
A security researcher hunting for bug bounties discovered last month that a cryptocurrency-mining botnet had found a home and burrowed inside a web server operated by the US Department of Defense (DOD).

The issue was discovered and reported[1] via the DOD's official bug bounty program by Indian security researcher Nitesh Surana[2].

Initially, the bug report was filed in relation to a misconfigured Jenkins automation server[3] running on an Amazon Web Services (AWS) server associated with a DOD domain.

Surana discovered that anyone could access the Jenkins server without login credentials.

Full access was apparently possible, including to the filesystem. Surana says the /script folder, part of the Jenkins installation, was also open to anyone.

In Jenkins, /script is not a folder at all but the Script Console, a built-in web form that runs whatever Groovy code is submitted to it directly on the Jenkins controller, with the privileges of the Jenkins process. Anyone who can reach it without logging in can execute arbitrary commands on the host.

Surana informed the DOD that an attacker could upload malicious files inside this folder and install a permanent backdoor or take over the entire server.
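As an added illustration (not code from ZDNet or from Surana's report), the check below tells an open Script Console apart from one sitting behind authentication, without submitting any Groovy. It relies only on markers Jenkins's own pages carry (the "Script Console" heading and the `script` textarea on the console page, the `j_username` field on the login form); the sample HTML bodies are constructed for offline use, and the probe should be pointed only at hosts you are authorised to test.

```python
import urllib.error
import urllib.request
from dataclasses import dataclass

# Markers taken from Jenkins's own HTML: the Script Console page renders a
# <textarea name="script"> under a "Script Console" heading; the login page
# carries the j_username field. Nothing else is assumed about the server.
SCRIPT_CONSOLE_MARKERS = ("Script Console", 'name="script"')
LOGIN_FORM_MARKER = 'name="j_username"'

# Constructed sample responses for offline checks (not captured from any real host).
SAMPLE_OPEN_CONSOLE = (
    '<html><h1>Script Console</h1>'
    '<form><textarea name="script"></textarea></form></html>'
)
SAMPLE_LOGIN_PAGE = (
    '<html><form action="j_spring_security_check">'
    '<input name="j_username"><input name="j_password"></form></html>'
)


@dataclass
class ProbeResult:
    status: int
    exposed: bool
    reason: str


def classify_script_console(status: int, body: str) -> ProbeResult:
    """Interpret one HTTP response to GET <jenkins>/script.

    'exposed' is True only when the console itself was rendered, i.e. an
    unauthenticated client could submit Groovy to the controller.
    """
    if status == 200 and all(marker in body for marker in SCRIPT_CONSOLE_MARKERS):
        return ProbeResult(status, True, "Script Console rendered without authentication")
    if status == 200 and LOGIN_FORM_MARKER in body:
        # urllib follows redirects, so a bounce to /login shows up as a 200 login page
        return ProbeResult(status, False, "redirected to the login form")
    if status in (401, 403):
        return ProbeResult(status, False, "authentication or authorization enforced")
    if status in (301, 302, 303, 307, 308):
        return ProbeResult(status, False, "redirect (probably to /login)")
    return ProbeResult(status, False, "unexpected response, inspect manually")


def probe(base_url: str, timeout: float = 10.0) -> ProbeResult:
    """Fetch /script from a Jenkins instance you are authorised to test and classify it."""
    url = base_url.rstrip("/") + "/script"
    req = urllib.request.Request(url, headers={"User-Agent": "script-console-check/1.0"})
    try:
        with urllib.request.urlopen(req, timeout=timeout) as resp:
            return classify_script_console(resp.status, resp.read().decode("utf-8", "replace"))
    except urllib.error.HTTPError as err:
        # 401/403 responses are raised as exceptions; their body is still classified
        return classify_script_console(err.code, err.read().decode("utf-8", "replace"))


if __name__ == "__main__":
    import sys

    for target in sys.argv[1:]:
        result = probe(target)
        print(f"{target}: exposed={result.exposed} status={result.status} ({result.reason})")
```

A 200 that renders the console is the finding described above; a 403 or a login form means the instance at least enforces authentication on that endpoint, although that says nothing about how weak the credentials are or whether anonymous users were granted other permissions.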

Server already hacked before researcher's report

The DOD secured the vulnerable server, but when revisiting his findings, Surana also realized that the Jenkins server had already been compromised even before he found it.

The researcher said he tracked down the clues he found to a malware operation specialized in hacking cloud servers and installing Monero-mining malware.

ZDNet searched for the Monero wallet address that this botnet was using to collect funds. Google results[4] show dozens of mentions of this address going back as far as August 2018.

Most mentions are from Chinese users, who reported finding a Monero miner on their cloud servers [1, 2, 3, 4, 5, 6].

Using the XMRHunter service, we
