Jenkins, a leading open source automation server, announced on Saturday that its deprecated Confluence service was successfully attacked through the Confluence CVE-2021-26084 exploit — something that US Cybercom warned of in a notice last week.
In a statement, Jenkins documentation officer Mark Waite explained that the affected server was taken offline and the team is investigating the impact of the issue.
“At this time we have no reason to believe that any Jenkins releases, plugins, or source code have been affected. Thus far in our investigation, we have learned that the Confluence CVE-2021-26084 exploit was used to install what we believe was a Monero miner in the container running the service,” Waite wrote.
“From there an attacker would not be able to access much of our other infrastructure. Confluence did integrate with our integrated identity system which also powers Jira, Artifactory, and numerous other services.”
Waite added that there is no indication that any developer credentials were taken during the attack but that they “cannot assert otherwise and are therefore assuming the worst.”
Jenkins said that until it re-establishes a “chain of trust with our developer community,” it will be preventing releases. Every account password has been reset and the Jenkins infrastructure team has permanently disabled the Confluence service. The team has also rotated privileged credentials and taken measures to reduce the scope of access across their infrastructure.
“We are working closely with our colleagues at the Linux Foundation and the Continuous Delivery Foundation to ensure that infrastructure which is not directly managed by the Jenkins project is also scrutinized,” Waite noted.
“In October 2019 we made the Confluence server read-only effectively deprecating it for day-to-day use within the project. At that time, we began migrating documentation and changelogs from the wiki to GitHub repositories. That migration has been ongoing, with hundreds of plugins and many other documentation pages moved from the wiki to GitHub repositories.”
Atlassian updated its notice — released on August 25 — to confirm that the vulnerability is being actively exploited in the wild.
“Affected servers should be patched immediately. The vulnerability is exploitable by unauthenticated users regardless of configuration,” Atlassian added to their previous notice.
US Cybercom caused a stir when it tweeted on Friday, “Mass exploitation of Atlassian Confluence CVE-2021-26084 is ongoing and expected to accelerate. Please patch immediately if you haven’t already — this cannot wait until after the weekend.”
BleepingComputer confirmed on Thursday that some threat actors are installing cryptominers on both Windows and Linux Confluence servers using the vulnerability.
Shawn Smith, director of infrastructure at nVisium, told ZDNet that the Atlassian Confluence vulnerability is “definitely still being exploited.”
“If we look at the list of versions that are vulnerable, it includes nearly every version — all the way back to the 4.x.x line, which was originally released in 2011. Looking at the early details, we know that nearly 15,000 servers were present online before the vulnerability disclosure — and eight days later that number had dropped by less than 4,000,” Smith said.
“Now, we’re only an additional five days beyond that and it’s unlikely that a significant number of servers were patched, especially considering it was a holiday weekend in the United States.”
Cybersecurity company Censys updated their own blog post on Sunday to say that the number of vulnerable Confluence instances dropped from 11,689 to 8,597 since last Thursday.
Bad Packets reported that CVE-2021-26084 exploit activity was being detected from hosts based in Russia targeting their Atlassian Confluence honeypots.
They previously said they “detected mass scanning and exploited activity from hosts in Brazil, China, Hong Kong, Nepal, Romania, Russia and the US targeting Atlassian Confluence servers vulnerable to remote code execution.”