09 July 2024 | Newsroom | CI/CD Security / Server Security

Jenkins Groovy Plugin

Cybersecurity researchers have found that it is possible for attackers to weaponize misconfigured Jenkins Script console instances for further criminal activities such as cryptocurrency mining.

“Misconfigurations, such as improperly configured authentication mechanisms, expose the ‘/script’ endpoint to attackers,” Trend Micro’s Shubham Singh and Sunil Bharti said in a technical article published last week. “This can lead to remote code execution (RCE) and abuse by malicious actors.”

Jenkins, a popular continuous integration and continuous delivery (CI/CD) platform, features a Groovy Script console that allows users to run arbitrary Groovy scripts within the Jenkins controller runtime.


The project maintainers clearly note in the official documentation that the web-based Groovy shell can be used to read files containing sensitive data (for example, “/etc/passwd”) from the Jenkins controller, decrypt credentials configured inside Jenkins, and even reset security settings.

The console “offers no administrative controls to prevent a user (or admin) from affecting all parts of the Jenkins infrastructure once they are able to run the script console,” the documentation reads. “Giving a normal Jenkins user access to the script console is essentially equivalent to giving them administrator rights within Jenkins.”

Although access to the script console is normally restricted to authenticated users with administrative permissions, misconfigured Jenkins instances can inadvertently expose the “/script” (or “/scriptText”) endpoint on the Internet, where attackers can exploit it to run dangerous commands.

Trend Micro said it found instances of threat actors exploiting a misconfigured Jenkins Groovy plugin to execute a base64-encoded string containing a malicious script that is designed to mine cryptocurrency on the compromised server by deploying a miner payload hosted on berrystore[.]me and establishing persistence.

“The script ensures that it has enough system resources to perform mining efficiently,” the researchers said. “To do this, the script checks for processes that use more than 90% of CPU resources, then proceeds to kill those processes. Additionally, it will kill all suspended processes.”


To protect against such exploit attempts, it is recommended to ensure proper configuration, enforce strong authentication and authorization, perform regular audits, and prevent Jenkins servers from being publicly exposed on the Internet.
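One of the regular audits mentioned above is checking who has actually reached the script console. The following added example (not from the article or from Trend Micro) scans a constructed Jenkins access log in Common Log Format for hits on /script and /scriptText, flagging successful requests with no authenticated user as the misconfiguration itself; the log format and sample lines are assumptions.

```python
import re
from dataclasses import dataclass
from typing import List

# Constructed sample lines in Common Log Format (assumption: the Jenkins
# controller writes its access log in this format). Not real traffic.
SAMPLE_LOG = """\
203.0.113.7 - - [08/Jul/2024:10:15:01 +0000] "POST /script HTTP/1.1" 200 1532
203.0.113.7 - - [08/Jul/2024:10:15:09 +0000] "POST /scriptText HTTP/1.1" 200 87
10.0.0.5 - alice [08/Jul/2024:10:16:00 +0000] "GET /job/build-api/ HTTP/1.1" 200 9001
10.0.0.9 - bob [08/Jul/2024:10:17:42 +0000] "POST /jenkins/scriptText HTTP/1.1" 200 12
198.51.100.4 - - [08/Jul/2024:10:18:00 +0000] "GET /login HTTP/1.1" 200 3000
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ (?P<user>\S+) \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) \S+$'
)
# The console endpoints, matched at the end of any context path (e.g. /jenkins/script)
CONSOLE_RE = re.compile(r'^(?:/[^/?]+)*/script(?:Text)?(?:\?.*)?$')


@dataclass
class Finding:
    ip: str
    user: str
    path: str
    severity: str


def scan_access_log(text: str) -> List[Finding]:
    """Return one Finding per request that reached the script console."""
    findings = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if not m or not CONSOLE_RE.match(m['path']):
            continue
        anonymous = m['user'] == '-'
        success = m['status'].startswith('2')
        if anonymous and success:
            sev = 'critical'   # console served to an unauthenticated client
        elif success:
            sev = 'review'     # an authenticated user ran the console: confirm it was expected
        else:
            sev = 'info'       # denied or redirected probe
        findings.append(Finding(m['ip'], m['user'], m['path'], sev))
    return findings


if __name__ == '__main__':
    for f in scan_access_log(SAMPLE_LOG):
        print(f'{f.severity:8} {f.ip:15} user={f.user:6} {f.path}')
```

Any 'critical' finding means the authorization strategy let an anonymous client execute Groovy on the controller and the instance should be treated as compromised, not merely reconfigured.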

The development comes as cryptocurrency theft stemming from hacks and exploits increased in the first half of 2024, allowing threat actors to loot $1.38 billion, up from $657 million year-over-year.

“The top five hacks and exploits accounted for 70 percent of the total amount stolen so far this year,” blockchain intelligence platform TRM Labs said. “Private key and seed phrase compromises remain a top attack vector in 2024, along with smart contract exploits and flashloan attacks.”
