Biggest Crypto Hacking Operation Ever Uncovered

Read Time: 2 min.

Hackers are targeting Jenkins CI servers to exploit a vulnerability and secretly mine millions of dollars worth of cryptocurrency.

Researchers have uncovered what is believed to be the largest hacking operation dedicated to mining cryptocurrency around, a shadowy organisation that has raised millions already.

The group, allegedly of Chinese origin, is thought to have mined more than $3m worth of cryptocurrency over the past 18 months by targeting Windows vulnerabilities. However, researchers from Check Point have now identified the group’s new target - Jenkins CI servers, a popular open source automation server written in Java.

Unfortunately for the estimated more than a million users of Jenkins CI, the CVE-2017-1000353 vulnerability in the Jenkins Java deserialisation implementation allows hackers relatively easy access. The vulnerability is caused by a lack of validation of the serialised object, which allows any serialised object to be accepted.

The attackers are using two subsequent requests to the CLI interface in order to create a session and then a second crafted request containing the Capability object that informs the server for the client capabilities and the second is the Command object which contains the Monero miner payload.

“ The operation uses a hybridization of a Remote Access Trojan (RAT) and XMRig miner over the past months to target victims around the globe. The miner is capable of running on many platforms and Windows versions, and it seems like most of the victims so far are personal computers. With every campaign, the malware has gone through several updates and the mining pool used to transfer the profits is also changed ”, noted the researchers.

Although the hacker or hackers are competent and well-disciplined, using multiple attack vectors on Windows machines and now Jenkins CI servers, as well as a raft of various mining pools, they have left some digital fingerprints, with one pool wallet alone displaying a balance of approximately $3 million. The group are the latest to use the XMRig Monero miner, which recently was part of a mining attack that hit 15 million users across the globe.

Ilia Kolochenko, CEO, High-Tech Bridge commented on the earlier attack that: “ With the steady growth and popularity of digital currencies, we should expect the continuous and persistent growth of attacks targeting cryptocurrency wallets and/or installing malware to mine the coins.

“ As opposed to the regulated world of credit cards, PayPal or bank accounts, digital currencies are a unique opportunity for cybercriminals to use stolen [digital] money without risk of being halted or having their money frozen. Law enforcement and government bodies have virtually no control over digital coins and cannot intervene at the moment. Therefore, using all previously available and some emerging techniques within phishing and drive-by-download attacks, cyber criminals will likely focus their efforts on crypto currencies in the near future. ”

A recent investigation into cryptocurrency apps by High-Tech Bridge found that vulnerabilities are extensive in spite of the rising value of cryptocurrencies. Using the free online service Mobile X-Ray, which delivers SAST, DAST and IAST capabilities for native and hybrid Android and iOS applications, and also tests for various vulnerabilities including OWASP Mobile Top 10, the results should serve as food for thought.

Of the first 30 applications with more than 500,000 installations, the initial 94 per cent all contained at least 3 medium-risk vulnerabilities, while a further 77 per cent of applications contained at least 2 high-risk vulnerabilities. Half of the apps were sending [potentially] sensitive data with weak or insufficient encryption, and a whopping 94 per cent of the applications tested are using implementations of SSL or TLS banned under PCI DSS.