Jenkins, a popular open-source automation server, revealed on Saturday that its discontinued Confluence service got attacked using the Confluence CVE-2021-26084 vulnerability, about which US Cybercom issued a warning last week.
Mark Waite, documentation officer at Jenkins, said in a statement that the affected server is now offline, and the team is examining the impact.
He further stated that, at this time, there is no reason to think that any Jenkins releases, plugins, or source code are compromised. So far, they’ve discovered that the use of Confluence CVE-2021-26084 vulnerability was for installing what seems to be a Monero miner in the container executing the service.
An attacker would be unable to gain access to most of other infrastructure from there, according to Waite
Waite further said that while there is no evidence that any developer credentials were stolen during this attack, they “cannot assert otherwise and are thus assuming the worst.”
Focus is on Building Trust
Jenkins team has announced that it would stop any new releases until it re-establishes trust with its developer community. The Jenkins infrastructure team has permanently stopped the Confluence service and has reset all account passwords. In addition, the team has rotated privileged credentials and taken steps to limit the extent of access to its infrastructure.
Waite further clarified that they are collaborating with their friends at the Linux Foundation and the Continuous Delivery Foundation to make sure that infrastructure not directly controlled by Jenkins also gets examined.
Confluence server was made read-only in October 2019, thus deprecated for day-to-day project use. During that time, transferring documentation and changelogs from the wiki to GitHub repositories happened. Hundreds of plugins and other documentation pages have been transferred from the wiki to GitHub repositories as part of this migration.
Atlassian Confirmed The Attacks on August 25
Multiple IT executives rushed to social media to certify that CVE-2021-26084 was being exploited, prompting the warning.
Atlassian revised their notice published on August 25 to indicate that the flaw is being actively leveraged in the open. An essential addition to the previous notice was about fixing the affected servers as soon as possible.
Image: Jenkins project