Bug hunter finds cryptocurrency-mining botnet on DOD network

Monero-mining botnet infects one of the DOD's Jenkins servers.

cryptocurrency mining

Image: Dmitry Moraine

A security researcher hunting for bug bounties discovered last month that a cryptocurrency-mining botnet had found a home and burrowed inside a web server operated by the US Department of Defense (DOD).

The issue was discovered and reported via the DOD's official bug bounty program by Indian security researcher Nitesh Surana.

Initially, the bug report was filed in relation to a misconfigured Jenkins automation server running on an Amazon Web Services (AWS) server associated with a DOD domain.

Surana discovered that anyone could access the Jenkins server without login credentials.

Full access was apparently possible, including to the filesystem. Surana says the /script folder, part of the Jenkins installation, was also open to anyone.

This folder is where users upload files which the Jenkins server reads and executes automatically at regular intervals.

Surana informed the DOD that an attacker could upload malicious files inside this folder and install a permanent backdoor or take over the entire server.

Server already hacked before researcher's report

The DOD secured the vulnerable server, but when revisiting his findings, Surana also realized that the Jenkins server had already been compromised even before he found it.

The researcher said he tracked down the clues he found to a malware operation specialized in hacking cloud servers and installing Monero-mining malware.

ZDNet searched for the Monero wallet address that this botnet was using to collect funds. Google results show tens of mentions of this address going back as far as August 2018.

Most mentions are from Chinese users, who reported finding a Monero miner on their cloud servers [1, 2, 3, 4, 5, 6].

Using the XMRHunter service, we found that the Monero address currently holds 35.4 Monero coins, worth just over $2.700. However, past funds could have been withdrawn to other accounts at regular intervals, so we can't accurately estimate this botnet's operation just on this address.

DOD runs a bug bounty program on HackerOne

Surana reported his findings through the DOD's official bug bounty program, hosted on the HackerOne platform.

The DOD has been running a bug bounty program for years.

The most recent DOD bug-hunting drive ended last month, during which the department paid $275,000 to security researchers for their work in finding bugs in US Army-related web servers.

Due to the sensitive nature of the DOD infrastructure, Surana's report was redacted to remove the name and URL of the DOD server that was compromised by the coin-mining botnet. The researcher told ZDNet he was not awarded a bounty for his report, but this was one of the rare cases where a researcher's findings were made public.