
A security researcher hunting for bug bounties discovered last month that a cryptocurrency-mining botnet had buried itself in a web server of the US Department of Defense (DOD).

The problem was discovered and reported through the DOD's official bug bounty program by Indian security researcher Nitesh Surana.

Initially, the bug report was submitted regarding a misconfigured Jenkins automation server running on an Amazon Web Services (AWS) server associated with a DOD domain.

Surana discovered that anyone could access the Jenkins server without login details.

Full access was apparently possible, including to the file system. Surana says that the /script folder, part of the Jenkins installation, was also accessible to everyone.

In this folder, users upload files that the Jenkins server automatically reads and executes at regular intervals.

Surana informed the DOD that an attacker could upload malicious files to this folder and install a permanent back door or take over the entire server.
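The root cause described above is a Jenkins controller that lets unauthenticated visitors in with full rights. The following audit script is an added example (it is not from the article, nor code from the DOD, HackerOne or the Jenkins project): it parses the `config.xml` that Jenkins writes to `$JENKINS_HOME` and flags the three settings that produce exactly this exposure, security switched off, the "Unsecured" authorization strategy, and a matrix strategy that grants Administer or RunScripts to the `anonymous` sid. The three XML documents embedded below are constructed for the example; the element and class names are the ones Jenkins itself persists.

```python
"""Audit a Jenkins controller's config.xml for anonymous-access misconfigurations.

Added example, not the article's or any project's code. It checks the settings an
administrator controls under "Manage Jenkins > Configure Global Security", as
persisted in $JENKINS_HOME/config.xml:
  - <useSecurity> must be true, otherwise every visitor is an administrator;
  - <securityRealm> must not be SecurityRealm$None (no login at all);
  - <authorizationStrategy> must not be AuthorizationStrategy$Unsecured;
  - a matrix strategy must not grant Administer / RunScripts to 'anonymous'.
"""
import xml.etree.ElementTree as ET

UNSECURED_STRATEGY = "hudson.security.AuthorizationStrategy$Unsecured"
NO_LOGIN_REALM = "hudson.security.SecurityRealm$None"
ADMIN_PERMS = {"hudson.model.Hudson.Administer", "hudson.model.Hudson.RunScripts"}


def audit_jenkins_config(xml_text: str) -> list:
    """Return a list of human-readable findings; an empty list means no issue found."""
    findings = []
    root = ET.fromstring(xml_text)

    use_security = (root.findtext("useSecurity") or "false").strip().lower()
    if use_security != "true":
        findings.append("useSecurity is false: every visitor is an administrator")

    realm = root.find("securityRealm")
    if realm is not None and realm.get("class", "") == NO_LOGIN_REALM:
        findings.append("securityRealm is None: no login is possible or required")

    strategy = root.find("authorizationStrategy")
    if strategy is None:
        findings.append("no authorizationStrategy element: treat as unsecured")
        return findings
    if strategy.get("class", "") == UNSECURED_STRATEGY:
        findings.append("authorizationStrategy is Unsecured: anyone can do anything")

    # Matrix strategies persist one <permission> per grant. Jenkins has used both
    # "PERMISSION:sid" and "USER:PERMISSION:sid" forms; the last two fields are
    # the permission name and the sid in either layout.
    for perm in strategy.findall("permission"):
        parts = (perm.text or "").strip().split(":")
        if len(parts) < 2:
            continue
        name, sid = parts[-2], parts[-1]
        if sid == "anonymous" and name in ADMIN_PERMS:
            findings.append(f"anonymous is granted {name}")
    return findings


# Constructed sample 1: the kind of wide-open controller the article describes.
SAMPLE_OPEN = """<hudson>
  <useSecurity>false</useSecurity>
  <authorizationStrategy class="hudson.security.AuthorizationStrategy$Unsecured"/>
  <securityRealm class="hudson.security.SecurityRealm$None"/>
</hudson>"""

# Constructed sample 2: security is on, but a matrix grant hands admin to anonymous.
SAMPLE_ANON_ADMIN = """<hudson>
  <useSecurity>true</useSecurity>
  <authorizationStrategy class="hudson.security.GlobalMatrixAuthorizationStrategy">
    <permission>hudson.model.Hudson.Read:anonymous</permission>
    <permission>hudson.model.Hudson.Administer:anonymous</permission>
  </authorizationStrategy>
  <securityRealm class="hudson.security.HudsonPrivateSecurityRealm">
    <disableSignup>true</disableSignup>
  </securityRealm>
</hudson>"""

# Constructed sample 3: a hardened configuration; admin only for a named user.
SAMPLE_HARDENED = """<hudson>
  <useSecurity>true</useSecurity>
  <authorizationStrategy class="hudson.security.GlobalMatrixAuthorizationStrategy">
    <permission>hudson.model.Hudson.Administer:alice</permission>
    <permission>hudson.model.Hudson.Read:authenticated</permission>
  </authorizationStrategy>
  <securityRealm class="hudson.security.HudsonPrivateSecurityRealm">
    <disableSignup>true</disableSignup>
  </securityRealm>
</hudson>"""


if __name__ == "__main__":
    for label, doc in (("open", SAMPLE_OPEN), ("anon-admin", SAMPLE_ANON_ADMIN),
                       ("hardened", SAMPLE_HARDENED)):
        print(label, audit_jenkins_config(doc) or "OK")
```

Run it against a real controller with `audit_jenkins_config(open("/var/lib/jenkins/config.xml").read())`; any finding means the instance is one file upload away from the outcome Surana reported, regardless of what the web UI looks like.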

Server already hacked before investigator’s report

The DOD secured the vulnerable server, but when reviewing his findings, Surana also realized that the Jenkins server had been compromised before he found it.

The researcher said he found clues of a malware operation that specializes in hacking cloud servers and installing Monero-mining malware.

ZDNet searched for the Monero wallet address that this botnet used to collect funds. Google results show dozens of listings of this address dating back to August 2018.

Most of the entries are from Chinese users, who reported having found a Monero miner on their cloud servers (1, 2, 3, 4, 5, 6).

With the help of the XMRHunter service, we determined that the Monero address currently holds 35.4 Monero coins, worth just over $2,700. However, earlier funds may have been withdrawn to other accounts at regular intervals, so we cannot accurately estimate how much this botnet has collected through this address.

DOD runs a bug bounty program on HackerOne

Surana reported his findings through the DOD's official bug bounty program hosted on the HackerOne platform.

The DOD has had a bug bounty program for years.

The most recent DOD bug bounty ended last month, with the department paying $275,000 to security researchers for their work finding bugs in US Army-related web servers.

Due to the sensitive nature of the DOD infrastructure, the Surana report has been redacted to remove the name and URL of the DOD server affected by the coin-mining botnet. The researcher told ZDNet that he did not receive a reward for his report, but this was one of the rare cases in which a researcher's findings were made public.

Happy Friday hackers! Nitesh @ideaengine007 has found a critical RCE vulnerability in Jenkins that led us to discover a Bitcoin mining service running on a DoD website 😲. Go to the published report to view all the details! Thank you for being ites Nitesh https://t.co/YywrVZu2Uc

– DC3 VDP (@DC3VDP) January 31, 2020