Year-old vuln turns Jenkins servers into Monero mining slaves

Here's a salutary reminder why it pays to patch promptly: a Jenkins bug patched last year became the vector for a multi-million-dollar cryptocurrency mining hijack.

A campaign security researchers dubbed “JenkinsMiner” exploited CVE-2017-1000353, a deserialisation bug first disclosed with fixes by the Jenkins team in April 2017.

According to Check Point researchers, that bug helped an attacker, believed to be from China, use Jenkins servers as mining rigs – after they'd already garnered US$3 million of Monero using the XMRig miner on exploited Windows machines.

On un-patched systems, just two commands sent to the Jenkins CLI trigger CVE-2017-1000353.

Next, they wrote, the attacker sends a request containing two objects, “Capability” and “Command”. It's the second of these that contains the Monero miner payload.

Once the Jenkins server is compromised, the attack launches a hidden PowerShell instance so the script can run in the background, and the attack sets a variable to a web-client object, with scrambled case to try and confuse security products.

That command fetches the miner's executable and the script starts the miner.

Check Point's estimated income came from a detail of how the attacker works: funds from their different operations are sent to a single Monero wallet.

Earlier this year, an old bug in Oracle's WebLogic server was also exploited to plant XMRig. That attack was discovered by Morpheus Labs' Renato Marinho and disclosed in a post at the SANS Institute. The SANS Dean of Research Johannes Ullrich noted that XMRig itself is considered a legitimate miner. ®