Reportedly, CloudSEK used its artificial intelligence (AI)-powered digital risk platform XVigil to identify a post on a cybercrime forum mentioning open source automation server platform Jenkins as one of the TTP (tactics, techniques, and procedures) used by a threat actor (TA) in attacks against IBM and Stanford University.
Used by a TA to get clicks on ads, the module has hidden desktop takeover capabilities.
The post on the English-speaking forum was spotted by CloudSEK on 7th May 2022 and contained a sample screenshot as proof of their claimed access to a Jenkins dashboard.
Technically, the TA encountered a Jenkins dashboard bypass that contained internal hosts and scripts, as well as database credentials and logins.
The hacker would have used search engines like Shodan to target port 9443 of the compromised company’s public asset and then used a private script for fuzzing to get vulnerable instances to exploit rproxy misconfiguration bypass.
The same user posted additional posts onto the cybercrime forum in which the actor stated that they previously also targeted the IBM Tech Company, particularly internal administrators’ scripts and firewall configurations for internal networks.
CloudSEK, describing these attacks, said that the TTP used by the threat actors could be utilised by other users to conduct similar exploits.
They said, “modules like these can enable persistence and sophisticated ransomware attacks. Threat actors might move laterally, infecting the network, to maintain persistence and steal credentials.”
“Since password reuse is a common practice, actors could [also] leverage exposed credentials to access other accounts of the user.”
The TA also claimed responsibility for hacking Jozef Safarik University in Slovakia and Stanford University in the U.S.
Reports from XVigil stated that government access to the domains was discovered from multiple countries, including Ukraine and Pakistan.
Based on underground discussions, CloudSEK researchers said that they expect this malicious campaign to increase bot infection attempts.