Turning Jenkins Into a Cryptomining Machine From an Attacker's Perspective

July 5, 2024, 4:21 p.m.

Description

This report analyzes how threat actors can exploit misconfigured Jenkins servers to execute malicious Groovy scripts, leading to activities like deploying cryptocurrency miners. Misconfigurations exposing the /script endpoint allow remote code execution, enabling attackers to run scripts that download and execute miner binaries while maintaining persistence through cron jobs and systemd utilities.

Date

Published: July 5, 2024, 3:26 p.m.
Created: July 5, 2024, 3:26 p.m.
Modified: July 5, 2024, 4:21 p.m.

Indicators

57fedfb431a717031f454d4fb2809d1f6d432a9edd900b07f0b9f9aca7fb3597

119cdc48db534c6093a24e78120c433480c5fb3f4a1a79270a78d9bf049fbe1c

07ca2a2e0d6ccfcef2cb010fe80a831c963755cc6179aaa95fe6e04d7d076c89

Attack Patterns

T1053.003

T1053.006

T1071.001

T1222.002

T1057

T1105

T1496

T1083

T1140

T1190