Ransomware attack on Indian payment system traced back to Jenkins bug

Researchers have discovered that a damaging ransomware attack on a digital payment system used by many of India’s banks began with a vulnerability in Jenkins — a widely used open-source automation system for software developers.

Juniper Networks published a study this week analyzing how the attackers abused CVE-2024-23897, a vulnerability in the Jenkins Command Line Interface, which helps developers interact with the system.  

On July 31 the National Payments Corporation of India (NPCI), an umbrella organization for all retail payment systems in India, said it was dealing with a disruption caused by a ransomware attack on a third-party tech provider.

The technology provider, C-Edge Technologies, caters to regional rural banks, and in an effort to contain the effects, NPCI isolated the company from accessing retail payment systems operated by NPCI. Customers of C-Edge were not able to access payment systems as restoration efforts began. 

Services were restored one day later but the RansomEXX ransomware gang eventually took credit for the attack last week — writing on its leak site that it stole 142 GB from a digital payment platform connected to C-Edge. 

Juniper Networks analyzed the report that NPCI submitted to the Indian Computer Emergency Response Team. The researchers said the attack illustrated the need for organizations to apply security patches as soon as possible and resolve server misconfigurations to ensure security flaws cannot be exploited.

Warnings issued months ago

Jenkins allows developers to build, test and deploy software, and the vulnerability allows attackers to access sensitive files or data. 

CVE-2024-23897 was discovered by SonarSource last November and the company helped Jenkins verify the fix for it that was released in January. 

Once a proof of concept exploit was published, researchers immediately began seeing attack attempts, noting that the bug allowed attackers to take over unpatched Jenkins servers. 

The vulnerability set off alarm bells in the cybersecurity community earlier this year because of how widely deployed Jenkins is. 

There are tens of thousands of public-facing Jenkins servers and Naveen Sunkavally, chief architect at Horizon3.ai, said Jenkins is a common target for attackers because they are typically used to store troves of sensitive information and credentials to other systems.

“An attacker with no prior privileges can only really exploit this if the Jenkins server has been misconfigured from its default settings, or an attacker compromises the account of a valid Jenkins user. Further exploitation leading to server takeover and credential dumping is possible but involves factors outside of an attacker's control,” Sunkavally said. 

He noted that there are four prior Jenkins-related vulnerabilities in Cybersecurity and Infrastructure Security Agency’s catalog of Known Exploited Vulnerabilities, and several have previously been used to install cryptominers or facilitate nation-state attacks. 

Several researchers, including Critical Start cyber threat intelligence research analyst Sarah Jones, warned in January that the vulnerability would allow hackers to pilfer troves of sensitive data or “potentially gaining complete control over an organization's infrastructure.” 

“Beyond these immediate threats, such incidents can inflict lasting damage on an organization's reputation, erode trust, impact financial stability, and even lead to legal repercussions,” she said.