[TheRecord] Jenkins project discloses security breach following Confluence server hack

The developers of the Jenkins server, one of the most widely used open-source automation systems, said they suffered a security breach after hackers gained access to one of their internal servers and deployed a cryptocurrency miner.

Despite the intrusion and malware deployment, the Jenkins team downplayed the severity of the breach in a statement published on Saturday.

Jenkins admins said the hacked server, which hosted the now-defunct Jenkins wiki portal (wiki.jenkins.io), had been deprecated since October 2019, when the project moved its wiki and team collaboration systems from a self-hosted Atlassian Confluence server to the GitHub platform.

“At this time we have no reason to believe that any Jenkins releases, plugins, or source code have been affected,” the Jenkins team said over the weekend.

Following the discovery of the hack, Jenkins developers said they permanently took down the hacked Confluence server, rotated privileged credentials, and reset passwords for developer accounts.

Breach part of the larger Confluence attack wave

The Jenkins breach is part of a recent wave of attacks exploiting CVE-2021-26084 (also nicknamed Confluenza), an authentication bypass and command injection bug in Atlassian’s Confluence server.

As The Record first reported last Wednesday, attacks against Confluence servers began last week and ramped up after security researchers published a proof-of-concept exploit on GitHub.

Attacks exploded throughout the week, prompting US Cyber Command to issue a public warning on Friday, urging administrators to patch affected systems before they left for the US Labor Day extended weekend.

Mass exploitation of Atlassian Confluence CVE-2021-26084 is ongoing and expected to accelerate. Please patch immediately if you haven’t already— this cannot wait until after the weekend.

— USCYBERCOM Cybersecurity Alert (@CNMF_CyberAlert) September 3, 2021

The attacks, most of which deployed cryptocurrency miners, according to security firms Bad Packets and Rapid7, are still ongoing.

According to internet monitoring project Censys, there are currently around 15,000 Atlassian Confluence servers that can be reached over the internet. 

According to Censys, on Sunday, September 5, there were 8,597 Confluence servers connected online and still vulnerable to CVE-2021-26084.


The post Jenkins project discloses security breach following Confluence server hack appeared first on The Record by Recorded Future.
