platform, features a Groovy script console that allows users to run arbitrary Groovy scripts within the Jenkins controller runtime.
The project maintainers, in the official documentation, explicitly note that the web-based Groovy shell can be used to read files containing sensitive data (e.g., "/etc/passwd"), decrypt credentials configured within Jenkins, and even reconfigure security settings.
The console "offers no administrative controls to stop a user (or admin) once they are able to execute the Script Console from affecting all parts of the Jenkins infrastructure," reads the documentation. "Granting a normal Jenkins user Script Console Access is essentially the same as giving them Administrator rights within Jenkins."
While access to the Script Console is typically limited to authenticated users with administrative permissions, misconfigured Jenkins instances could inadvertently make the "/script" (or "/scriptText") endpoint reachable over the internet without authentication, making it ripe for exploitation by attackers looking to run arbitrary commands on the controller. Unlike "/script", which renders an HTML form, "/scriptText" accepts a POST with a "script" parameter and returns the script's output as plain text, which is what makes it convenient for automated abuse.
Trend Micro said it found instances of threat actors exploiting the Jenkins Groovy plugin misconfiguration to execute a Base64-encoded string containing a malicious script that's designed to mine cryptocurrency on the compromised server by deploying a miner payload hosted on berrystore[.]me and setting up persistence.
"The script ensures it has enough system resources to perform the mining effectively," the researchers said. "To do this, the script checks for processes that consume more than 90% of the CPU's resources, then proceeds to kill these processes. Additionally, it will terminate all stopped processes."
To safeguard against such exploitation attempts, it's recommended to ensure proper configuration (an enabled security realm and an authorization strategy that grants Overall/Administer only to trusted accounts), implement robust authentication and authorization, conduct regular audits of which principals can reach the Script Console, and restrict Jenkins servers from being publicly exposed on the internet.
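The audit recommended above can be automated against an instance you own or are authorized to test. The following is an added example written for this page, not Trend Micro's or the Jenkins project's code: it POSTs a harmless Groovy one-liner to the "/scriptText" endpoint with no credentials and reports whether the Script Console executed it. The probe string, the verdict names and the "csrf_blocked" retry logic are this example's own choices; the "/scriptText" and "/crumbIssuer/api/json" paths and the "No valid crumb" wording are standard Jenkins behaviour.

```python
"""
Added audit helper (not Trend Micro's or the Jenkins project's code).

Sends a benign Groovy script to <jenkins>/scriptText as an anonymous client.
If the marker comes back in the response body, anonymous users can run
arbitrary Groovy on the controller, which is equivalent to admin access.
"""
import http.cookiejar
import json
import sys
import urllib.error
import urllib.parse
import urllib.request

# Benign probe: only prints a marker, so a successful run is easy to recognise.
# (Marker value is an arbitrary constant chosen for this example.)
MARKER = "jenkins-script-console-probe-7f3a"
PROBE_SCRIPT = f'println("{MARKER}")'


def classify(status: int, body: str) -> str:
    """Map the HTTP status/body of a POST to /scriptText onto a verdict."""
    lowered = body.lower()
    if status == 200 and MARKER in body:
        return "exposed"        # script ran and echoed: anonymous RCE
    if status == 403 and "crumb" in lowered:
        return "csrf_blocked"   # CSRF filter rejected the POST, not the user
    if status in (401, 403):
        return "auth_required"  # endpoint present, anonymous is denied
    if status == 404:
        return "not_found"      # no /scriptText here (not Jenkins, or rewritten)
    return "unknown"            # e.g. a proxy login page served with 200


def _make_opener() -> urllib.request.OpenerDirector:
    # A cookie jar is required: Jenkins ties the CSRF crumb to the session,
    # so the crumb fetch and the probe must share the JSESSIONID cookie.
    jar = http.cookiejar.CookieJar()
    return urllib.request.build_opener(urllib.request.HTTPCookieProcessor(jar))


def _post(opener, url: str, form: dict, headers: dict, timeout: float):
    data = urllib.parse.urlencode(form).encode()
    req = urllib.request.Request(url, data=data, headers=headers, method="POST")
    try:
        with opener.open(req, timeout=timeout) as resp:
            return resp.status, resp.read().decode(errors="replace")
    except urllib.error.HTTPError as err:
        return err.code, err.read().decode(errors="replace")


def fetch_crumb(opener, base_url: str, timeout: float) -> dict:
    """Return {crumbRequestField: crumb} from /crumbIssuer/api/json, or {}."""
    try:
        with opener.open(base_url + "/crumbIssuer/api/json", timeout=timeout) as resp:
            issuer = json.loads(resp.read())
        return {issuer["crumbRequestField"]: issuer["crumb"]}
    except (urllib.error.URLError, KeyError, ValueError):
        return {}


def probe(base_url: str, timeout: float = 10.0) -> str:
    """Probe one Jenkins base URL and return a verdict string."""
    base_url = base_url.rstrip("/")
    url = base_url + "/scriptText"
    opener = _make_opener()
    verdict = classify(*_post(opener, url, {"script": PROBE_SCRIPT}, {}, timeout))
    if verdict == "csrf_blocked":
        # A crumb is issued to anonymous sessions too when no login is needed,
        # so retrying with one separates CSRF-only blocking from real auth.
        crumb = fetch_crumb(opener, base_url, timeout)
        if crumb:
            verdict = classify(*_post(opener, url, {"script": PROBE_SCRIPT}, crumb, timeout))
    return verdict


if __name__ == "__main__":
    for target in sys.argv[1:]:
        print(f"{target}: {probe(target)}")
```

Run it as `python3 jenkins_script_probe.py https://jenkins.example.internal` (hypothetical host). Any result other than "auth_required" or "not_found" deserves a look: "exposed" means anonymous RCE on the controller; "csrf_blocked" that persists after the crumb retry usually means the crumb issuer itself is behind the login, which is fine, but confirm in the instance's security settings; "unknown" typically means a reverse proxy answered instead of Jenkins. The probe is deliberately side-effect free, but it still executes code on the target, so run it only against instances you are authorized to test.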
The development comes as cryptocurrency thefts arising from hacks and exploits have surged in the first half of 2024, allowing threat actors to plunder $1.38 billion, up from $657 million year-over-year.
"The top five hacks and exploits accounted for 70% of the total amount stolen so far this year," blockchain intelligence platform TRM Labs said. "Private key and seed phrase compromises remain a top attack vector in 2024, alongside smart contract exploits and flash loan attacks."