Category: Adversarial Intelligence	Threat Type: Threat Actor Services	Motivation: Financial	Region: Global	Source*: D4

Executive Summary

THREAT	IMPACT	MITIGATION
A threat actor has mentioned how Jenkins helped significantly in taking over sensitive accounts of an organization. The actor has a history of selling accesses for IBM, and web shell accesses for different government entities.	TTPs (Tactics, Techniques, and Procedures) used by the threat actor can be utilized by other attackers to conduct similar exploits. Modules like these can enable persistence and sophisticated ransomware attacks.	Patch software to their latest versions or implement them with a workaround. Audit and monitor anomalies in device networks that are indicators of possible compromise.

CloudSEK’s contextual AI digital risk platform XVigil identified a post on an English-speaking cybercrime forum mentioning Jenkins as one of the TTPs used by a threat actor. This module has hidden desktop takeover capabilities to get clicks on ads. Based on underground discussions, CloudSEK researchers expect this malicious campaign to ramp up bot infection attempts. [caption id="attachment_19845" align="aligncenter" width="1021"] Threat actor’s post on the cybercrime forum[/caption]  

Analysis and Attribution

Information from Cybercrime Forum

• On 07 May 2022, a threat actor published a post on a cybercrime forum describing the story of breaching a big company by exploiting a vulnerability in the Jenkins dashboard.
• It is interesting to note that the same threat actor was previously seen offering access to IBM.
• The actor has also proved a sample screenshot as a proof of their claimed access to a Jenkins dashboard.

[caption id="attachment_19846" align="aligncenter" width="446"] Sample shared by the threat actor while describing his TTP[/caption]  

TTPs (Tactics, Techniques, and Procedures)

• The threat actor encountered a Jenkins dashboard bypass which contained internal hosts and scripts along with database credentials and logins.
• The actor used search engines like Shodan to target port 9443 of the compromised company’s public asset.
• After getting the results, the actor used a private script for fuzzing to get vulnerable instances to exploit rproxy misconfiguration bypass.
• In their subsequent posts, the actor also mentioned the following exploit story about gaining access to the Stanford University:
  • The actor used the Sudomy tool to enumerate all the subdomains related to the University.
  • The actor then used httpx to provided the domains with a path such as -path /wp-content/plugins/.
  • A vulnerable zero-day exploit on the above plugin returns data from all the subdomains that have a valid path with the zero-day, which then allows an attacker to execute RCE on it.

The Threat Actor

• The actor has been actively posting about different exploits and accesses on the cybercrime forum. Few of the entities targeted by them include:

1. Network access to IBM Tech Company, including internal administrators scripts and firewall configurations for internal network. It contained the following information:
   1. Active Directory Users’ data
   2. SMTP login credentials
   3. RDP internal login credentials
   4. Access to two databases
   5. AWS RDS-based database
   6. 1 Log4j dashboard access
   7. 1 RCE dashboard access
   8. 1 WordPress dashboard access.
2. Jozef Safarik University, Slovakia.
3. Government accesses of the domains are from multiple countries including:
   1. Ukraine
   2. United Arab Emirates
   3. Pakistan
   4. Nepal
   5. Bhutan
   6. Kenya
   7. Srilanka
   8. Indonesia

Source Rating

• The actor is quite active on the cybercrime forum.
• The posts shared by the actor could be possibly true, but there is no proof of the exploits.

Hence,

• The reliability of the actor can be rated Not usually reliable (D).
• The credibility of the advertisement can be rated Doubtful (4).
• Giving overall source credibility of D4.

Impact & Mitigation

Impact	Mitigation
The TTPs used by the threat actor can be utilized by others to conduct similar exploits. Modules like these can enable persistence and sophisticated ransomware attacks. Threat actors might move laterally, infecting the network, to maintain persistence and steal credentials. Since password reuse is a common practice, actors could leverage exposed credentials to access other accounts of the user.	Patch software to their latest versions or implement them with a workaround. Audit and monitor anomalies in device networks that are indicators of possible compromise. Use MFA (multi-factor authentication) across all logins.

References

• *Intelligence source and information reliability - Wikipedia
• ^#Traffic Light Protocol - Wikipedia

Appendix

[caption id="attachment_19847" align="aligncenter" width="1033"] Another post made by threat actor selling RCE on web server targeting government entities from Ukraine, UAE, Thailand, Pakistan, Indonesia, and others.[/caption]