{
  "name": "Turning Jenkins Into a Cryptomining Machine From an Attacker's Perspective",
  "slug": "turning-jenkins-into-a-cryptomining-machine-from-an-attackers-perspective",
  "description": "This report analyzes how threat actors can exploit misconfigured Jenkins servers to execute malicious Groovy scripts, enabling follow-on activity such as deploying cryptocurrency miners. A misconfiguration that exposes the Jenkins Script Console (the /script endpoint) allows remote code execution: attackers can run scripts that download and execute miner binaries, then maintain persistence through cron jobs and systemd utilities.",
  "published": "2024-07-05T13:26:21+00:00",
  "created_at": "2024-07-05T13:26:21+00:00",
  "modified_at": "2024-07-05T14:21:14+00:00",
  "created_at_opencti": "2024-07-05T13:26:21+00:00",
  "author": "",
  "confidence": null,
  "report_types": [],
  "labels": [],
  "tags": [
    "2024-07-05",
    "cryptominer",
    "groovy language",
    "jenkins script console",
    "linux"
  ],
  "related_entities": {
    "observables": [
      {
        "id": "",
        "name": "berrystore.me"
      },
      {
        "id": "",
        "name": "57fedfb431a717031f454d4fb2809d1f6d432a9edd900b07f0b9f9aca7fb3597"
      },
      {
        "id": "",
        "name": "119cdc48db534c6093a24e78120c433480c5fb3f4a1a79270a78d9bf049fbe1c"
      },
      {
        "id": "",
        "name": "07ca2a2e0d6ccfcef2cb010fe80a831c963755cc6179aaa95fe6e04d7d076c89"
      }
    ],
    "attack_patterns": [
      {
        "id": "e0204523-8122-4143-a774-7a3a1a81dc38",
        "name": "T1053.003"
      },
      {
        "id": "f5f8c703-b2c6-4758-b36c-33255f758d55",
        "name": "T1053.006"
      },
      {
        "id": "c9ee9b30-ba84-4c24-95e9-e8242d42af3f",
        "name": "T1071.001"
      },
      {
        "id": "392fef6c-4d5d-4280-bad6-b78751569e7f",
        "name": "T1222.002"
      },
      {
        "id": "c473a756-355a-42ad-a0df-cd3a8fa006d1",
        "name": "T1057"
      },
      {
        "id": "cbd87c8c-3bed-461a-acef-56ffc8b87571",
        "name": "T1105"
      },
      {
        "id": "6d618903-d9f6-4747-aec2-7630f43c1908",
        "name": "T1496"
      },
      {
        "id": "45082a8e-9c79-470e-ad1b-decac7188e8f",
        "name": "T1083"
      },
      {
        "id": "0156fcda-e385-4662-b388-086c3e16feec",
        "name": "T1140"
      },
      {
        "id": "6c8f8a40-2746-4a37-86bd-81e82afa6e62",
        "name": "T1190"
      }
    ]
  },
  "external_refs": [
    "https://www.trendmicro.com/content/dam/trendmicro/global/en/research/24/g/turning-jenkins-into-a-cryptomining-machine-from-an-attackers-perspective/ioc-turning-jenkins-into-a-cryptomining-machine-from-an-attacker-perspective.txt",
    "https://www.trendmicro.com/en_us/research/24/g/turning-jenkins-into-a-cryptomining-machine-from-an-attackers-pe.html",
    "https://otx.alienvault.com/pulse/6688109d6e2eec4cc151dc96"
  ]
}