Hackers are targeting Atlassian Confluence document collaboration software en masse, leading U.S. Cyber Command to issue an urgent warning. ("Atlassian Sydney Office All-Hands" by doctorDray is licensed under CC BY 2.0)

The Jenkins project reported Friday that one of its servers was successfully attacked by hackers using a recently warned about Confluence vulnerability to install a cryptocurrency miner.

Confluence is a web-based collaboration tool, according to Atlassian’s description.

U.S. Cyber Command last week issued an urgent warning about an active, mass exploitation of Atlassian’s Confluence CVE-2021-26084 and issued a public plea via Twitter for users to patch the service immediately prior to the Labor Day weekend.

SC Media previously reported that CVE-2021-26084 is an OGNL-injection vulnerability patched Aug. 25 offering remote code execution that affects versions of the product before 6.13.23, 7.11.6, 7.12.5, 7.13.0, and 7.4.11. It was originally discovered through the firm's bug bounty program. The bug does not impact Confluence Cloud customers.

Though Jenkins reports on its blog that there is no reason to believe that any of its releases, plugins or source code was affected, the open-source automation server immediately took the affected server offline. 

“Thus far in our investigation, we have learned that the Confluence CVE-2021-26084 exploit was used to install what we believe was a Monero miner in the container running the service. From there an attacker would not be able to access much of our other infrastructure. Confluence did integrate with our integrated identity system which also powers Jira, Artifactory, and numerous other services,” according to Jenkins blog post.

Jenkins disabled the Confluence service, rotated privileged credentials and took other measures to reduce the scope of access across its infrastructure, Jenkins said on its blog.