CloudSEK used its artificial intelligence (AI)-powered digital risk platform XVigil to identify a post on a cybercrime forum that mentioned the open source automation server Jenkins as one of the TTPs (tactics, techniques, and procedures) used by a threat actor (TA) in attacks against IBM and Stanford University.
The module reportedly has hidden desktop takeover capabilities that the TA would use to get clicks on ads.
CloudSEK spotted the post on the English-speaking forum on May 07, 2022. It contained a sample screenshot as proof of the TA's claimed access to a Jenkins dashboard.
From a technical standpoint, the TA found a bypass to a Jenkins dashboard that contained internal hosts and scripts, together with database credentials and logins.
The hacker reportedly used search engines like Shodan to target port 9443 of the compromised company’s public asset, and then used a private fuzzing script to find vulnerable instances on which to exploit an rproxy misconfiguration bypass.
According to additional posts by the same user on the cybercrime forum, the actor said they previously also targeted IBM Tech Company, particularly internal administrators’ scripts and firewall configurations for internal networks.
Describing the attacks, CloudSEK said that the TTPs used by the threat actor could be used by others to conduct similar exploits.
“Modules like these can enable persistence and sophisticated ransomware attacks. Threat actors might move laterally, infecting the network, to maintain persistence and steal credentials,” the security experts wrote.
“Since password reuse is a common practice, actors could [also] leverage exposed credentials to access other accounts of the user.”
For context, the TA also claimed responsibility for hacking Jozef Safarik University in Slovakia and Stanford University.
Reports from XVigil suggested government access to the domains was discovered from multiple countries, including Ukraine, United Arab Emirates, Pakistan and Nepal.
Based on underground discussions, CloudSEK researchers said they expect this malicious campaign to ramp up bot infection attempts.