Hackers exploit Jenkins servers, make $3 million by mining Monero

If you run a Jenkins server, you might want to make sure it is fully patched, since researchers found “one of the biggest malicious mining operations ever discovered.” The cyber crooks have already made more than $3 million by installing malware that mines for Monero on vulnerable Windows machines. And now they are honing in on vulnerable, yet powerful, Jenkins servers.

“The operation uses a hybridization of a Remote Access Trojan (RAT) and XMRig miner” that is “capable of running on many platforms and Windows versions,” the security firm Check Point revealed. Most victims, so far, were “personal computers. With every campaign, the malware has gone through several updates and the mining pool used to transfer the profits is also changed.”

Over the past 18 months, the hackers have accumulated 10,800 Monero, which is currently worth $3,436,776.

“The perpetrator, allegedly of Chinese origin, has been running the XMRig miner on many versions of Windows, and has already secured him over $3 million worth of Monero crypto-currency,” added Check Point. “As if that wasn’t enough though, he has now upped his game by targeting the powerful Jenkins CI server, giving him the capacity to generate even more coins.”

With an estimated 1 million users, the Jenkins Continuous Integration server, an open-source automation server written in Java, has been called “the most widely deployed automation server.” Check Point referred to Jenkins as “the ‘go to’ CI and DevOps orchestration tool. Unfortunately, though, due to its incredible power, often hosted on large servers, this also makes it a prime target for crypto-mining attacks.”

The attackers are leveraging CVE-2017-1000353, a flaw disclosed in a Jenkins security advisory issued in April 2017. Besides making the attackers millionaires, the “JenkinsMiner” could impact servers by slowing their performance and issuing denial of service.

How the JenkinsMiner exploit campaign works

According to CheckPoint, the JenkinsMiner campaign involves sending two “subsequent requests to the CLI interface” so the “crypto-miner operator exploits the known CVE-2017-1000353 vulnerability in the Jenkins Java deserialization implementation. The vulnerability is due to lack of validation of the serialized object, which allows any serialized object to be accepted.”

After sending the first session request, the second crafted request is immediately issued. The second crafted request contains “two serialized objects with the injected PowerShell code to execute the JenkinsMiner.”

The miner was downloaded from an IP address in China which was assigned to the organization “Huaian E-Government Information Center.”

Despite there being multiple mining pools, the attack is using only one wallet. Check Point explained:

“Although the attack is well operated and maintained, and many mining-pools are used to collect the profits out of the infected machines, it seems that the operator uses only one wallet for all deposits and does not change it from one campaign to the next. So far, $3 million has been mined.”