Cyber Incident Victim: Jenkins
Date: Aug 2021
Location: United States of America
Summary
Attackers exploited a recently disclosed remote code execution vulnerability in Atlassian Confluence to compromise a deprecated internal server belonging to the Jenkins project and installed a Monero cryptocurrency miner on it. The breach leveraged CVE-2021-26084, an unauthenticated remote code execution flaw, to deploy the XMRig miner inside the container running the service; the project confirmed no evidence of access to its broader infrastructure or of compromise of releases, plugins, or source code. Precautionary measures included rotating credentials, decommissioning the affected Confluence instance, and temporarily halting releases to re-establish trust with developers.
Description
On August 25, 2021, Atlassian disclosed CVE-2021-26084, a critical remote code execution vulnerability affecting its Confluence Server and Data Center products. The flaw allowed unauthenticated attackers to execute arbitrary code on vulnerable instances. Within approximately one week, proof-of-concept exploit code became publicly available, triggering widespread scanning and exploitation attempts by threat actors. The U.S. Cyber Command issued warnings about active mass exploitation of this vulnerability. Attackers primarily leveraged the exploit to deploy cryptocurrency mining software, with the open-source XMRig Monero miner being a common payload observed in these incidents.

During the week following the public release of exploit code, administrators of the Jenkins open-source automation server project discovered a compromise affecting one of their deprecated Confluence servers. Investigation revealed that attackers had exploited CVE-2021-26084 to install what was believed to be a Monero miner within the container running the affected service. Jenkins officials stated that the compromised Confluence instance was isolated from core infrastructure, limiting the attacker's access to other systems. The project immediately deactivated the breached server and rotated all privileged credentials as a precautionary measure. As an additional safeguard, Jenkins temporarily halted software releases until it had re-established a chain of trust with its developer community. No evidence indicated compromise of Jenkins project releases, plugins, or source code repositories. The incident highlighted the risks of keeping deprecated services running, even when they are segregated from primary infrastructure.
