Full Report
Optimeyes's Jenkins instance was publicly exposed, albeit with few viewable workspaces and locked down admin permissions. However, the build information for each past build contained a link to the corresponding git repository, including the bitbucket credentials in the url. Th...
Analysis Summary
# Incident Report: Optimeyes Jenkins Public Exposure and Data Leak
## Executive Summary
Optimeyes experienced a significant data breach originating from the public exposure of their Jenkins instance. Although administrative access was restricted, historical build information exposed URLs containing explicit Bitbucket credentials. An attacker leveraged this information to access and exfiltrate sensitive data, including source code repositories, customer inventories, ML models, and private keys.
## Incident Details
- Discovery Date: Not explicitly stated, but inferred around or before May 9, 2023 (publication date).
- Incident Date: Not explicitly stated, but occurred when the Jenkins instance was publicly exposed and exploited.
- Affected Organization: Optimeyes
- Sector: Technology/Data (Inferred from ML models and network inventories)
- Geography: Not disclosed
## Timeline of Events
### Initial Access
- Date/Time: Unknown
- Vector: Software misconfiguration (Publicly exposed Jenkins instance).
- Details: The Jenkins instance was publicly accessible. While workspaces were limited and admin permissions locked, build history logs contained URLs linking to Git repositories that explicitly embedded Bitbucket credentials (username and password/token).
### Lateral Movement
- Details: The attacker used the extracted Bitbucket credentials from the Jenkins build logs to access Git repositories. This likely provided access to other credentials stored within configuration files and source code, expanding the scope of the compromise (S3 bucket contents, databases, SFTP keys).
### Data Exfiltration/Impact
- Details: Sensitive data was exfiltrated, including: numerous Git repositories, Git credentials from configuration files, S3 bucket contents (customer network inventories, vulnerability scans), proprietary Machine Learning models, database backups, and SFTP private keys. The data was subsequently leaked online.
### Detection & Response
- Details: Detection was likely external (e.g., notification that the data had been leaked online). Response actions are not detailed beyond the fact that the issue was investigated and reported publicly.
## Attack Methodology
- Initial Access: Software Misconfiguration (Jenkins Instance Exposure).
- Persistence: Not explicitly detailed. The harvested credentials (Bitbucket, S3, SFTP keys) would have allowed continued access without further use of the Jenkins instance, so persistence is inferred to rest on credential harvesting rather than on any implant.
- Privilege Escalation: Not explicitly detailed, but the repositories contained configuration files with further, higher-privilege credentials, so each credential widened the set of systems the attacker could reach.
- Defense Evasion: Not explicitly detailed. No evasion appears to have been required: the build metadata, and the credential-bearing URLs in it, were readable without authentication despite the restricted admin permissions.
- Credential Access: Credential extraction directly from Jenkins build history URLs (embedded Bitbucket credentials).
- Discovery: Jenkins build metadata yielded the Bitbucket credentials; the cloned repositories then yielded further hardcoded secrets (Git credentials, S3 and SFTP keys) in configuration files.
- Lateral Movement: Movement from the exposed Jenkins environment to source code management (Bitbucket) and cloud storage (AWS S3).
- Collection: Gathering of proprietary models, backups, keys, and inventory data.
- Exfiltration: Data publicized online ("leaked online").
- Impact: Data Exfiltration.
## Impact Assessment
- Financial: Unknown.
- Data Breach: High severity. Included proprietary ML models, database backups, customer network inventories, vulnerability scans, and critical access infrastructure (SFTP private keys).
- Operational: Potential disruption due to exposure of system configurations and loss of proprietary IP.
- Reputational: Significant due to public reporting of a major data leak.
## Indicators of Compromise
- Network Indicators: The Jenkins instance's public hostname (not disclosed in the source). Unauthenticated requests from external addresses to build pages and build metadata endpoints (e.g. `/job/<name>/<number>/api/json`) should be treated as reconnaissance against an exposed instance.
- File Indicators: Configuration files containing embedded credentials, private keys.
- Behavioral Indicators: Excessive data retrieval from S3 buckets associated with the compromised credentials.
## Response Actions
*Note: Detailed official response actions are not provided in the source material.*
- Containment (Inferred): Immediate isolation/remediation of the publicly exposed Jenkins instance. Revocation of all credentials found in build logs (Bitbucket secrets).
- Eradication (Inferred): Review and rotation of all credentials found within the repositories' configuration files, S3 access keys, database credentials in backups, and SFTP private keys; purge of build history that still carries the credential-bearing URLs.
- Recovery (Inferred): Restoration of services; securing all exposed sensitive files.
## Lessons Learned
- **Critical Secret Sprawl:** Secrets (credentials) were embedded directly into build artifacts/logs, which were subsequently exposed due to poor configuration management.
- **Insufficient Configuration Hardening:** A publicly accessible CI/CD environment, even with restricted UI access, is an unacceptable risk if it contains exposable sensitive data.
## Recommendations
- Implement Secrets Management tools (e.g., HashiCorp Vault, AWS Secrets Manager) to prevent hardcoding of credentials in configuration files or Jenkins jobs.
- All CI/CD logs, especially build instructions and artifact metadata, must be scrubbed of sensitive information before storage.
- Jenkins instances and similar build servers must be placed behind robust network controls (VPNs or corporate boundaries) unless explicitly required for external access.
- Regularly audit build jobs to check for the accidental inclusion of secrets or links pointing to sensitive infrastructure.
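The credential leak described under Initial Access (a Bitbucket username and token embedded in the clone URL recorded with each build) and the audit and scrubbing recommendations above can be exercised with the following Python script. It is an added example, not code from the original report or from Optimeyes. It assumes the JSON shape the Jenkins Git plugin writes for a build (a `hudson.plugins.git.util.BuildData` action carrying `remoteUrls`), and the sample build document, console log, hostname, repository names and token value are all constructed for the example.

```python
"""Audit Jenkins build metadata and console output for credentials embedded in URLs.

Added example (not part of the original report). Assumes the Git plugin's
BuildData action shape; all sample data below is constructed.
"""
import json
import re
from typing import Optional
from urllib.parse import urlsplit, urlunsplit

# Constructed sample of what GET /job/<job>/<number>/api/json returns for a job
# whose clone URL was configured with the credentials inline. Host, repository
# and token are invented for this example.
SAMPLE_BUILD_JSON = json.dumps({
    "_class": "hudson.model.FreeStyleBuild",
    "number": 42,
    "actions": [
        {"_class": "hudson.model.CauseAction"},
        {
            "_class": "hudson.plugins.git.util.BuildData",
            "remoteUrls": [
                "https://ci-bot:EXAMPLE_APP_PASSWORD@bitbucket.org/acme/inventory.git",
                "git@bitbucket.org:acme/models.git",
            ],
        },
    ],
})

# Constructed sample console output: the Git plugin echoes the clone URL, so a
# credential in the job configuration also ends up in every build's log.
SAMPLE_CONSOLE_LOG = (
    "Cloning repository https://ci-bot:EXAMPLE_APP_PASSWORD@bitbucket.org/acme/inventory.git\n"
    " > git fetch --tags --progress https://ci-bot:EXAMPLE_APP_PASSWORD@bitbucket.org/acme/inventory.git"
    " +refs/heads/*:refs/remotes/origin/*\n"
)

# Matches the userinfo part ("user:secret@") of any scheme://user:secret@host URL.
USERINFO_RE = re.compile(r"([A-Za-z][A-Za-z0-9+.-]*://)[^/\s@]+@")


def find_remote_urls(build_json: str) -> list:
    """Return every remote URL recorded in the build's Git BuildData actions."""
    doc = json.loads(build_json)
    urls = []
    for action in doc.get("actions", []):
        if action.get("_class", "").endswith("BuildData"):
            urls.extend(action.get("remoteUrls", []))
    return urls


def embedded_credential(url: str) -> Optional[tuple]:
    """Return (username, password) if the URL carries userinfo, else None.

    scp-style Git URLs (git@host:path) have no scheme or netloc and cannot
    carry a password, so they are never reported.
    """
    parts = urlsplit(url)
    if not parts.netloc or "@" not in parts.netloc:
        return None
    return parts.username, parts.password


def redact_url(url: str) -> str:
    """Drop the userinfo from a URL, keeping scheme, host, port and path."""
    parts = urlsplit(url)
    if not parts.netloc or "@" not in parts.netloc:
        return url
    host = parts.netloc.rsplit("@", 1)[1]
    return urlunsplit((parts.scheme, host, parts.path, parts.query, parts.fragment))


def audit_build(build_json: str) -> list:
    """List every credential-bearing remote URL in a build, with the URL redacted."""
    findings = []
    for url in find_remote_urls(build_json):
        cred = embedded_credential(url)
        if cred is not None:
            findings.append({
                "url": redact_url(url),
                "username": cred[0],
                "has_password": cred[1] is not None,
            })
    return findings


def scrub_log(text: str) -> str:
    """Mask the userinfo of every URL in free-form log text before it is stored."""
    return USERINFO_RE.sub(r"\1[REDACTED]@", text)


if __name__ == "__main__":
    for finding in audit_build(SAMPLE_BUILD_JSON):
        print("credential in clone URL:", finding)
    print(scrub_log(SAMPLE_CONSOLE_LOG))
```

Run against a real instance, `SAMPLE_BUILD_JSON` would be replaced by the body of each `/job/<name>/<number>/api/json` response and `SAMPLE_CONSOLE_LOG` by `/consoleText`; a finding for any build is a signal that the credential is already exposed to everyone who can read that build and must be rotated, not merely scrubbed. The configuration fix is to reference the secret through Jenkins' credential store instead of the URL, for example `git url: 'https://bitbucket.org/acme/inventory.git', credentialsId: 'bitbucket-ro'` in a Jenkinsfile, so that neither the build metadata nor the console log ever contains it.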