Turning Jenkins Into a Cryptomining Machine From an Attacker's Perspective

July 5, 2024, 4:21 p.m.

Description

This report analyzes how threat actors can exploit misconfigured Jenkins servers to execute malicious Groovy scripts, leading to activities like deploying cryptocurrency miners. Misconfigurations exposing the /script endpoint allow remote code execution, enabling attackers to run scripts that download and execute miner binaries while maintaining persistence through cron jobs and systemd utilities.
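A detection sketch for the exposure described above, added here as an example and not taken from the report: it scans web access logs for requests that reach the Jenkins script console and flags the ones that were served anonymously, came from outside an admin network, or submitted a script. It assumes NCSA combined-format access logs; the admin subnet and the sample log lines are constructed for illustration, and /scriptText is the console's plain-text variant in Jenkins.

```python
import re
from ipaddress import ip_address, ip_network

# Assumption: Jenkins or the reverse proxy in front of it writes NCSA combined logs.
LOG_RE = re.compile(
    r'^(?P<src>\S+) \S+ (?P<user>\S+) \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) '
)
# Matches /script and /scriptText, with or without a context prefix (/jenkins/script).
CONSOLE_RE = re.compile(r'/script(Text)?/?(\?.*)?$')
ADMIN_NETS = [ip_network("10.20.0.0/24")]  # hypothetical admin subnet

# Constructed sample log lines (documentation address ranges, not real traffic).
SAMPLE = [
    '10.20.0.5 - alice [05/Jul/2024:15:01:02 +0000] "GET /script HTTP/1.1" 200 5120 "-" "Mozilla/5.0"',
    '203.0.113.7 - - [05/Jul/2024:15:03:10 +0000] "GET /script HTTP/1.1" 200 5120 "-" "curl/8.0"',
    '203.0.113.7 - - [05/Jul/2024:15:03:12 +0000] "POST /script HTTP/1.1" 200 6001 "-" "curl/8.0"',
    '203.0.113.9 - - [05/Jul/2024:15:04:00 +0000] "GET /script HTTP/1.1" 403 810 "-" "curl/8.0"',
    '10.20.0.5 - alice [05/Jul/2024:15:05:00 +0000] "GET /job/build/ HTTP/1.1" 200 900 "-" "Mozilla/5.0"',
]

def console_hits(lines, admin_nets=ADMIN_NETS):
    """Return (ts, src, method, path, status, reasons) for suspicious console requests."""
    findings = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m or not CONSOLE_RE.search(m["path"]):
            continue
        try:
            outside = not any(ip_address(m["src"]) in net for net in admin_nets)
        except ValueError:  # logged a hostname instead of an IP: treat as unknown origin
            outside = True
        served = m["status"] == "200"
        reasons = []
        if m["user"] == "-" and served:
            reasons.append("anonymous request served")
        if outside:
            reasons.append("source outside admin networks")
        if m["method"] == "POST" and served:
            reasons.append("script submitted")
        if reasons:
            findings.append((m["ts"], m["src"], m["method"], m["path"],
                             int(m["status"]), reasons))
    return findings

if __name__ == "__main__":
    for finding in console_hits(SAMPLE):
        print(finding)
```

A job or folder literally named "script" would also match the path pattern, so findings should be triaged against the Jenkins job list.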

Date

  • Created: July 5, 2024, 3:26 p.m.
  • Published: July 5, 2024, 3:26 p.m.
  • Modified: July 5, 2024, 4:21 p.m.

Indicators

  • 57fedfb431a717031f454d4fb2809d1f6d432a9edd900b07f0b9f9aca7fb3597
  • 119cdc48db534c6093a24e78120c433480c5fb3f4a1a79270a78d9bf049fbe1c
  • 07ca2a2e0d6ccfcef2cb010fe80a831c963755cc6179aaa95fe6e04d7d076c89
  • berrystore.me