Threat Actor Services
CloudSEK’s contextual AI digital risk platform XVigil identified a post on an English-speaking cybercrime forum mentioning Jenkins as one of the TTPs used by a threat actor. This module has hidden desktop takeover capabilities to get clicks on ads. Based on underground discussions, CloudSEK researchers expect this malicious campaign to ramp up bot infection attempts.
- On 07 May 2022, a threat actor published a post on a cybercrime forum describing how they breached a large company by exploiting a vulnerability in its Jenkins dashboard.
- It is interesting to note that the same threat actor was previously seen offering access to IBM.
- The actor also provided a sample screenshot as proof of their claimed access to a Jenkins dashboard.
- The threat actor encountered a Jenkins dashboard bypass that exposed internal hosts and scripts along with database credentials and logins.
- The actor used search engines such as Shodan to target port 9443 on the compromised company’s public assets.
- After obtaining the results, the actor used a private fuzzing script to identify vulnerable instances and exploit an rproxy misconfiguration bypass.
- In their subsequent posts, the actor also described the following exploit story about gaining access to Stanford University:
  - The actor used the Sudomy tool to enumerate all subdomains related to the university.
  - The actor then used httpx to probe the domains with a path such as -path /wp-content/plugins/.
  - A zero-day exploit against the above plugin returns data from all subdomains that have a valid path affected by the zero-day, which then allows an attacker to achieve remote code execution (RCE) on them.
- The actor has been actively posting about different exploits and accesses on the cybercrime forum. Some of the entities targeted by them include:
  - Network access to IBM Tech Company, including internal administrator scripts and firewall configurations for the internal network. It contained the following information:
    - Active Directory users’ data
    - SMTP login credentials
    - RDP internal login credentials
    - Access to two databases
    - An AWS RDS-based database
    - 1 Log4j dashboard access
    - 1 RCE dashboard access
    - 1 WordPress dashboard access
  - Jozef Safarik University, Slovakia.
  - Government domain accesses from multiple countries, including:
    - United Arab Emirates
- The actor is quite active on the cybercrime forum.
- The posts shared by the actor could be true, but there is no proof of the exploits.
- The reliability of the actor can be rated Not usually reliable (D).
- The credibility of the advertisement can be rated Doubtful (4).
- This gives an overall source credibility rating of D4.