Hackers exploiting Jenkins servers made $3 million in one of the biggest malicious cryptocurrency mining operations ever.

If you run a Jenkins server, you might want to make sure it is fully patched, since researchers found “one of the biggest malicious mining operations ever discovered.” The cyber crooks have already made more than $3 million by installing malware that mines for Monero on vulnerable Windows machines. And now they are homing in on vulnerable, yet powerful, Jenkins servers.

“The operation uses a hybridization of a Remote Access Trojan (RAT) and XMRig miner” that is “capable of running on many platforms and Windows versions,” the security firm Check Point revealed. Most victims, so far, were “personal computers. With every campaign, the malware has gone through several updates and the mining pool used to transfer the profits is also changed.”

Over the past 18 months, the hackers have accumulated 10,800 Monero, which is currently worth $3,436,776.

“The perpetrator, allegedly of Chinese origin, has been running the XMRig miner on many versions of Windows, and has already secured him over $3 million worth of Monero crypto-currency,” added Check Point. “As if that wasn’t enough though, he has now upped his game by targeting the powerful Jenkins CI server, giving him the capacity to generate even more coins.”

With an estimated 1 million users, the Jenkins Continuous Integration server, an open-source automation server written in Java, has been called “the most widely deployed automation server.” Check Point referred to Jenkins as “the ‘go to’ CI and DevOps orchestration tool. Unfortunately, though, due to its incredible power, often hosted on large servers, this also makes it a prime target for crypto-mining attacks.”

The attackers are leveraging CVE-2017-1000353, a flaw disclosed in a Jenkins security advisory issued in April 2017.
Besides making the attackers millionaires, the “JenkinsMiner” could impact servers by slowing their performance and causing denial of service.

How the JenkinsMiner exploit campaign works

According to Check Point, the JenkinsMiner campaign involves sending two “subsequent requests to the CLI interface” so the “crypto-miner operator exploits the known CVE-2017-1000353 vulnerability in the Jenkins Java deserialization implementation. The vulnerability is due to lack of validation of the serialized object, which allows any serialized object to be accepted.”

After sending the first session request, the second crafted request is immediately issued. The second crafted request contains “two serialized objects with the injected PowerShell code to execute the JenkinsMiner.”

The miner was downloaded from an IP address in China which was assigned to the organization “Huaian E-Government Information Center.”

Despite there being multiple mining pools, the attack is using only one wallet. Check Point explained:

“Although the attack is well operated and maintained, and many mining-pools are used to collect the profits out of the infected machines, it seems that the operator uses only one wallet for all deposits and does not change it from one campaign to the next. So far, $3 million has been mined.”
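The article's advice is to make sure a Jenkins server is fully patched. As an added example (not from the article or from Check Point), the script below reads the version a Jenkins instance reports in its X-Jenkins response header and compares it against the fix versions from the April 2017 advisory, which I assume here to be weekly 2.57 and LTS 2.46.2 (the article itself does not quote them); LTS releases are told apart from weekly ones by their three-part version number.

```python
import re
import urllib.error
import urllib.request

# Fix versions from the Jenkins advisory for CVE-2017-1000353 (assumed here, not quoted on the page).
WEEKLY_FIXED = (2, 57)
LTS_FIXED = (2, 46, 2)


def parse_version(version: str) -> tuple:
    """Turn '2.57' (weekly) or '2.46.1' (LTS) into a tuple of ints."""
    m = re.fullmatch(r"(\d+)\.(\d+)(?:\.(\d+))?", version.strip())
    if not m:
        raise ValueError(f"unrecognised Jenkins version: {version!r}")
    return tuple(int(p) for p in m.groups() if p is not None)


def is_lts(parsed: tuple) -> bool:
    """LTS lines carry a third component (e.g. 2.46.2); weekly builds have two."""
    return len(parsed) == 3


def is_vulnerable(version: str) -> bool:
    """True if this version predates the fix for CVE-2017-1000353."""
    v = parse_version(version)
    return v < LTS_FIXED if is_lts(v) else v < WEEKLY_FIXED


def fetch_version(base_url: str, timeout: float = 5.0) -> str:
    """Read the X-Jenkins header; Jenkins sends it even on a 403 login redirect."""
    req = urllib.request.Request(base_url, method="GET")
    try:
        with urllib.request.urlopen(req, timeout=timeout) as resp:
            return resp.headers.get("X-Jenkins", "")
    except urllib.error.HTTPError as err:
        return err.headers.get("X-Jenkins", "")


if __name__ == "__main__":
    import sys
    # Usage: python check_jenkins.py https://jenkins.example.internal/  (hypothetical host)
    reported = fetch_version(sys.argv[1])
    state = "VULNERABLE" if is_vulnerable(reported) else "patched"
    print(f"Jenkins {reported}: {state} for CVE-2017-1000353")
```

Run it against your own instances only; a version at or above the fix line means this particular deserialization flaw is closed, not that the server is otherwise hardened.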