
Malicious Actor Claims Targeting IBM & Stanford University

Malicious actors exploited the company's public asset port 9443 by using search engines.


A report on a British cybercrime forum, found by CloudSEK's contextual AI digital risk platform XVigil, mentioned Jenkins as one of the TTPs employed by spyware. To boost ad clickthroughs, this module features stealth desktop takeover capabilities. Based on unofficial talks, CloudSEK experts anticipate that this harmful effort will increase attempts to infect bots.

Evaluation of threats 

In a post on a cybercrime site on May 7, 2022, a malicious actor detailed how they hacked into a major organization by taking advantage of a flaw in the Jenkins dashboard.

Previously, the same threat actor was observed giving access to IBM. In addition, the actor provided a sample screenshot as evidence of their alleged connection to a Jenkins dashboard.

The malicious actors came upon a Jenkins dashboard bypass that contained internal hosts, scripts, database logins, and credentials. According to researchers, they exploited the company's public asset port 9443 by using search engines like Shodan.

After receiving data, the actor employed a custom debugging script to find vulnerable targets for bypassing rproxy misconfiguration. 

Origin of the threat actor

In other posts on the cybercrime site, the same person claimed they had previously targeted IBM Tech Company as well, in particular internal administrators' scripts and firewall configurations for internal networks.

In later posts, the actor also gave the following exploit narrative for getting into Stanford University:
  • The actor enumerated all the subdomains connected to the University using the Sudomy tool.
  • The actor then applied a path, such as -path /wp-content/plugins/, to the domains using httpx.
  • This returns data from all of the subdomains that have a valid path with the susceptible zero-day vulnerability, where an attacker can execute RCE on the plugin.
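
A defender's view of the path sweep described in the list above, as an added example that is not from CloudSEK's report or the actor's post: it flags any client that requests the same plugin path on several virtual hosts within a short window. The log layout, host names, addresses and thresholds are constructed assumptions.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Assumed log layout (constructed for this example, adapt to your server):
#   <vhost> <client_ip> [<ISO-8601 time>] "<METHOD> <path> HTTP/x" <status>
LINE_RE = re.compile(
    r'^(?P<vhost>\S+) (?P<ip>\S+) \[(?P<ts>[^\]]+)\] '
    r'"[A-Z]+ (?P<path>\S+) [^"]*" \d{3}$'
)

# Constructed sample data: one client sweeping three hosts, one normal visitor.
SAMPLE_LOG = """\
www.example.edu 198.51.100.7 [2024-01-01T10:00:01] "GET /wp-content/plugins/ HTTP/1.1" 404
blog.example.edu 198.51.100.7 [2024-01-01T10:00:02] "GET /wp-content/plugins/ HTTP/1.1" 200
lib.example.edu 198.51.100.7 [2024-01-01T10:00:03] "GET /wp-content/plugins/ HTTP/1.1" 403
blog.example.edu 203.0.113.20 [2024-01-01T10:01:00] "GET /wp-content/plugins/forms/style.css HTTP/1.1" 200
blog.example.edu 203.0.113.20 [2024-01-01T10:01:01] "GET /index.php HTTP/1.1" 200
not a log line
""".splitlines()


def find_path_sweeps(lines, prefix="/wp-content/plugins/", min_hosts=3,
                     window=timedelta(minutes=5)):
    """Return {client_ip: sorted vhosts} for clients that requested `prefix`
    on at least `min_hosts` distinct virtual hosts within `window`."""
    hits = defaultdict(list)  # client ip -> [(time, vhost), ...]
    for line in lines:
        m = LINE_RE.match(line.strip())
        if not m or not m["path"].startswith(prefix):
            continue  # skip unparseable lines and unrelated paths
        hits[m["ip"]].append((datetime.fromisoformat(m["ts"]), m["vhost"].lower()))

    flagged = {}
    for ip, events in hits.items():
        events.sort()
        start = 0
        for end in range(len(events)):
            # Slide the left edge until the span fits inside `window`.
            while events[end][0] - events[start][0] > window:
                start += 1
            hosts = {vhost for _, vhost in events[start:end + 1]}
            if len(hosts) >= min_hosts:
                flagged.setdefault(ip, set()).update(hosts)
    return {ip: sorted(hosts) for ip, hosts in flagged.items()}


if __name__ == "__main__":
    print(find_path_sweeps(SAMPLE_LOG))
```

The response status is deliberately ignored: a sweep is worth reviewing whether the probed path answered 200, 403 or 404.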

According to CloudSEK, which reported the threats, other entities could execute similar exploits using the threat actor's TTP. "Modules like these can facilitate complex ransomware assaults and persistence," the security experts said while adding that threat actors "could migrate laterally, infecting the network, to retain persistence and steal credentials." 

Because password reuse is common practice, actors may use revealed credentials to access the user's other accounts. For reference, the malicious actors also took credit for hacking Stanford University and Jozef Safarik University in Slovakia.

According to reports from XVigil, official access to the domains was found in several nations, including Ukraine, Pakistan, United Arab Emirates, and Nepal.