Jenkins Vulnerability Exploited to Drop Kerberods Malware and Launch Monero Miner

Threat actors were found exploiting CVE-2018-1000861, a vulnerability in the Stapler web framework that is used by the Apache Jenkins open-source software development automation server with versions 2.153 and earlier. SANS Institute Internet Storm Center handler and Morphus Labs Chief Research Officer Renato Marinho discovered that, after successful exploitation of the Jenkins vulnerability, the Kerberods malware is dropped, which in turn launches a Monero cryptocurrency miner.

Jenkins had already released a security advisory concerning CVE-2018-1000861 in December 2018 when the vulnerability was uncovered by researchers.

[Read: AESDDoS Botnet Malware Exploits CVE-2019-3396 to Perform Remote Code Execution, DDoS Attacks, and Cryptocurrency Mining]

Kerberods obtains root privileges and deploys cryptocurrency miner

Marinho’s analysis notes that the dropper used in the campaign — Kerberods — has the capability to hide its activities on the system and to look for new victims on the internet and the local network.

The Kerberods variant is leveraged to gain root privileges over the affected system. It can also drop, compile, and load a library into the operating system that hooks functions of Glibc in an attempt to modify its behavior.

If the Kerberods variant fails to obtain root permissions, a cron job will be created for persistence. The variant will then proceed to download and execute a Monero cryptocurrency miner on the affected system. The same behavior was exhibited by another Kerberods variant (detected by Trend Micro as Trojan.Linux.KERBERDS.A) used in a campaign that exploited a vulnerability in the Confluence software. Marinho also found out that the variant has the ability to kill other existing cryptocurrency miners that might be present on the system.

Upon launching the cryptocurrency miner, the Kerberods variant will utilize local SSH keys to conduct lateral movement on the compromised network to search for new victims. In addition, the compromised system is also used by the threat actors to search the internet for other vulnerable Jenkins servers.

[Read: Previously Patched, Still Potentially Critical: Kubernetes’ Path Traversal Vulnerability]

Security recommendations and solutions

The abuse of this vulnerability in a software development automation server highlights the need for organizations to implement continuous monitoring in software development. This process should include identifying vulnerabilities and making use of the latest threat intelligence to defend against malware or exploits that abuse security flaws.

Organizations can also take advantage of the Trend Micro™ Hybrid Cloud Security solution, which provides powerful, streamlined, and automated security within the DevOps pipeline. This solution also delivers multiple XGen™ threat defense techniques for protecting physical, virtual, and cloud workloads. In addition, it protects containers via the Deep Security™ and Deep Security Smart Check solutions, which help DevOps and security teams scan and ensure the security of container images during preruntime and runtime.

Trend Micro Deep Security solutions protect systems from threats that may target CVE-2018-1000861 via the following rule:

  • 1009728 - Jenkins Stapler Web Framework Remote Code Execution Vulnerability

Like it? Add this infographic to your site:
1. Click on the box below.   2. Press Ctrl+A to select all.   3. Press Ctrl+C to copy.   4. Paste the code into your page (Ctrl+V).

Image will appear the same size as you see above.