Crypto-Miners Now Target Jenkins Servers

It’s one thing to discover a $10 note on the street, it’s quite another to happen upon $3 million in a Monero crypto-currency wallet. The Check Point research team recently came across such a finding and traced it to what can safely be called one of the biggest malicious mining operations ever discovered.


For the past 18 months, this campaign has seen the XMRig miner malware running on many versions of Windows, draining personal computers of their computational resources. However, the threat actor, thought to be of Chinese origin, has now turned his attention to a far more powerful resource pool – the Jenkins CI server.


Used by DevOps teams around the world, Jenkins is the most popular open source automation server in use today. Indeed, with an estimated one million users, Jenkins is the ‘go to’ CI and DevOps orchestration tool. Unfortunately though, due to its incredible power, often hosted on large servers, this also makes it a prime target for crypto-mining attacks.


Putting Businesses in Danger

Businesses invest much effort and money in establishing powerful servers to support critical operations. However, as seen by our previous research into RubyMiner, due to their profitability these computational resources are now a choice target for malicious mining operators. Similar to RubyMiner, the JenkinsMiner could hugely impact the servers, causing slower performance times and even lead to a Denial of Service (DoS) attack, which could potentially be highly detrimental to the machines and business as a whole.

Despite the fact that some crypto-currencies have fallen in value over the past month, they are still a prized asset, and definitely valuable enough for this threat actor to ‘upgrade’ his capability of exploiting others to mine them. For sure it won’t be long before he has secured his next ill-gotten million!


How to Protect

Check Point’s IPS and Anti-Bot Protections have been successfully blocking this campaign since it started and continues to monitor it for any variants.

For full details on this discovery and how the exploitation of Jenkins servers has been carried out via XMRig, please visit our Research Blog.