
Malicious Actor Claims Targeting IBM & Stanford University


A report on a British cybercrime forum, found by CloudSEK's contextual AI digital risk platform XVigil, listed Jenkins among the TTPs employed by a spyware module. The module features stealth desktop-takeover capabilities intended to boost ad click-throughs. Based on unofficial discussions, CloudSEK researchers anticipate that this malicious campaign will increase attempts to infect bots.

Evaluation of threats 

In a post on a cybercrime site on May 7, 2022, a malicious actor detailed how they hacked into a major organization by exploiting a flaw in the Jenkins dashboard.

Previously, the same threat actor had been observed offering access to IBM. The actor also provided a sample screenshot as evidence of their alleged connection to a Jenkins dashboard.

According to researchers, the malicious actors discovered a Jenkins dashboard bypass that exposed internal hosts, scripts, database logins, and credentials. They located the company's publicly exposed asset on port 9443 using search engines such as Shodan.

After obtaining the data, the actor used a custom debugging script to find targets vulnerable to the rproxy misconfiguration bypass.

Origin of the threat actor

In other posts on the same cybercrime site, the hacker claimed to have previously targeted IBM as well, in particular internal administrators' scripts and firewall configurations for internal networks.

In later posts, the actor also described the following exploit narrative for getting into Stanford University:
  • The actor enumerated all the subdomains connected to the University using the Sudomy tool.
  • The actor then applied a path, such as -path /wp-content/plugins/, to the domains using httpx.
  • The subdomains that returned a valid path were checked for the susceptible plugin, on which an attacker could execute RCE via the claimed zero-day vulnerability.

According to CloudSEK, which reported the threats, other entities could execute similar exploits using the threat actor's TTP. "Modules like these can facilitate complex ransomware assaults and persistence," the security experts said while adding that threat actors "could migrate laterally, infecting the network, to retain persistence and steal credentials." 

Actors may utilize revealed credentials to access the user's other accounts because password reuse is standard practice. For reference, the malicious actors also took credit for hacking Stanford University and Jozef Safarik University in Slovakia. 

According to reports from XVigil, official access to the domains was reportedly found in several nations, including Ukraine, Pakistan, United Arab Emirates, and Nepal. 

12,000+ Jenkins servers can be used to launch DDoS attacks

According to Radware researchers, a vulnerability (CVE-2020-2100) in 12,000+ Jenkins servers can be exploited to launch and amplify DDoS attacks against internet hosts.

The same vulnerability can also be triggered by a spoofed UDP packet to launch a DoS attack against the server itself, sending it into a repeated sequence of replies that can only be stopped by rebooting the server.

The vulnerability (CVE-2020-2100)

The CVE-2020-2100 vulnerability was discovered by Adam Thorn of the University of Cambridge. It is caused by a network discovery service that is present and enabled by default, including on public-facing servers.

Radware researchers explain, “The vulnerability allows attackers to abuse Jenkins servers by reflecting UDP requests off port UDP/33848, resulting in an amplified DDoS attack containing Jenkins metadata. This is possible because Jenkins/Hudson servers do not properly monitor network traffic and are left open to discover other Jenkins/Hudson instances.”

“An attacker can either send a UDP broadcast packet locally to 255.255.255.255:33848 or they could send a UDP multicast packet to JENKINS_REFLECTOR:33848. When a packet is received, regardless of the payload, Jenkins/Hudson will send an XML response of Jenkins metadata in a datagram to the requesting client, giving attackers the ability to abuse its UDP multicast/broadcast service to carry out DDoS attacks.”
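The reflection pattern described above has a recognisable shape in network telemetry: a local host answers tiny datagrams on UDP/33848 with much larger XML replies addressed to many distinct (spoofed) external addresses. The following detection script is an added example, not code from the article, Radware or the Jenkins project; it runs that heuristic over constructed, NetFlow-style UDP flow records. The record format, the RFC 5737 addresses, the packet sizes and the thresholds are all assumptions for illustration.

```python
"""Flag a Jenkins UDP discovery responder (port 33848) being used as a DDoS reflector.

Added example, not code from the article or from Radware/Jenkins. It applies a
reflection heuristic to constructed UDP flow records in an assumed NetFlow-like
text format; addresses, sizes, format and thresholds are illustrative.
"""
import re
from collections import defaultdict
from ipaddress import ip_address, ip_network
from typing import Dict, Iterable, List, NamedTuple, Optional

JENKINS_DISCOVERY_PORT = 33848   # UDP port named in the Radware description
MIN_EXTERNAL_PEERS = 5           # a reflector sprays replies at many victims (assumed threshold)
MIN_AMPLIFICATION = 5.0          # reply bytes divided by request bytes (assumed threshold)

# Assumed record format, one unidirectional UDP flow per line:
# "<ts> udp <src>:<sport> -> <dst>:<dport> bytes=<n> pkts=<n>"
FLOW_RE = re.compile(
    r"^(?P<ts>\S+) udp (?P<src>[\d.]+):(?P<sport>\d+) -> "
    r"(?P<dst>[\d.]+):(?P<dport>\d+) bytes=(?P<nbytes>\d+) pkts=(?P<pkts>\d+)$"
)


class Flow(NamedTuple):
    ts: str
    src: str
    sport: int
    dst: str
    dport: int
    nbytes: int
    pkts: int


def parse_flow(line: str) -> Optional[Flow]:
    """Parse one flow record; return None for lines that do not match the format."""
    m = FLOW_RE.match(line.strip())
    if not m:
        return None
    d = m.groupdict()
    return Flow(d["ts"], d["src"], int(d["sport"]), d["dst"], int(d["dport"]),
                int(d["nbytes"]), int(d["pkts"]))


def amplification_factor(request_bytes: int, reply_bytes: int) -> float:
    """Bytes sent back per byte received; inf when replies have no matching requests."""
    if request_bytes == 0:
        return float("inf") if reply_bytes else 0.0
    return reply_bytes / request_bytes


def detect_reflection(lines: Iterable[str],
                      local_nets=("198.51.100.0/24", "10.0.0.0/8")) -> Dict[str, dict]:
    """Summarise discovery-port traffic per local host and flag reflection.

    A host is suspicious when its replies from UDP/33848 go to many distinct
    external addresses (the spoofed victims) and are much larger than the
    requests that triggered them. Internal-only discovery traffic is not flagged.
    """
    nets = [ip_network(n) for n in local_nets]

    def is_local(ip: str) -> bool:
        return any(ip_address(ip) in n for n in nets)

    stats = defaultdict(lambda: {"request_bytes": 0, "reply_bytes": 0, "external_peers": set()})
    for line in lines:
        f = parse_flow(line)
        if f is None:
            continue                                       # headers, comments, other protocols
        if f.dport == JENKINS_DISCOVERY_PORT and is_local(f.dst):
            stats[f.dst]["request_bytes"] += f.nbytes      # inbound trigger datagrams
        elif f.sport == JENKINS_DISCOVERY_PORT and is_local(f.src):
            stats[f.src]["reply_bytes"] += f.nbytes        # outbound XML metadata replies
            if not is_local(f.dst):
                stats[f.src]["external_peers"].add(f.dst)

    report = {}
    for host, s in stats.items():
        amp = amplification_factor(s["request_bytes"], s["reply_bytes"])
        peers = len(s["external_peers"])
        report[host] = {
            "request_bytes": s["request_bytes"],
            "reply_bytes": s["reply_bytes"],
            "external_peers": peers,
            "amplification": amp,
            "suspicious": peers >= MIN_EXTERNAL_PEERS and amp >= MIN_AMPLIFICATION,
        }
    return report


def suspicious_hosts(report: Dict[str, dict]) -> List[str]:
    """Hosts whose discovery port looks like an active reflector."""
    return sorted(h for h, s in report.items() if s["suspicious"])


# Constructed sample: 198.51.100.5 answers 60-byte probes "from" five spoofed
# addresses with 1200-byte replies; 198.51.100.9 only talks to an internal host.
SAMPLE_FLOWS = """\
# ts proto src -> dst bytes pkts
2020-02-12T10:00:01Z udp 203.0.113.11:40001 -> 198.51.100.5:33848 bytes=60 pkts=1
2020-02-12T10:00:01Z udp 198.51.100.5:33848 -> 203.0.113.11:40001 bytes=1200 pkts=2
2020-02-12T10:00:01Z udp 203.0.113.12:40002 -> 198.51.100.5:33848 bytes=60 pkts=1
2020-02-12T10:00:01Z udp 198.51.100.5:33848 -> 203.0.113.12:40002 bytes=1200 pkts=2
2020-02-12T10:00:02Z udp 203.0.113.13:40003 -> 198.51.100.5:33848 bytes=60 pkts=1
2020-02-12T10:00:02Z udp 198.51.100.5:33848 -> 203.0.113.13:40003 bytes=1200 pkts=2
2020-02-12T10:00:02Z udp 203.0.113.14:40004 -> 198.51.100.5:33848 bytes=60 pkts=1
2020-02-12T10:00:02Z udp 198.51.100.5:33848 -> 203.0.113.14:40004 bytes=1200 pkts=2
2020-02-12T10:00:03Z udp 203.0.113.15:40005 -> 198.51.100.5:33848 bytes=60 pkts=1
2020-02-12T10:00:03Z udp 198.51.100.5:33848 -> 203.0.113.15:40005 bytes=1200 pkts=2
2020-02-12T10:00:04Z udp 10.0.0.4:40006 -> 198.51.100.9:33848 bytes=60 pkts=1
2020-02-12T10:00:04Z udp 198.51.100.9:33848 -> 10.0.0.4:40006 bytes=1200 pkts=2
"""

if __name__ == "__main__":
    report = detect_reflection(SAMPLE_FLOWS.splitlines())
    for host, s in report.items():
        print(host, s)
    print("suspicious:", suspicious_hosts(report))
```

The amplification ratio alone is not the signal: the internal host 198.51.100.9 shows the same 20x ratio but answers a single internal peer, so only the host replying to many distinct external addresses is reported. Any hit is a reason to confirm the Jenkins version and, per the advisory quoted below, leave the UDP broadcast/multicast discovery properties at their disabled defaults unless they are genuinely needed.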

The CVE-2020-2100 vulnerability was fixed in Jenkins 2.219 and LTS 2.204.2 two weeks ago.

“Administrators that need these features can re-enable them again by setting the system property hudson.DNSMultiCast.disabled to false (for DNS multicast) or the system property hudson.udp to 33848, or another port (for UDP broadcast/multicast),” developers from Jenkins explained.

The danger from the vulnerability

Pascal Geenens, Cyber Security Evangelist for Radware, said, “Much like was the case with memcached, people that design and develop on the open source Jenkins project assume that these servers will be internally facing.”

Contrary to that assumption, the Jenkins servers were exposed to the public. Nearly 13,000 vulnerable servers were distributed globally across Asia, Europe and North America, hosted at the top service providers. “Many DevOps teams depend upon Jenkins to build, test and continuously deploy their applications running in cloud and shared hosting environments such as Amazon, OVH, Hetzner, Host Europe, DigitalOcean, Linode, and many more,” Geenens stated.

The researchers concluded, "Combined with over 12,000 exposed Jenkins servers globally, it creates a viable DDoS threat."