Hacker Group Makes $3 Million by Installing Monero Miners on Jenkins Servers

[Image: JenkinsMiner]

A hacker group has made over $3 million by breaking into Jenkins servers and installing malware that mines the Monero cryptocurrency.

Hackers are targeting Jenkins, a continuous integration/deployment web application built in Java that allows dev teams to run automated tests and execute various operations based on test results, including deploying new code to production servers. Because of this, Jenkins servers are extremely popular with both freelance web developers and large enterprises.

On Friday, Israeli security firm Check Point announced it had uncovered the footprint of a large hacking operation targeting Jenkins servers left connected to the Internet.

Hackers using Jenkins RCE flaw

Attackers were leveraging CVE-2017-1000353, a vulnerability in the Jenkins Java deserialization implementation that allows remote attackers to run malicious code without needing to authenticate first.

Check Point says hackers used this vulnerability to make Jenkins servers download and install a Monero miner (minerxmr.exe).

The miner was being downloaded from an IP address located in China and assigned to the Huaian government network. It is unclear whether this is the attackers' own server or a compromised server used to host the miner on their behalf.

The attackers have been active for months. This has allowed them to mine, and already cash out, over 10,800 Monero, worth over $3.4 million at the time of writing.

[Image: Jenkins campaign payouts]

Researchers say the group appears to have compromised mostly Jenkins instances running on Windows operating systems.

Over 25,000 Jenkins servers left exposed online

Attackers aren’t the only ones who’ve noticed the large number of Jenkins servers available online. In mid-January, security researcher Mikail Tunç published research highlighting that there were over 25,000 Jenkins servers left exposed to the Internet at the time of his research.

Also on Friday, FireEye released new research on other hackers leveraging the CVE-2017-10271 flaw to infect Oracle WebLogic servers with malware. This vulnerability has been under active exploitation since early December 2017, and one group has already made more than $226,000.

Besides Jenkins and Oracle WebLogic servers, hackers are also targeting Ruby on Rails, PHP, and IIS servers to deploy Monero-mining malware.

Monero-mining malware is already this year’s biggest malware trend and problem, with numerous malware distribution campaigns spreading such payloads on any unsecured computer or server crooks can get their hands on.