Ransomware attack on Indian payment system traced back to Jenkins bug

Avatar

Researchers have discovered that a damaging ransomware attack on a digital payment system used by many of India’s banks began with a vulnerability in Jenkins — a widely used open-source automation system for software developers.

Juniper Networks published a study this week analyzing how the attackers abused CVE-2024-23897, a vulnerability in the Jenkins Command Line Interface, which helps developers interact with the system.  

On July 31 the National Payments Corporation of India (NPCI), an umbrella organization for all retail payment systems in India, said it was dealing with a disruption caused by a ransomware attack on a third-party tech provider.

The technology provider, C-Edge Technologies, caters to regional rural banks, and in an effort to contain the effects, NPCI isolated the company from accessing retail payment systems operated by NPCI. Customers of C-Edge were not able to access payment systems as restoration efforts began. 

Services were restored one day later but the RansomEXX ransomware gang eventually took credit for the attack last week — writing on its leak site that it stole 142 GB from a digital payment platform connected to C-Edge. 

Juniper Networks analyzed the report that NPCI submitted to the Indian Computer Emergency Response Team. The researchers said the attack illustrated the need for organizations to apply security patches as soon as possible and resolve server misconfigurations to ensure security flaws cannot be exploited.

Jenkins allows developers to build, test and deploy software, and the vulnerability allows attackers to access sensitive files or data. 

CVE-2024-23897 was discovered by SonarSource last November and the company helped Jenkins verify the fix for it that was released in January

Once a proof of concept exploit was published, researchers immediately began seeing attack attempts, noting that the bug allowed attackers to take over unpatched Jenkins servers. 

The vulnerability set off alarm bells in the cybersecurity community earlier this year because of how widely deployed Jenkins is. 

There are tens of thousands of public-facing Jenkins servers and Naveen Sunkavally, chief architect at Horizon3.ai, said Jenkins is a common target for attackers because they are typically used to store troves of sensitive information and credentials to other systems.

“An attacker with no prior privileges can only really exploit this if the Jenkins server has been misconfigured from its default settings, or an attacker compromises the account of a valid Jenkins user. Further exploitation leading to server takeover and credential dumping is possible but involves factors outside of an attacker’s control,” Sunkavally said. 

He noted that there are four prior Jenkins-related vulnerabilities in Cybersecurity and Infrastructure Security Agency’s catalog of Known Exploited Vulnerabilities, and several have previously been used to install cryptominers or facilitate nation-state attacks. 

Several researchers, including Critical Start cyber threat intelligence research analyst Sarah Jones, warned in January that the vulnerability would allow hackers to pilfer troves of sensitive data or “potentially gaining complete control over an organization’s infrastructure.” 

“Beyond these immediate threats, such incidents can inflict lasting damage on an organization’s reputation, erode trust, impact financial stability, and even lead to legal repercussions,” she said. 

CybercrimeTechnologyNews
Get more insights with the

Recorded Future

Intelligence Cloud.

Learn more.

No previous article

No new articles

Jonathan Greig

is a Breaking News Reporter at Recorded Future News. Jonathan has worked across the globe as a journalist since 2014. Before moving back to New York City, he worked for news outlets in South Africa, Jordan and Cambodia. He previously covered cybersecurity at ZDNet and TechRepublic.

 

Total
0
Shares
Previous Post

New infostealer targets macOS devices, appears to have Russian links

Next Post

Crypto firm says hacker locked all employees out of Google products for four days

Related Posts

Russian RomCom Attacks Target Ukrainian Government with New SingleCamper RAT Variant

The Russian threat actor known as RomCom has been linked to a new wave of cyber attacks aimed at Ukrainian government agencies and unknown Polish entities since at least late 2023. The intrusions are characterized by the use of a variant of the RomCom RAT dubbed SingleCamper (aka SnipBot or RomCom 5.0), said Cisco Talos, which is monitoring the activity cluster under the moniker UAT-5647. "This
Avatar
Read More