Category: Adversarial Intelligence
Threat Type: Threat Actor Services
Motivation: Financial
Region: Global
Source*: D4
Executive Summary
THREAT
- A threat actor described how Jenkins helped significantly in taking over sensitive accounts of an organization.
- The actor has a history of selling access to IBM and web shell access to various government entities.
IMPACT
- The TTPs (Tactics, Techniques, and Procedures) used by the threat actor can be reused by other attackers to conduct similar exploits.
- Modules like these can enable persistence and sophisticated ransomware attacks.
MITIGATION
- Patch software to the latest versions, or apply a workaround where patching is not possible.
- Audit and monitor network anomalies that are indicators of possible compromise.
CloudSEK’s contextual AI digital risk platform XVigil identified a post on an English-speaking cybercrime forum mentioning Jenkins as one of the TTPs used by a threat actor. This module has hidden desktop takeover capabilities to get clicks on ads. Based on underground discussions, CloudSEK researchers expect this malicious campaign to ramp up bot infection attempts.
[Figure: Threat actor’s post on the cybercrime forum]
Analysis and Attribution
Information from Cybercrime Forum
- On 07 May 2022, a threat actor published a post on a cybercrime forum describing how they breached a large company by exploiting a vulnerability in its Jenkins dashboard.
- Notably, the same threat actor was previously seen offering access to IBM.
- The actor also provided a sample screenshot as proof of their claimed access to a Jenkins dashboard.
[Figure: Sample shared by the threat actor while describing their TTP]
TTPs (Tactics, Techniques, and Procedures)
- The threat actor found a Jenkins dashboard bypass that exposed internal hosts and scripts along with database credentials and logins.
- The actor used search engines such as Shodan to find the compromised company’s public assets exposing port 9443.
- The actor then ran a private fuzzing script against those results to identify instances vulnerable to a reverse proxy (rproxy) misconfiguration bypass.
- In subsequent posts, the actor also described the following exploit story about gaining access to Stanford University:
  - The actor used the Sudomy tool to enumerate all subdomains related to the university.
  - The actor then used httpx to probe the enumerated domains with a path option such as -path /wp-content/plugins/.
  - A zero-day exploit in a plugin under that path returned data from every subdomain where the path was valid, which the actor claims then allowed remote code execution (RCE) on it.
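As an added defender-side example (not part of the CloudSEK report), the recon pattern in the Stanford University story, one client requesting the bare /wp-content/plugins/ path across many subdomains in quick succession, can be flagged from web server access logs. The log lines, the vhost-prefixed combined log format and the fan-out threshold below are constructed assumptions.

```python
import re
from collections import defaultdict

# Constructed sample access log (vhost-prefixed combined format); not taken from the report.
# One client hits the bare plugins directory on four different subdomains; two others are normal traffic.
SAMPLE_LOG = """\
www.example.edu 203.0.113.5 - - [07/May/2022:10:01:02 +0000] "GET /wp-content/plugins/ HTTP/1.1" 403 199 "-" "httpx"
blog.example.edu 203.0.113.5 - - [07/May/2022:10:01:03 +0000] "GET /wp-content/plugins/ HTTP/1.1" 200 512 "-" "httpx"
lib.example.edu 203.0.113.5 - - [07/May/2022:10:01:03 +0000] "GET /wp-content/plugins/ HTTP/1.1" 404 153 "-" "httpx"
cs.example.edu 203.0.113.5 - - [07/May/2022:10:01:04 +0000] "GET /wp-content/plugins/ HTTP/1.1" 200 489 "-" "httpx"
www.example.edu 198.51.100.7 - - [07/May/2022:10:02:10 +0000] "GET /wp-content/plugins/akismet/style.css HTTP/1.1" 200 801 "https://www.example.edu/" "Mozilla/5.0"
www.example.edu 198.51.100.9 - - [07/May/2022:10:03:11 +0000] "GET /index.php HTTP/1.1" 200 2048 "-" "Mozilla/5.0"
"""

# vhost ip ident user [timestamp] "method path proto" status bytes "referer" "user-agent"
LOG_RE = re.compile(
    r'^(?P<vhost>\S+) (?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) \S+ "(?P<ref>[^"]*)" "(?P<ua>[^"]*)"$'
)

def parse_log(text):
    """Yield one dict per well-formed log line; malformed lines are skipped."""
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if m:
            yield m.groupdict()

def plugin_probe_fanout(text, min_hosts=3):
    """Return {client_ip: sorted vhosts} for clients that requested the bare
    /wp-content/plugins/ directory on at least min_hosts distinct vhosts.
    Status codes are ignored on purpose: a 403 or 404 is still a probe.
    The user agent is deliberately not used, since it is trivially changed."""
    hosts_by_ip = defaultdict(set)
    for rec in parse_log(text):
        # Only the bare directory request counts; ordinary plugin asset loads
        # (e.g. /wp-content/plugins/<name>/style.css) are legitimate page traffic.
        if rec["path"].rstrip("/") == "/wp-content/plugins":
            hosts_by_ip[rec["ip"]].add(rec["vhost"])
    return {ip: sorted(h) for ip, h in hosts_by_ip.items() if len(h) >= min_hosts}

if __name__ == "__main__":
    for ip, hosts in plugin_probe_fanout(SAMPLE_LOG).items():
        print(f"{ip} probed /wp-content/plugins/ on {len(hosts)} hosts: {', '.join(hosts)}")
```

Tune min_hosts to the number of WordPress vhosts you operate; the same fan-out logic applies to any other directory a scanner sprays across an organisation's subdomains.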
The Threat Actor
- The actor has been actively posting about various exploits and accesses on the cybercrime forum. Some of the entities targeted by them include:
  - Network access to IBM (tech company), including internal administrator scripts and firewall configurations for the internal network. It contained the following information:
    - Active Directory users’ data
    - SMTP login credentials
    - RDP internal login credentials
    - Access to two databases
    - An AWS RDS-based database
    - 1 Log4j dashboard access
    - 1 RCE dashboard access
    - 1 WordPress dashboard access
  - Jozef Safarik University, Slovakia.
  - Government domain accesses from multiple countries, including:
    - Ukraine
    - United Arab Emirates
    - Pakistan
    - Nepal
    - Bhutan
    - Kenya
    - Sri Lanka
    - Indonesia
Source Rating
- The actor is quite active on the cybercrime forum.
- The posts shared by the actor could be true, but no proof of the exploits has been provided.
Hence,
- The reliability of the actor can be rated Not usually reliable (D).
- The credibility of the advertisement can be rated Doubtful (4).
- This gives an overall source credibility rating of D4.
Impact & Mitigation
Impact
- The TTPs used by the threat actor can be reused by others to conduct similar exploits.
- Modules like these can enable persistence and sophisticated ransomware attacks.
- Threat actors might move laterally across the network, infecting further hosts, to maintain persistence and steal credentials.
- Since password reuse is common, actors could leverage exposed credentials to access other accounts belonging to the same users.
Mitigation
- Patch software to the latest versions, or apply a workaround where patching is not possible.
- Audit and monitor network anomalies that are indicators of possible compromise.
- Use MFA (multi-factor authentication) across all logins.
Appendix
[Figure: Another post made by the threat actor selling RCE on web servers targeting government entities from Ukraine, UAE, Thailand, Pakistan, Indonesia, and others.]