A hacker group has made over $3 million by breaking into Jenkins servers and installing malware that mines the Monero cryptocurrency.
Hackers are targeting
Jenkins, a continuous integration/deployment web application built in Java that allows dev teams to run automated tests and execute various operations based on test results, including deploying new code to production servers. Because of this, Jenkins servers are extremely popular with both freelance web developers, but also with large enterprises.
A cyber security research firm announced it uncovered the footprint of a large hacking operation targeting Jenkins servers left connected to the Internet.
Hackers using Jenkins RCE flaw
Attackers were leveraging
CVE-2017-1000353, a vulnerability in the Jenkins Java deserialization implementation that allows attackers to run malicious code remotely without needing to authenticate first. Hackers used this vulnerability to make Jenkins servers download and install a
Monero miner (minerxmr.exe).
The miner was being downloaded from an IP address located in
China and assigned to the Huaian government network. It is unclear if this is the attacker's server, or a compromised server used to host the miner on behalf of the hackers.
The attackers have been active for months. This has allowed them to mine and already
cash out over 10,800 Monero, which is over $3.4 million, at the time of writing.
Researchers say the group appears to have compromised mostly Jenkins instances running on Windows operating systems.
Over 25,000 Jenkins servers left exposed online
Attackers aren't the only ones who've noticed the large number of Jenkins servers available online. In mid-January, security researcher Mikail Tunç published
research highlighting that there were over 25,000 Jenkins servers left exposed to Internet connections at the time of his research.
Also on Friday, Researchers released new research on other hackers leveraging the
CVE-2017-10271 flaw to infect Oracle WebLogic servers with malware. This vulnerability has been under active exploitation
since early December 2017, and one group has already made
more than $226,000.
Besides Jenkins and
Oracle WebLogic servers, hackers are also targeting
Ruby on Rails, PHP, and IIS servers, also deploying Monero-mining malware.
Monero-mining malware is already this year's biggest
malware trend/problem, with numerous malware distribution campaigns spreading such payloads on any unsecured computer/server crooks can get their hands on.