Compromised Checkmarx Jenkins Plugin Spreads Infostealer

Overview of the Checkmarx Jenkins Plugin Compromise

A cybersecurity incident recently impacted users of the Checkmarx Application Security Testing (AST) plugin for Jenkins. Over a short period, a malicious version of the official Checkmarx AST plugin, identified as version 2023.2.7, was inadvertently published on the Jenkins Marketplace. This rogue package was found to contain an embedded infostealer, posing a significant risk to the security posture of affected Jenkins environments. The compromised plugin was available for download and installation between January 11 and January 13, 2024, according to BleepingComputer. This event highlights the persistent threat of Supply Chain Attack vectors, where attackers compromise trusted software distribution channels to disseminate malware.

Technical Details and Impact Assessment

The compromise of the Checkmarx AST plugin represents a classic software supply chain attack. Threat actors manipulated a legitimate software package, injecting an infostealer into version 2023.2.7 before its publication on a trusted public repository like the Jenkins Marketplace. This allowed the malicious code to bypass initial scrutiny, leading unsuspecting users to download and execute malware disguised as a legitimate update or new installation.

Once installed, the infostealer within the plugin was designed to collect sensitive information from the compromised Jenkins instance. While specific details of the malware’s capabilities were not exhaustively enumerated, such threats typically target: system information, configuration files, and crucially, authentication credentials such as API keys, tokens, and passwords stored within or accessible by the Jenkins environment. Jenkins servers are often central to an organization’s Continuous Integration/Continuous Delivery (CI/CD) pipelines, meaning they frequently hold highly privileged access to source code repositories, deployment targets, and other critical infrastructure. The exfiltration of these credentials could enable further unauthorized access, Lateral Movement within the network, and broader system compromise. The short window of exposure, from January 11 to 13, 2024, limits the overall impact, but any installation during this period must be considered compromised. Analysis of the attacker’s TTPs suggests an intent to gain persistent access and escalate privileges within targeted developer environments.

Actionable Recommendations for Securing Jenkins Environments Against Infostealers

Organizations utilizing Jenkins, particularly those who installed or updated the Checkmarx AST plugin during the specified timeframe, must take immediate and long-term actions to mitigate risks and bolster their security posture.

Immediate Remediation: How to detect Checkmarx Jenkins plugin compromise

For any organization that installed the Checkmarx AST plugin version 2023.2.7 between January 11 and January 13, 2024, the following steps are critically important:

• Verify Plugin Versions: Immediately review all installed Jenkins plugins to confirm that version 2023.2.7 of the Checkmarx AST plugin is not present. If it is, consider the system compromised.
• Uninstall Malicious Plugin: Promptly uninstall the compromised plugin. It’s recommended to install a known clean and verified version from Checkmarx’s official channels if the functionality is still required.
• Rotate Credentials: Assume that all credentials, including API keys, tokens, SSH keys, and passwords, that were configured within or accessible by the affected Jenkins instance during the compromise window, have been stolen. Initiate an immediate and comprehensive rotation of these credentials across all connected services and systems.
• System Scan and Forensics: Conduct a thorough scan of the compromised Jenkins server and underlying host system using updated antivirus and EDR solutions. Look for any suspicious files, processes, or network connections. Preserve logs for forensic analysis to understand the extent of the compromise, identifying any Indicators of Compromise (IoC) related to the infostealer’s C2 communication.

Long-Term Mitigation: Mitigating Software Supply Chain Attacks

Beyond immediate remediation, organizations should adopt practices to prevent similar incidents and enhance overall CI/CD security:

• Integrity Verification: Implement robust mechanisms for verifying the integrity and authenticity of all third-party plugins and dependencies before deployment. This includes digital signature validation and hash checks.
• Network Segmentation: Isolate Jenkins environments from other critical production systems through strong network segmentation. This limits the potential for lateral movement if a compromise occurs.
• Least Privilege: Enforce the principle of least privilege for Jenkins service accounts and build processes, ensuring they only have the minimum necessary permissions to perform their designated functions.
• Enhanced Monitoring: Deploy and configure SIEM solutions to actively monitor Jenkins logs, network traffic, and system behavior for anomalies, unauthorized access attempts, or unusual outbound connections.
• Zero Trust Architecture: Consider adopting a Zero Trust security model, where no entity, inside or outside the network perimeter, is trusted by default without strict verification.
• Regular Audits: Periodically audit Jenkins configurations, plugin lists, and access controls. Stay informed about security advisories related to Jenkins and its ecosystem.