Hackers use Jenkins script console for cryptocurrency mining attacks

09 July 2024 | Press release | CI/CD security, server security

Cybersecurity researchers have discovered that attackers can weaponize misconfigured Jenkins Script Console instances to conduct criminal activities such as cryptocurrency mining.

“Misconfigurations such as incorrectly set up authentication mechanisms expose the ‘/script’ endpoint to attackers,” said Shubham Singh and Sunil Bharti of Trend Micro in a technical report published last week. “This can lead to remote code execution (RCE) and abuse by malicious actors.”

Jenkins, a popular continuous integration and continuous delivery (CI/CD) platform, has a Groovy scripting console that allows users to run arbitrary Groovy scripts within the Jenkins controller runtime.

The project maintainers explicitly point out in the official documentation that the web-based Groovy shell can be used to read files containing sensitive data (e.g. “/etc/passwd”), decrypt credentials configured in Jenkins, and even reconfigure security settings.

The console “does not provide any administrative controls to prevent a user (or administrator) from affecting all parts of the Jenkins infrastructure once they can run the script console,” the documentation states. “Granting a regular Jenkins user access to the script console is essentially the same as granting them administrative privileges within Jenkins.”

While access to the script console is normally restricted to authenticated users with administrative privileges, misconfigured Jenkins instances can inadvertently expose the /script (or /scriptText) endpoint over the Internet, making it vulnerable to attackers attempting to execute dangerous commands.

Trend Micro said it found cases where threat actors exploited the misconfiguration of the Jenkins Groovy plugin to execute a Base64-encoded string containing a malicious script designed to mine cryptocurrency on the compromised server by deploying a miner payload hosted on Berrystore(.)me and establishing persistence.

“The script ensures that it has enough system resources to perform mining effectively,” the researchers said. “To do this, the script looks for processes that consume more than 90% of CPU resources and then terminates those processes. In addition, it terminates all stopped processes.”

To protect against such abuse attempts, it is recommended to ensure proper configuration, implement robust authentication and authorization, perform regular audits, and prevent public accessibility of Jenkins servers on the Internet.
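The "regular audits" recommendation above is easiest to act on at the HTTP layer: every request that reaches the Groovy console goes through the `/script` or `/scriptText` path, so a reverse-proxy access log tells you who touched it and whether the controller answered. The following is an added example written for this page, not code from the article or from Trend Micro. It assumes (as a constructed setup) that the Jenkins controller sits behind a proxy writing combined-format access logs whose third field carries the authenticated user (`-` for anonymous), and it flags the case that matters most for the misconfiguration described here: the console served with HTTP 200 to an anonymous client. The sample log lines are constructed for the example.

```python
"""Flag Jenkins access-log entries that touch the Groovy script console.

Added example for this article (not the article's or Trend Micro's code).
Assumption: Jenkins runs behind a reverse proxy that writes combined-format
access logs; the third field is the authenticated user ("-" when anonymous).
"""
import re
from dataclasses import dataclass
from typing import Iterable, List, Optional

# Combined log format: ip ident user [timestamp] "METHOD path proto" status size
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ (?P<user>\S+) \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) \S+'
)

# Both paths reach the script console; /scriptText is the non-HTML variant
# automation (and attack scripts) typically call. Matching on the suffix also
# catches a context path (/jenkins/script) and per-node consoles
# (/computer/<node>/script).
CONSOLE_SUFFIXES = ("/script", "/scriptText")


@dataclass
class Finding:
    ip: str
    user: str
    path: str
    status: int
    reason: str


def is_console_path(path: str) -> bool:
    """True when the request path (query string removed) is a script console."""
    base = path.split("?", 1)[0].rstrip("/")
    return any(base.endswith(suffix) for suffix in CONSOLE_SUFFIXES)


def classify(line: str) -> Optional[Finding]:
    """Return a Finding for a console request, None for anything else."""
    m = LOG_RE.match(line)
    if not m or not is_console_path(m.group("path")):
        return None
    user, status, method = m.group("user"), int(m.group("status")), m.group("method")
    if user == "-" and status == 200:
        # The exact misconfiguration in the article: console reachable without auth.
        reason = "script console served to an anonymous request"
    elif method == "POST" and status == 200:
        # Legitimate, but every script execution deserves an audit-trail entry.
        reason = f"script executed by {user}"
    elif status in (401, 403):
        reason = "blocked: access denied"  # expected behaviour on a hardened instance
    else:
        reason = f"console request ({method} {status})"
    return Finding(m.group("ip"), user, m.group("path"), status, reason)


def scan(lines: Iterable[str]) -> List[Finding]:
    """Classify every line; keep only the ones that touched the console."""
    return [f for f in (classify(l) for l in lines) if f is not None]


def critical(findings: Iterable[Finding]) -> List[Finding]:
    """Findings that prove the console is exposed to unauthenticated clients."""
    return [f for f in findings if f.user == "-" and f.status == 200]


# Constructed sample log lines (documentation IP ranges, not real traffic).
SAMPLE = [
    '10.0.0.5 - - [09/Jul/2024:10:15:02 +0000] "GET /script HTTP/1.1" 403 1234',
    '203.0.113.7 - - [09/Jul/2024:10:15:10 +0000] "POST /scriptText HTTP/1.1" 200 56',
    '10.0.0.8 - alice [09/Jul/2024:10:16:00 +0000] "POST /jenkins/script HTTP/1.1" 200 9021',
    '10.0.0.9 - bob [09/Jul/2024:10:16:30 +0000] "GET /job/build/1/console HTTP/1.1" 200 4400',
]

if __name__ == "__main__":
    for f in scan(SAMPLE):
        print(f"{f.ip:>14} {f.user:>6} {f.status} {f.path:<20} {f.reason}")
```

On a correctly configured controller every anonymous hit on these paths should show up as 401/403; a single anonymous 200 on `/scriptText` is the signal to treat the instance as compromised rather than merely exposed, since the article's miner was delivered through exactly that path.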

The development comes as cryptocurrency thefts through hacks and exploits skyrocketed in the first half of 2024, allowing threat actors to loot $1.38 billion, up from $657 million a year earlier.

“The top five hacks and exploits accounted for 70% of all theft this year,” said blockchain intelligence platform TRM Labs. “Private key and seed phrase compromises will remain a top attack vector in 2024, alongside smart contract exploits and flash loan attacks.”
