SANS expert Renato Marinho uncovered an ongoing malicious campaign that is targeting vulnerable Apache Jenkins installs to deliver a Monero
According to the SANS Institute’s Internet Storm Center, attackers are exploiting the CVE-2018-1000861 vulnerability in the Stapler HTTP request handling engine used by Jenkins servers.
Jenkins is the most popular open source automation server, it is maintained by CloudBees and the Jenkins community. The automation server supports developers build, test and deploy their applications, it has hundreds of thousands of active installations worldwide with more than 1 million users.
The vulnerability was addressed in December 2018 by the Jenkins development team that warned of the following potential attacks:
According to SANS handler Renato Marinho, a proof-of-concept (PoC) exploit for CVE-2018-1000861 was released in early March.
Marinho noticed some attacks hit one of his honeypots attempting to exploit this Jenkins vulnerability to deliver the Kerberods cryptominer.
“Looking for publicly available exploits for this vulnerability, I could find a detailed proof of concept published early March this year.” reads the analysis published by Marinho.
“After analyzing the threat which attacked one of my honeypots, I created the diagram shown in the picture below. Follow the numbers in blue to understand each step.”
The Kerberods dropper is packed with a custom version of the UPX packer, it attempts to obtain root privileges to hide its presence and gain persistence.
“After analyzing the binary, I could see that the packer used was a custom version of ‘UPX’. UPX is an open source software and there are many ways UPX can be modified to make it hard to unpack the file using regular UPX version.” continues the analysis. “Fortunately, in this case, the UPX customizations involved just the modification of the magic constant UPX_MAGIC_LE32 from ‘UPX’ to some other three letters. Thus, reverting it to UPX in different parts of the binary, it was possible to unpack the binary with the regular version of UPX. “
Once obtained the root permissions, Kerberods will load a library into the operating system that hooks different functions of Glibc, acting like a rootkit.
In the absence of root permissions, the malware created a cron job to ensure persistence.
Kerberods downloads and executes a Monero cryptocurrency miner on the infected system, it also uses local SSH keys for lateral movements. The malware also search for other vulnerable Jenkins servers on the internet.