Cybersecurity researchers have found that attackers can weaponize improperly configured Jenkins Script Console instances to further illicit activity such as cryptocurrency mining.
"Misconfigurations such as improperly set up authentication mechanisms expose the '/script' endpoint to attackers," Trend Micro's Shubham Singh and Sunil Bharti said in a technical write-up published last week. "This can lead to remote code execution (RCE) and misuse by malicious actors."
Jenkins, a popular continuous integration and continuous delivery (CI/CD) platform, features a Groovy script console that allows users to run arbitrary Groovy scripts within the Jenkins controller runtime.
The project maintainers, in the official documentation, explicitly note that the web-based Groovy shell can be used to read files containing sensitive data (e.g., "/etc/passwd"), decrypt credentials configured within Jenkins, and even reconfigure security settings.
The console "offers no administrative controls to stop a user (or admin) once they are able to execute the Script Console from affecting all parts of the Jenkins infrastructure," reads the documentation. "Granting a normal Jenkins user Script Console Access is essentially the same as giving them Administrator rights within Jenkins."
While access to the Script Console is normally limited to authenticated users with administrative permissions, a misconfigured Jenkins instance can inadvertently expose the "/script" endpoint (or "/scriptText", its non-interactive variant that takes the script as a POST parameter and returns the output as plain text, which is what automated tooling uses) to the internet, making it ripe for exploitation by attackers looking to run dangerous commands.
Trend Micro said it observed threat actors exploiting the Jenkins Groovy plugin misconfiguration to execute a Base64-encoded string containing a malicious script designed to mine cryptocurrency on the compromised server, deploying a miner payload hosted on berrystore[.]me and setting up persistence.
"The script ensures it has enough system resources to perform the mining effectively," the researchers said. "To do this, the script checks for processes that consume more than 90% of the CPU's resources, then proceeds to kill these processes. Furthermore, it will terminate all stopped processes."
To safeguard against such exploitation attempts, the researchers recommend ensuring proper configuration, implementing robust authentication and authorization, conducting regular audits, and keeping Jenkins controllers off the public internet.
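The abuse described above leaves a recognisable trace wherever a reverse proxy (or Jenkins' own access logger) records requests to the controller: a 200 response on "/script" or "/scriptText" from an address that is not an administrator's workstation, and, when the attacker passes the script in the query string rather than the POST body, the decode-and-execute pattern itself. The following detector is an added example, not code from the Trend Micro write-up or from the Jenkins project. The log lines are constructed in NCSA combined format, the Base64 blob decodes to a harmless `echo hello`, and the allowlist of admin addresses, the regex for the `echo ... | base64 -d | sh` idiom and the severity labels are all assumptions for illustration.

```python
"""Flag Jenkins Script Console hits in a proxy access log and decode any
Base64 "echo ...|base64 -d|sh" payload carried in the script parameter.

Added example; log lines below are constructed, not real traffic."""
import base64
import binascii
import re
from typing import Dict, List, Optional
from urllib.parse import parse_qs, urlsplit

# Constructed sample (NCSA combined format). Line 2 is a Script Console
# hit with the Groovy script in the query string; line 3 is an admin from
# an allowlisted address opening the interactive console.
SAMPLE_LOG = """\
203.0.113.7 - - [03/Jul/2024:10:14:02 +0000] "GET /login HTTP/1.1" 200 2411 "-" "Mozilla/5.0"
203.0.113.7 - - [03/Jul/2024:10:14:05 +0000] "POST /scriptText?script=%5B%22%2Fbin%2Fsh%22%2C%22-c%22%2C%22echo+ZWNobyBoZWxsbw%3D%3D%7Cbase64+-d%7Csh%22%5D.execute%28%29 HTTP/1.1" 200 12 "-" "python-requests/2.31"
10.0.0.5 - admin [03/Jul/2024:10:15:00 +0000] "GET /script HTTP/1.1" 200 5120 "https://ci.example.test/manage" "Mozilla/5.0"
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ (?P<user>\S+) \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<uri>\S+) [^"]*" (?P<status>\d{3}) \S+'
)
SCRIPT_PATHS = {"/script", "/scriptText"}

# Assumed shape of the in-memory loader: echo/printf of a Base64 blob piped
# into base64 -d. Real payloads vary; extend as needed.
B64_EXEC_RE = re.compile(
    r'(?:echo|printf)\s+["\']?([A-Za-z0-9+/=]{16,})["\']?\s*\|\s*base64\s+(?:-d|--decode)'
)


def decode_b64_exec(groovy: str) -> Optional[str]:
    """Return the decoded shell payload if the Groovy text carries one."""
    m = B64_EXEC_RE.search(groovy)
    if not m:
        return None
    try:
        return base64.b64decode(m.group(1), validate=True).decode("utf-8", "replace")
    except (binascii.Error, ValueError):
        return None


def analyze(log_text: str, allowed_admin_ips=frozenset()) -> List[Dict]:
    """One finding per request that reached /script or /scriptText.

    Severity: 'info' for a success from an allowlisted admin address,
    'high' for a 200 from anywhere else (a secured controller answers
    anonymous callers with 403 or a login redirect, so 200 means the
    endpoint is open), 'critical' when a decodable payload is present.
    The remote-user field is only populated for HTTP basic auth, so it is
    recorded but not trusted for the verdict.
    """
    findings = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        parts = urlsplit(m["uri"])
        if parts.path not in SCRIPT_PATHS:
            continue
        status = int(m["status"])
        script = parse_qs(parts.query).get("script", [""])[0]
        decoded = decode_b64_exec(script)
        if decoded is not None:
            severity = "critical"
        elif status == 200 and m["ip"] not in allowed_admin_ips:
            severity = "high"
        else:
            severity = "info"
        findings.append({
            "ip": m["ip"], "user": m["user"], "method": m["method"],
            "path": parts.path, "status": status,
            "severity": severity, "decoded": decoded,
        })
    return findings


if __name__ == "__main__":
    for f in analyze(SAMPLE_LOG, allowed_admin_ips={"10.0.0.5"}):
        print(f)
```

Because POST bodies are not written to access logs, the decoded payload is a bonus rather than the primary signal; the dependable indicator is any successful request to the two endpoints from outside the set of addresses that are supposed to administer the controller.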
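The "proper configuration" and "regular audits" advice above can be made concrete by checking the controller's config.xml for the settings that make the Script Console reachable without credentials. The script below is an added example, not Jenkins project code: the two XML documents are constructed to mirror the element and class names Jenkins writes (`useSecurity`, `authorizationStrategy`, `securityRealm`), the weak one beside a hardened one, and the list of permissions treated as equivalent to console access is an assumption (`RunScripts` existed as a separate permission only in older releases before being folded into `Administer`).

```python
"""Audit a Jenkins controller config.xml for settings that leave the
Script Console open. Added example; the XML samples are constructed."""
import xml.etree.ElementTree as ET
from typing import List

# Constructed: security switched off, no authorization, no authentication.
WEAK_CONFIG = """<hudson>
  <useSecurity>false</useSecurity>
  <authorizationStrategy class="hudson.security.AuthorizationStrategy$Unsecured"/>
  <securityRealm class="hudson.security.SecurityRealm$None"/>
</hudson>
"""

# Constructed: matrix authorization with Administer limited to one group,
# a local user database with self-signup disabled.
HARDENED_CONFIG = """<hudson>
  <useSecurity>true</useSecurity>
  <authorizationStrategy class="hudson.security.GlobalMatrixAuthorizationStrategy">
    <permission>hudson.model.Hudson.Administer:ci-admins</permission>
    <permission>hudson.model.Hudson.Read:authenticated</permission>
    <permission>hudson.model.Item.Read:authenticated</permission>
  </authorizationStrategy>
  <securityRealm class="hudson.security.HudsonPrivateSecurityRealm">
    <disableSignup>true</disableSignup>
  </securityRealm>
</hudson>
"""

# Permissions that amount to Script Console access (assumed list).
CONSOLE_EQUIVALENT = {"hudson.model.Hudson.Administer", "hudson.model.Hudson.RunScripts"}


def _is_true(text) -> bool:
    return (text or "").strip().lower() == "true"


def audit_config(xml_text: str) -> List[str]:
    """Return a list of findings; an empty list means nothing flagged."""
    root = ET.fromstring(xml_text)
    findings = []

    if not _is_true(root.findtext("useSecurity")):
        findings.append("useSecurity is not true: security is disabled entirely")

    strat = root.find("authorizationStrategy")
    cls = strat.get("class", "") if strat is not None else ""
    if strat is None or cls.endswith("AuthorizationStrategy$Unsecured"):
        findings.append("authorizationStrategy is Unsecured: anyone can reach /script")
    elif cls.endswith("FullControlOnceLoggedInAuthorizationStrategy"):
        if not _is_true(strat.findtext("denyAnonymousReadAccess")):
            findings.append("anonymous read access is allowed; every login gets full control")
    elif cls.endswith("MatrixAuthorizationStrategy"):
        for p in strat.findall("permission"):
            # Entries look like PERM:sid or TYPE:PERM:sid in newer releases.
            fields = (p.text or "").strip().split(":")
            if len(fields) < 2:
                continue
            perm, sid = fields[-2], fields[-1]
            if sid in ("anonymous", "authenticated") and perm in CONSOLE_EQUIVALENT:
                findings.append(f"{perm} granted to {sid}: Script Console open to that group")

    realm = root.find("securityRealm")
    rcls = realm.get("class", "") if realm is not None else ""
    if realm is None or rcls.endswith("SecurityRealm$None"):
        findings.append("securityRealm is None: no authentication at all")
    elif rcls.endswith("HudsonPrivateSecurityRealm") and not _is_true(realm.findtext("disableSignup")):
        findings.append("self-signup is enabled on the local user database")

    return findings


if __name__ == "__main__":
    for name, cfg in (("weak", WEAK_CONFIG), ("hardened", HARDENED_CONFIG)):
        print(name, audit_config(cfg) or ["no findings"])
```

Running this against $JENKINS_HOME/config.xml on a schedule is the cheap form of the "regular audit" the researchers ask for; pair it with network controls so the controller is not reachable from the internet even if a finding slips through.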
The development comes as cryptocurrency thefts arising from hacks and exploits surged in the first half of 2024, allowing threat actors to plunder $1.38 billion, up from $657 million year-over-year.
"The top five hacks and exploits accounted for 70% of the total amount stolen so far this year," blockchain intelligence platform TRM Labs said. "Private key and seed phrase compromises remain a top attack vector in 2024, alongside smart contract exploits and flash loan attacks."