
JenkinsMiner Cryptocurrency Botnet


This content has been archived

This article no longer conforms to NHS Digital's standards for cyber alerts, and may contain outdated or inaccurate information. Use of the information contained in this page is at your own risk.

Summary

JenkinsMiner is a newly observed cryptocurrency mining botnet that targets servers running Jenkins, a popular Java-based automation platform.

Threat details

The attacker operating the JenkinsMiner botnet is exploiting a remote code execution vulnerability, CVE-2017-1000353, to compromise the targeted servers. Jenkins' remoting-based command-line interface deserialised Java objects without validating them, so an unauthenticated attacker who sends two specially crafted HTTP requests can execute arbitrary commands on the server. The attacker then downloads and installs a remote access trojan bundled with XMRig, a popular Monero mining application.

This malware was previously seen targeting Windows devices; it is theorised that the attacker has moved on to target more powerful servers in order to increase their mining profits.


Remediation advice

Remediation steps

To avoid botnet infection, ensure that:

  • A robust program of education and awareness training is delivered to users to ensure they don’t open attachments or follow links within unsolicited emails.
  • All operating systems, antivirus and other security products are kept up to date.
  • All day-to-day computer activities, such as email and internet browsing, are performed using non-administrative accounts.
  • Strong password policies are in place and password reuse is discouraged.
  • Network, proxy and firewall logs should be monitored for suspicious activity.
  • User accounts accessed from infected machines should be reset on a clean computer.

Additionally, the Jenkins project fixed this vulnerability in weekly release 2.57 and LTS release 2.46.2, as described in Jenkins Security Advisory 2017-04-26. Users should update to the newest version where possible. Where updating is not possible, the same advisory provides a workaround that disables the vulnerable remoting-based CLI.
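As an added example (not code from this alert, from NHS Digital or from the Jenkins project), the following Python triages an inventory of Jenkins instances by the version each advertises in its X-Jenkins response header, comparing weekly releases against 2.57 and LTS releases against 2.46.2, the fixed releases named in Jenkins Security Advisory 2017-04-26. The point it makes is that the two Jenkins release lines are numbered differently (weekly 2.57 versus LTS 2.46.2), so a single numeric comparison would misclassify patched LTS hosts. The hostnames and header blocks are constructed sample input, not captured from real systems.

```python
"""Triage Jenkins instances against the CVE-2017-1000353 fix versions.

Jenkins ships two release lines with different numbering: weekly releases
carry two components (2.57) and LTS releases carry three (2.46.2). A naive
numeric comparison would call LTS 2.46.2 "older" than weekly 2.57 even though
both contain the fix, so each line is compared against its own threshold.
"""
import re
from typing import Dict, Optional, Tuple

# Fixed releases named in Jenkins Security Advisory 2017-04-26 (SECURITY-429).
FIXED_WEEKLY: Tuple[int, ...] = (2, 57)
FIXED_LTS: Tuple[int, ...] = (2, 46, 2)

_VERSION_RE = re.compile(r"^(\d+)\.(\d+)(?:\.(\d+))?$")


def parse_version(value: str) -> Optional[Tuple[int, ...]]:
    """Return (major, minor) or (major, minor, patch); None if unparseable."""
    match = _VERSION_RE.match(value.strip())
    if match is None:
        return None
    return tuple(int(part) for part in match.groups() if part is not None)


def is_lts(version: Tuple[int, ...]) -> bool:
    """Jenkins LTS versions have three components, weekly versions have two."""
    return len(version) == 3


def is_vulnerable(value: str) -> Optional[bool]:
    """True if the version predates the fix on its own release line, None if unknown."""
    version = parse_version(value)
    if version is None:
        return None
    threshold = FIXED_LTS if is_lts(version) else FIXED_WEEKLY
    return version < threshold


def version_from_headers(raw_headers: str) -> Optional[str]:
    """Pull the version Jenkins advertises in its X-Jenkins response header."""
    for line in raw_headers.splitlines():
        name, sep, value = line.partition(":")
        if sep and name.strip().lower() == "x-jenkins":
            return value.strip()
    return None


def triage(inventory: Dict[str, str]) -> Dict[str, str]:
    """Map host -> 'vulnerable' | 'patched' | 'unknown' from captured response headers."""
    results = {}
    for host, headers in inventory.items():
        version = version_from_headers(headers)
        state = is_vulnerable(version) if version is not None else None
        results[host] = {True: "vulnerable", False: "patched"}.get(state, "unknown")
    return results


# Constructed sample input: response header blocks as they might be captured
# from each host (hypothetical hostnames and versions, not real systems).
SAMPLE_INVENTORY = {
    "ci-lts-old.example.internal": "HTTP/1.1 200 OK\r\nX-Jenkins: 2.46.1\r\n",
    "ci-lts-fixed.example.internal": "HTTP/1.1 200 OK\r\nX-Jenkins: 2.46.2\r\n",
    "ci-weekly-old.example.internal": "HTTP/1.1 403 Forbidden\r\nX-Jenkins: 2.54\r\n",
    "ci-weekly-fixed.example.internal": "HTTP/1.1 200 OK\r\nX-Jenkins: 2.57\r\n",
    "ci-legacy.example.internal": "HTTP/1.1 200 OK\r\nX-Jenkins: 1.651.3\r\n",
    "proxy-only.example.internal": "HTTP/1.1 200 OK\r\nServer: nginx\r\n",
}

if __name__ == "__main__":
    for host, state in sorted(triage(SAMPLE_INVENTORY).items()):
        print(f"{host:40} {state}")
```

Two caveats apply when reading the output. A host that was left on a vulnerable version but had the advisory's workaround applied (remoting-based CLI disabled) is still reported as vulnerable, because the check reads only the version header; confirm the CLI state on such hosts separately. Version strings with a suffix that the regular expression does not recognise are reported as unknown rather than guessed at, and a front-end proxy that strips the X-Jenkins header also yields unknown.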



CVE Vulnerabilities

CVE-2017-1000353

Last edited: 17 February 2020 12:46 pm