Multiple D-Link Products Vulnerabilities
July 23, 2024Multiple Microsoft Windows Products Vulnerabilities
July 23, 2024Multiple D-Link Products Vulnerabilities
July 23, 2024Multiple Microsoft Windows Products Vulnerabilities
July 23, 2024Severity
High
Analysis Summary
It is conceivable for attackers to weaponize Jenkins Script Console instances that are configured incorrectly to support illegal operations like mining cryptocurrencies, according to cybersecurity researchers.
Attackers can access the '/script' endpoint due to misconfigurations, such as incorrectly configured authentication measures. Threat actors may take advantage of this and cause remote code execution (RCE). Users can run any Groovy script within the Jenkins controller runtime using the Groovy script console included in the well-known continuous integration and delivery (CI/CD) platform Jenkins.
The web-based Groovy shell can be used to read files holding sensitive information, decrypt passwords set up in Jenkins, and even adjust security settings, as the project maintainers openly state in the official documentation. Once a user (or administrator) can execute the Script Console, there are no administrative restrictions available in the console to prevent them from impacting any aspect of the Jenkins architecture. Giving an ordinary Jenkins user access to the Script Console is tantamount to granting them administrator privileges within the system.
Although authenticated users with administrative permissions are normally the only ones able to access Script Console, improperly configured Jenkins instances may unintentionally expose the "/script" (or "/scriptText") endpoint to the internet, leaving it vulnerable to attack by threat actors wishing to execute malicious commands. Researchers discovered cases where threat actors were able to run a malicious script encoded in Base64 and intended to mine cryptocurrency on the compromised server by deploying a miner payload hosted on berrystore[.]me and establishing persistence. This was done by taking advantage of a Jenkins Groovy plugin misconfiguration.
The script makes sure the system has sufficient resources to carry out the mining efficiently. To accomplish this, the script looks for processes that use more than 90% of the CPU's resources before killing them. Moreover, it will end all halted processes. It is recommended to make sure that the configuration is correct, to put strong authentication and authorization in place, to do frequent audits, and to prevent Jenkins servers from being publicly accessible online to protect against such exploitation efforts.
This development coincides with an increase in bitcoin thefts in the first half of 2024 due to breaches and exploits, which allowed threat actors to steal $1.38 billion, up from $657 million in the same period the previous year. This year, the top five exploits and hacks have taken 70% of the total money stolen. In 2024, smart contract exploits and flash loan attacks will still be the most common attack vectors, coupled with compromises of private keys and seed phrases.
Impact
- Remote Code Execution
- Exposure of Sensitive Data
- Privilege Escalation
- Cryptocurrency Theft
Indicators of Compromise
URL
- https://berrystore.me/line-auth/cex
- https://auto.c3pool.org:19999/
MD5
- 4963fb33ca90b2393505d93287daecdc
- d8c28fc0fad4d573818b587f95af5404
SHA-256
- 57fedfb431a717031f454d4fb2809d1f6d432a9edd900b07f0b9f9aca7fb3597
- 07ca2a2e0d6ccfcef2cb010fe80a831c963755cc6179aaa95fe6e04d7d076c89
SHA-1
- 3457db72ae702ce655f01dbf722d280dd8f69b42
- e5768a9f322164d82af5b15fe4ac84a29c8849de
Remediation
- Block all threat indicators at your respective controls.
- Search for indicators of compromise (IOCs) in your environment utilizing your respective security controls.
- Never trust or open links and attachments received from unknown sources/senders.
- Implement multi-factor authentication to add an extra layer of security to login processes.
- Regularly monitor network activity for any unusual behavior, as this may indicate that a cyberattack is underway.
- Organizations need to stay vigilant and follow best practices for cybersecurity to protect their systems and data from potential threats. This includes regularly updating software and implementing strong access controls and monitoring tools.
- Develop a comprehensive incident response plan to respond effectively in case of a security breach or data leakage.
- Maintain regular backups of critical data and systems to ensure data recovery in case of a security incident.
- Adhere to security best practices, including the principle of least privilege, and ensure that users and applications have only the necessary permissions.
- Establish a robust patch management process to ensure that security patches are evaluated, tested, and applied promptly.
- Conduct security audits and assessments to evaluate the overall security posture of your systems and networks.
- Implement network segmentation to contain and isolate potential threats to limit their impact on critical systems.