Exposed Jenkins Servers

Etai Hochman, At-Bay
Mar 12, 2018

At-Bay provides cyber insurance for the digital age. Learn more at at-bay.com.

In the past few weeks, hackers have turned to misconfigured Jenkins servers as a new opportunity to profit from a cyber attack. Jenkins is an open source engineering tool that automates the deployment of applications, and it is the most popular software deployment server in the world. These hackers log in freely and obtain valuable data that enables easily performed follow-on attacks.

Probability of Attack

The search engine Shodan helps hackers automate Jenkins discovery. Other tools give attackers the ability to automatically discover the existence of valuable data. Since these tools are widely available and easy to use for automated discovery, we consider the probability of this kind of attack to be high.

Severity of Risk

Jenkins facilitates software deployment. As a result of this major role, Jenkins stores credentials to code repositories, databases, hosting services, and often sensitive user data. Given the breadth and sensitivity of the data that Jenkins stores, the severity of this risk is also high.

Insurance Coverage

An exploited Jenkins server, or any other deployment automation server, will lead to at least the following damages:

  1. Incident response. As a result of this exploit, you will have to remove your automation server from facing the internet and validate that the attackers didn’t traverse your network.
  2. Attack damages. In the case of traversal, you can also expect extortion if systems are hijacked, business interruption if deployments stall because Jenkins is no longer automating them, and a data breach if the stolen data is used to attack additional databases.

What to do

Keep your internal assets private. If you have a security operations program, whether managed internally or with an MSSP, you should prioritize asset management and periodic checks of internet-facing assets. If your organization doesn’t currently have a security operations program, you should start one as soon as possible. The right attack at the right time could bring a business down. With the data stored in Jenkins, your business might be down indefinitely.
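One way to run the periodic check of internet-facing assets described above, as an added example that is not part of the At-Bay post: a small Python script that takes the hosts in your own inventory, requests Jenkins' `/api/json` endpoint, and classifies each host by whether it answers with Jenkins' `X-Jenkins` response header and whether that answer is served without a login. The inventory and the sample responses are constructed for the example.

```python
"""Classify inventory hosts as exposed Jenkins instances (added example).

Jenkins sends an ``X-Jenkins`` response header; ``/api/json`` returns 200 when
anonymous read access is enabled and 401/403 when a login is required.
Sample hosts and responses below are constructed, not real assets.
"""
import urllib.error
import urllib.request


def classify(status, headers):
    """Return 'not-jenkins', 'jenkins-login-required' or 'jenkins-anonymous-read'."""
    lowered = {k.lower(): v for k, v in headers.items()}
    if "x-jenkins" not in lowered:
        return "not-jenkins"
    if status == 200:
        return "jenkins-anonymous-read"
    return "jenkins-login-required"


def probe(base_url, timeout=5):
    """Fetch <base_url>/api/json for a host you own and classify the answer."""
    req = urllib.request.Request(base_url.rstrip("/") + "/api/json", method="GET")
    try:
        with urllib.request.urlopen(req, timeout=timeout) as resp:
            return classify(resp.status, dict(resp.headers.items()))
    except urllib.error.HTTPError as err:  # 401/403 still carry Jenkins headers
        return classify(err.code, dict(err.headers.items()))
    except (urllib.error.URLError, OSError):
        return "unreachable"


# Constructed responses standing in for live probes of three inventory hosts.
SAMPLE_RESPONSES = {
    "https://ci.example.com": (200, {"X-Jenkins": "2.107", "Content-Type": "application/json"}),
    "https://build.example.com": (403, {"X-Jenkins": "2.89.4", "Content-Type": "text/html"}),
    "https://www.example.com": (200, {"Server": "nginx", "Content-Type": "text/html"}),
}


def report(responses):
    """Map each host to its verdict; anonymous-read hosts need action first."""
    return {host: classify(status, hdrs) for host, (status, hdrs) in responses.items()}


if __name__ == "__main__":
    for host, verdict in report(SAMPLE_RESPONSES).items():
        print(f"{host}: {verdict}")
```

Replace `SAMPLE_RESPONSES` with calls to `probe()` over your own asset list to turn this into a scheduled check; any host reported as `jenkins-anonymous-read` should be taken off the internet first.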

Etai Hochman

At-Bay, CTO
