
JenkinsMiner Cryptocurrency Botnet

JenkinsMiner is a newly observed cryptocurrency mining botnet that targets servers running Jenkins, a popular Java-based automation platform.

By sending two successive requests to the Jenkins CLI interface, the crypto-miner operator exploits the known vulnerability CVE-2017-1000353 in Jenkins' Java deserialisation handling. The vulnerability stems from a lack of validation of the incoming serialised object, so any serialised object is accepted.

The attacker operating the JenkinsMiner botnet is leveraging a known remote code execution vulnerability to compromise the targeted devices. A lack of validation when Jenkins handles serialised objects can be exploited by sending two specially crafted requests, resulting in Jenkins allowing a user to execute commands on the server. The attacker then downloads and installs a remote access trojan combined with XMRig, a popular Monero mining application.

This malware has previously been seen targeting Windows devices, but it is theorised that the attacker has moved on to target more powerful servers in order to increase their profits.

Domains and IPs Associated With This Campaign

  • 222[.]184[.]79[.]11
  • 183[.]136[.]202[.]244
  • btc[.]poolbt[.]com
  • shell[.]poolbt[.]com
  • xmr[.]btgirl[.]com[.]cn
  • btc[.]btgirl[.]com[.]cn

Affected Platforms

Jenkins automation servers – Versions prior to 2.54
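The two facts a defender can act on here are the affected-version threshold (Jenkins versions prior to 2.54, as stated above) and the list of domains and IPs the post attributes to the campaign. The following script is an added example, not code from the original post or from the Jenkins project: it refangs the published indicators, matches them against DNS/proxy log lines, and checks a Jenkins version string against the post's threshold. The log format and the sample log lines are constructed for illustration; real logs will need the host-extraction regex adjusted.

```python
import re
from typing import Iterable, List, Tuple

# Indicators quoted in the post, kept defanged ("[.]") exactly as published.
IOCS = [
    "222[.]184[.]79[.]11",
    "183[.]136[.]202[.]244",
    "btc[.]poolbt[.]com",
    "shell[.]poolbt[.]com",
    "xmr[.]btgirl[.]com[.]cn",
    "btc[.]btgirl[.]com[.]cn",
]

# Affected-version threshold as stated in the post: Jenkins versions prior to 2.54.
FIXED_VERSION = (2, 54)

# Assumed log layout (constructed for this example): key=value pairs where the
# looked-up or contacted host appears after "query=", "host=" or "dst=".
HOST_RE = re.compile(r"(?:query|host|dst)[=:]\s*([A-Za-z0-9.\-]+)")

# Constructed sample log lines; none of these come from the post or a real incident.
SAMPLE_LOGS = [
    "10:01:12Z dns query=shell.poolbt.com client=10.0.5.21",
    "10:01:13Z dns query=updates.example.internal client=10.0.5.21",
    "10:02:40Z proxy dst=183.136.202.244 client=10.0.5.21 bytes=1048576",
    "10:03:02Z dns query=XMR.btgirl.com.cn. client=10.0.5.22",
]


def refang(ioc: str) -> str:
    """Turn a defanged indicator ('[.]') back into a matchable hostname or IP."""
    return ioc.replace("[.]", ".").lower()


def parse_version(version: str) -> Tuple[int, ...]:
    """Parse 'MAJOR.MINOR[.PATCH]' into a comparable tuple, ignoring any suffix."""
    m = re.match(r"(\d+(?:\.\d+)*)", version.strip())
    if not m:
        raise ValueError(f"unrecognised version string: {version!r}")
    return tuple(int(part) for part in m.group(1).split("."))


def is_affected_version(version: str) -> bool:
    """True when the Jenkins version is below the threshold the post gives (2.54)."""
    return parse_version(version)[:2] < FIXED_VERSION


def match_iocs(log_lines: Iterable[str], iocs: Iterable[str] = IOCS) -> List[Tuple[int, str]]:
    """Return (line_number, indicator) pairs for every log line that names a listed host or IP."""
    wanted = {refang(i) for i in iocs}
    hits: List[Tuple[int, str]] = []
    for n, line in enumerate(log_lines, 1):
        for m in HOST_RE.finditer(line):
            # Normalise trailing dots (FQDN form) and case before comparing.
            host = m.group(1).rstrip(".").lower()
            if host in wanted:
                hits.append((n, host))
    return hits


if __name__ == "__main__":
    for version in ("2.53", "2.54", "2.46.3"):
        state = "AFFECTED" if is_affected_version(version) else "not affected"
        print(f"Jenkins {version}: {state} (threshold from the post: < 2.54)")
    for line_no, host in match_iocs(SAMPLE_LOGS):
        print(f"IoC hit on sample line {line_no}: {host}")
```

Feed `match_iocs` the lines of your resolver or proxy logs (adjusting `HOST_RE` to your format) and `is_affected_version` the version string your Jenkins instances report; an IoC hit from a build server, or a version below the post's threshold, is the cue to isolate the host and look for the miner described above.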



Duncan

Duncan is a technology professional with over 20 years' experience of working in various IT roles. He has an interest in cyber security, and has a wide range of other skills in radio, electronics and telecommunications.
