Cybersecurity researchers have found that it's possible for attackers to weaponize improperly configured Jenkins Script Console instances to further criminal activities such as cryptocurrency mining.
"Misconfigurations such as improperly set up authentication mechanisms expose the '/script' endpoint to attackers," Trend Micro's Shubham Singh and Sunil Bharti said in a technical write-up published last week. "This can lead to remote code execution (RCE) and misuse by malicious actors."
Jenkins, a popular continuous integration and continuous delivery (CI/CD) platform, features a Groovy script console that allows users to run arbitrary Groovy scripts within the Jenkins controller runtime.
The project maintainers, in the official documentation, explicitly note that the web-based Groovy shell can be used to read files containing sensitive data (e.g., "/etc/passwd"), decrypt credentials configured within Jenkins, and even reconfigure security settings.
The console "offers no administrative controls to stop a user (or admin) once they are able to execute the Script Console from affecting all parts of the Jenkins infrastructure," reads the documentation. "Granting a normal Jenkins user Script Console Access is essentially the same as giving them Administrator rights within Jenkins."
While access to Script Console is typically limited only to authenticated users with administrative permissions, misconfigured Jenkins instances could inadvertently make the "/script" (or "/scriptText") endpoint accessible over the internet, making it ripe for exploitation by attackers looking to run dangerous commands.
Trend Micro said it found instances of threat actors exploiting the Jenkins Groovy plugin misconfiguration to execute a Base64-encoded string containing a malicious script that's designed to mine cryptocurrency on the compromised server by deploying a miner payload hosted on berrystore[.]me and setting up persistence.
"The script ensures it has enough system resources to perform the mining effectively," the researchers said. "To do this, the script checks for processes that consume more than 90% of the CPU's resources, then proceeds to kill these processes. Furthermore, it will terminate all stopped processes."
To safeguard against such exploitation attempts, it's advised to ensure proper configuration, implement robust authentication and authorization, conduct regular audits, and restrict Jenkins servers from being publicly exposed on the internet.
The development comes as cryptocurrency thefts arising from hacks and exploits have surged in the first half of 2024, allowing threat actors to plunder $1.38 billion, up from $657 million year-over-year.
"The top five hacks and exploits accounted for 70% of the total amount stolen so far this year," blockchain intelligence platform TRM Labs said. "Private key and seed phrase compromises remain a top attack vector in 2024, alongside smart contract exploits and flash loan attacks."