Hackers are targeting Jenkins CI servers, the popular open source automation server written in Java, to deploy malware and secretly mine millions of dollars worth of cryptocurrency, security researchers have discovered.
According to Check Point researchers, the cybercriminals behind the JenkinsMiner campaign are believed to be of Chinese origin who have garnered over $3m worth of Monero cryptocurrency over the past 18 months by targeting multiple versions of Windows.
The attackers have been exploiting the CVE-2017-1000353 vulnerability in the Jenkins Java deserialisation implementation, researchers wrote in a blog post published on Thursday (15 February). By targeting this vulnerability, hackers have been coaxing Jenkins servers into downloading and installing a Monero miner.
"The operation uses a hybridization of a Remote Access Trojan (RAT) and XMRig miner over the past months to target victims around the globe," researchers said. "The miner is capable of running on many platforms and Windows versions, and it seems like most of the victims so far are personal computers.
"With every campaign, the malware has gone through several updates and the mining pool used to transfer the profits is also changed. Although the attack is well operated and maintained, and many mining-pools are used to collect the profits out of the infected machines, it seems that the operator uses only one wallet for all deposits and does not change it from one campaign to the next."
At the time of writing, the hackers have mined and cashed over 10,800 Monero (currently $3.3m, £2.34m) in the JenkinsMiner campaign.
Check Point researchers said the scheme could potentially become "one of the biggest malicious mining operations ever seen".
"As seen in our previous report of the RubyMiner, these types of attacks can be incredibly lucrative. Similar to the RubyMiner as well, the JenkinsMiner could negatively impact the servers, causing slower load times and even issuing a Denial of Service (DoS)," researchers warned. "Depending on the strength of the attack, this could prove to be very detrimental to the machines."
In recent months, hackers have been caught exploiting vulnerabilities in different servers to secretly install cryptomining software and generate digital currencies using the computing power of victims' systems.
The RubyMiner malware uncovered by CheckPoint last month targeted Linux and Windows servers running outdated software to plant the XMRing cryptominer and hijack vulnerable systems to mine digital currencies.
Hackers have also been found exploiting a critical flaw in Oracle WebLogic servers that was patched last year to mine cryptocurrency as well.