A server of the Jenkins project hacked by exploiting a Confluence flaw

The development team behind the Jenkins server disclose a security breach, threat actors deployed a cryptocurrency miner on one of its servers.

The development team behind the Jenkins Project disclosed a security breach after threat actors compromised one of their internal servers and installed a cryptocurrency miner.

Jenkins is the most popular open-source automation server, it is maintained by CloudBees and the Jenkins community. The automation server supports developers build, test and deploy their applications, it has hundreds of thousands of active installations worldwide with more than 1 million users.

The attackers breached a deprecated Confluence service used by the organization exploiting the Confluence CVE-2021-26084 vulnerability. In response to the incident, the Jenkins team took the affected server offline and launched an investigation into the security incident.

“Earlier this week the Jenkins infrastructure team identified a successful attack against our deprecated Confluence service. We responded immediately by taking the affected server offline while we investigated the potential impact. At this time we have no reason to believe that any Jenkins releases, plugins, or source code have been affected.” reads the security breach notification published by the development team. “Thus far in our investigation, we have learned that the Confluence CVE-2021-26084 exploit was used to install what we believe was a Monero miner in the container running the service. From there an attacker would not be able to access much of our other infrastructure. Confluence did integrate with our integrated identity system which also powers Jira, Artifactory, and numerous other services. The trust and security in Jenkins core and plugin releases is our highest priority. We do not have any indication that developer credentials were exfiltrated during the attack.”

The maintainers of the project are not aware of any compromise for Jenkins releases, plugins, or source code have been affected.

Threat actors started exploiting the CVE-2021-26084 vulnerability in Atlassian’s Confluence enterprise collaboration product a few days after it was patched by the vendor. At the time of this writing, experts only observed threat actors exploiting the issue to deliver cryptocurrency miners, but attackers could start exploiting them to deliver other malware, including ransomware.

Last week, Atlassian released security patches to address the critical CVE-2021-26084 flaw that affects the Confluence enterprise collaboration product.

The flaw is an OGNL injection issue that can be exploited by an authenticated attacker to execute arbitrary code on affected Confluence Server and Data Center instances.

“An OGNL injection vulnerability exists that would allow an authenticated user, and in some instances unauthenticated user, to execute arbitrary code on a Confluence Server or Data Center instance. ” reads the advisory published by the company.

The issue was discovered by Benny Jacob (SnowyOwl) through the Atlassian public bug bounty program, the vulnerability received a CVSS score of 9.8.

Affected versions are:

• version < 6.13.23
• 6.14.0 ≤ version < 7.4.11
• 7.5.0 ≤ version < 7.11.5
• 7.12.0 ≤ version < 7.12.5

CISA also published a security advisory to urge admins to apply the Confluence security updates released on August 25, 2021by Atlassian.

US Cyber Command (USCYBERCOM) has issued last week an alert to warn US organizations to address Atlassian Confluence CVE-2021-26084 vulnerability immediately, ahead of the Labor Day weekend.

Researchers from Threat intelligence firm Bad Packets detected mass scanning and exploit activity targeting Atlassian Confluence servers vulnerable to the above RCE.

According to a post published by Censys, which performed multiple Internet scans for vulnerable Confluence servers, 12,876 individual IPv4 hosts are currently running an exploitable version of the software.

“Just days before this vulnerability was made public, our historical data showed that the internet had over 14,637 exposed and vulnerable Confluence servers. Compare that to the current day, September 1st, where Censys identified 14,701 services that self-identified as a Confluence server, and of those, 13,596 ports and 12,876 individual IPv4 hosts are running an exploitable version of the software.” reads the analysis published by Censys.

Follow me on Twitter: @securityaffairs and Facebook

[adrotate banner=”9″]

[adrotate banner=”12″]

Pierluigi Paganini

(SecurityAffairs – hacking, Jenkins)

[adrotate banner=”5″]

[adrotate banner=”13″]