Breach, Threat Management

Hackers install crypto miner on Jenkins project server via Confluence exploit

Hackers are targeting Atlassian Confluence document collaboration software en masse, leading U.S. Cyber Command to issue an urgent warning.  (“Atlassian Sydney Office All-Hands” by doctorDray is licensed under CC BY 2.0)
Hackers are targeting Atlassian Confluence document collaboration software en masse, leading U.S. Cyber Command to issue an urgent warning. ("Atlassian Sydney Office All-Hands" by doctorDray is licensed under CC BY 2.0)

The Jenkins project reported Friday that one of its servers was successfully attacked by hackers using a recently warned about Confluence vulnerability to install a cryptocurrency miner.

Confluence is a web-based collaboration tool, according to Atlassian’s description.

U.S. Cyber Command last week issued an urgent warning about an active, mass exploitation of Atlassian’s Confluence CVE-2021-26084 and issued a public plea via Twitter for users to patch the service immediately prior to the Labor Day weekend.

SC Media previously reported that CVE-2021-26084 is an OGNL-injection vulnerability patched Aug. 25 offering remote code execution that affects versions of the product before 6.13.23, 7.11.6, 7.12.5, 7.13.0, and 7.4.11. It was originally discovered through the firm's bug bounty program. The bug does not impact Confluence Cloud customers.

Though Jenkins reports on its blog that there is no reason to believe that any of its releases, plugins or source code was affected, the open-source automation server immediately took the affected server offline. 

“Thus far in our investigation, we have learned that the Confluence CVE-2021-26084 exploit was used to install what we believe was a Monero miner in the container running the service. From there an attacker would not be able to access much of our other infrastructure. Confluence did integrate with our integrated identity system which also powers Jira, Artifactory, and numerous other services,” according to Jenkins blog post.

Jenkins disabled the Confluence service, rotated privileged credentials and took other measures to reduce the scope of access across its infrastructure, Jenkins said on its blog.

Stephen Weigand

Stephen Weigand is managing editor and production manager for SC Media. He has worked for news media in Washington, D.C., covering military and defense issues, as well as federal IT. He is based in the Seattle area.

Get daily email updates

SC Media's daily must-read of the most current and pressing daily news

By clicking the Subscribe button below, you agree to SC Media Terms and Conditions and Privacy Policy.