Jenkins project discloses security breach following Confluence server hack
The developers of the Jenkins server, one of the most widely used open-source automation systems, said they suffered a security breach after hackers gained access to one of their internal servers and deployed a cryptocurrency miner.
Despite the intrusion and malware deployment, the Jenkins team downplayed the severity of the breach in a statement published on Saturday.
Jenkins admins said the hacked server, which hosted the now-defunct Jenkins wiki portal (wiki.jenkins.io), had already been deprecated since October 2019 when the project moved its wiki and team collaboration systems from a self-hosted Atlassian Confluence server to the GitHub platform.
"At this time we have no reason to believe that any Jenkins releases, plugins, or source code have been affected," the Jenkins team said over the weekend.
Following the discovery of the hack, Jenkins developers said they permanently took down the hacked Confluence server, rotated privileged credentials, and reset passwords for developer accounts.
Breach part of the larger Confluence attack wave
The Jenkins breach is part of a recent wave of attacks exploiting CVE-2021-26084 (also nicknamed Confluenza), an authentication bypass and command injection bug in Atlassian's Confluence server.
As The Record first reported last Wednesday, attacks against Confluence servers began last week and ramped up after security researchers published a proof-of-concept exploit on GitHub.
Attacks exploded throughout the week, prompting US Cyber Command to issue a public warning on Friday, urging administrators to patch affected systems before they left for the US Labor Day extended weekend.
Mass exploitation of Atlassian Confluence CVE-2021-26084 is ongoing and expected to accelerate. Please patch immediately if you haven’t already— this cannot wait until after the weekend.— USCYBERCOM Cybersecurity Alert (@CNMF_CyberAlert) September 3, 2021
The attacks, which most deployed cryptocurrency miners, according to security firms Bad Packets and Rapid7, are still ongoing.
According to internet monitoring project Censys, there are currently around 15,000 Atlassian Confluence servers that can be reached over the internet.
According to Censys, on Sunday, September 5, there were 8,597 Confluence servers connected online and still vulnerable to CVE-2021-26084.
Catalin Cimpanu is a cybersecurity reporter for The Record. He previously worked at ZDNet and Bleeping Computer, where he became a well-known name in the industry for his constant scoops on new vulnerabilities, cyberattacks, and law enforcement actions against hackers.