Hackers made $3.4 million by installing miners on Jenkins servers

Share this…

Hacker Group Makes $3 Million in a few months by Installing Monero Miners on Jenkins Servers.

According to an information security researcher, a criminal group has made $3.4 million by compromising Jenkins servers and installing a Monero cryptocurrency miner called JenkinsMiner.

“The person responsible, has been running the XMRig miner on many versions of Windows, and has already secured him over $3 million worth of Monero crypto-currency. The criminal has now upped his game by targeting the powerful Jenkins CI server, giving him the capacity to generate even more coins”, states a cyber security firm.

Jenkins logo

Jenkins is the most popular open source automation server; it is maintained by CloudBees and the Jenkins community. The automation server supports developers build, test and deploy their applications, it has more than 133,000 active installations worldwide with more than 1 million users.

The person behind the massive mining operation was leveraging the CVE-2017-1000353 RCE vulnerability in the Jenkins Java deserialization implementation.

The vulnerability is due to lack of validation of the serialized object, its exploitation allowed the attackers to make Jenkins servers download and install the JenkinsMiner, according to a cyber security expert.

“The operation uses a hybridization of a Remote Access Trojan (RAT) and XMRig miner over the past months to target victims around the globe. The miner is capable of running on many platforms and Windows versions. With every campaign, the malware has gone through several updates and the mining pool used to transfer the profits is also changed.” continues the statement.

A good number of the downloads for the JenkinsMiner are from IP address located in China and assigned to the Huai´an government information center, of course, we are not able to determine if the server was compromised or explicitly used by state-sponsored hackers.

In January, information security expert Mikail Tunç analyzed Jenkins servers exposed online discovering that many instances leak sensitive information.

Mikail Tunç said that Jenkins usually requires credentials to the code repository and access to an environment in which to deploy the code, usually GitHub, AWS, and Azure. Failure to configure the application correctly can expose data.

The information security researcher discovered that many misconfigured systems provided guest or administrator permissions by default, while others allowed guest or admin access to anyone who registered an account.