
Supply Chain Attack: Detecting and Removing the Compromised Checkmarx Jenkins AST Plugin

Security Arsenal Team
May 11, 2026

A sophisticated supply chain attack has targeted the Jenkins ecosystem, specifically impacting the Checkmarx AST (Application Security Testing) plugin. A malicious version of the plugin, identified as version 2024.6.1, was published to the official Jenkins Marketplace late last week. This artifact contains a backdoor capable of remote code execution (RCE), effectively giving attackers control over the Jenkins controller and, by extension, the underlying CI/CD infrastructure.

For defenders, this is a critical event. Compromise of a Jenkins controller often leads to credential theft (repository keys, cloud secrets), supply chain poisoning of downstream artifacts, and lateral movement into production environments. Immediate identification and removal of this malicious component are mandatory.

Technical Analysis

  • Affected Product: Jenkins CI/CD Server.
  • Affected Component: Checkmarx AST Plugin.
  • Plugin ID: com.checkmarx.jenkins.ast.
  • Malicious Version: 2024.6.1 (published approx. late last week).
  • Attack Vector: Compromised publisher credentials leading to the upload of a tainted .hpi (Java plugin) file to the Jenkins Update Center.
  • Mechanism: The malicious plugin initializes a persistent backdoor within the JVM runtime. It establishes a reverse shell or allows arbitrary command execution via a specifically crafted HTTP request to the Jenkins endpoint, bypassing standard security controls.
  • Exploitation Status: Active. The malicious artifact is currently available for download (or was until recently pulled) and may be auto-installed by environments configured for automatic plugin updates.

Detection & Response

SIGMA Rules

Detecting a compromised Jenkins instance requires focusing on the parent-child relationship of the Jenkins process (java.exe) and suspicious child processes that a CI/CD tool should rarely spawn directly, as well as network connections indicative of C2 beacons.

YAML
---
title: Jenkins Controller Spawning Suspicious Shell
id: 9c2f3b45-1d8e-4a3b-9e5f-6a7b8c9d0e1f
status: experimental
description: Detects the Jenkins Java process spawning cmd.exe, powershell.exe or pwsh.exe, which a CI/CD controller should rarely do directly and which is highly indicative of plugin-based backdoor exploitation.
references:
  - https://www.jenkins.io/security/advisories/
author: Security Arsenal
date: 2024/07/08
tags:
  - attack.execution
  - attack.t1059
logsource:
  category: process_creation
  product: windows
detection:
  selection:
    ParentImage|endswith: '\java.exe'
    ParentCommandLine|contains: 'jenkins.war'
    Image|endswith:
      - '\cmd.exe'
      - '\powershell.exe'
      - '\pwsh.exe'
  filter_legit_build:
    # Filter out legitimate build steps if known paths exist, but alert on all others
    CommandLine|contains: 'org.jenkinsci.plugins'
  condition: selection and not filter_legit_build
falsepositives:
  - Legitimate build pipelines explicitly invoking shells (rare for controllers)
level: high
---
title: Suspicious Outbound Connection from Java Jenkins Process
id: 1a2b3c4d-5e6f-7a8b-9c0d-1e2f3a4b5c6d
status: experimental
description: Detects the Jenkins Java process initiating outbound network connections to ports commonly used by reverse shells and C2 listeners. The network_connection event carries no command line, so correlate hits with the process-creation rule above to confirm the JVM is the Jenkins controller (jenkins.war).
references:
  - https://attack.mitre.org/techniques/T1071/
author: Security Arsenal
date: 2024/07/08
tags:
  - attack.command_and_control
  - attack.t1071
logsource:
  category: network_connection
  product: windows
detection:
  selection:
    Image|endswith: '\java.exe'
    Initiated: 'true'
    DestinationPort:
      - 4444
      - 5555
      - 6666
      - 8080
      - 8443
  condition: selection
falsepositives:
  - Legitimate webhook notifications or build agent connections
  - Other Java services on the same host (restrict Image to the Jenkins JVM path where possible)
level: medium

KQL (Microsoft Sentinel / Defender)

This query hunts for process creation events in which the Jenkins controller's Java process spawns a shell, the execution pattern described above for the Checkmarx plugin backdoor.

KQL — Microsoft Sentinel / Defender
DeviceProcessEvents
| where Timestamp > ago(3d)                                   // time filter first to narrow the scan
| where InitiatingProcessFileName in~ ("java.exe", "java")     // Windows and Linux controllers
| where InitiatingProcessCommandLine has "jenkins.war"
| where FileName in~ ("cmd.exe", "powershell.exe", "pwsh.exe", "bash", "sh")
| extend CheckmarxPluginCheck = iff(InitiatingProcessCommandLine has "checkmarx", "Likely Related", "Suspicious Activity")
// ProcessCommandLine is the child's command line in this table (there is no CommandLine column)
| project Timestamp, DeviceName, AccountName, InitiatingProcessCommandLine, FileName, ProcessCommandLine, CheckmarxPluginCheck

Velociraptor VQL

Use this VQL artifact to hunt for the presence of the malicious JAR file on disk within the Jenkins plugins directory and verify the version manifest.

VQL — Velociraptor
-- Hunt for the Checkmarx AST plugin manifest and extract its Plugin-Version
LET PluginRoot = '/var/lib/jenkins/plugins'

LET Manifests = SELECT OSPath, Mtime, Size,
       parse_string_with_regex(
           string=read_file(filename=OSPath),
           regex='Plugin-Version: *(?P<Version>[0-9.]+)').Version AS Version
  FROM glob(globs=PluginRoot + '/checkmarx-ast/META-INF/MANIFEST.MF')

-- Rows whose manifest declares the malicious release
SELECT * FROM Manifests WHERE Version = '2024.6.1'

-- Alternative: plugin archives (.jpi or .hpi) named checkmarx and modified in the last 7 days
SELECT OSPath, Mtime, Size
FROM glob(globs=[PluginRoot + '/*.jpi', PluginRoot + '/*.hpi'])
WHERE Name =~ 'checkmarx' AND Mtime > timestamp(epoch=now() - 7 * 24 * 3600)

Remediation Script (Bash)

Run this script on your Jenkins Linux controllers to identify and isolate the compromised plugin. Note: This requires stopping Jenkins to safely remove the plugin.

Bash / Shell
#!/bin/bash
# Identify and, if found, remove the compromised Checkmarx AST plugin 2024.6.1.
# Run as root (or as a user allowed to stop the jenkins service and write to JENKINS_HOME).
set -u

JENKINS_HOME="${JENKINS_HOME:-/var/lib/jenkins}"   # default; override via the environment if non-standard
PLUGIN_DIR="$JENKINS_HOME/plugins/checkmarx-ast"
BAD_VERSION="2024.6.1"

echo "[+] Checking for Checkmarx AST Plugin version $BAD_VERSION under $JENKINS_HOME..."

if [ ! -d "$PLUGIN_DIR" ] && [ ! -f "$PLUGIN_DIR.jpi" ] && [ ! -f "$PLUGIN_DIR.hpi" ]; then
    echo "[+] Checkmarx AST Plugin not found. System may be clean or uses a different installation path."
    exit 0
fi
echo "[!] Plugin found under: $JENKINS_HOME/plugins"

# Read Plugin-Version from the exploded directory, falling back to the archive itself
VERSION=""
if [ -f "$PLUGIN_DIR/META-INF/MANIFEST.MF" ]; then
    VERSION=$(grep '^Plugin-Version:' "$PLUGIN_DIR/META-INF/MANIFEST.MF" | cut -d: -f2 | tr -d '[:space:]')
else
    for archive in "$PLUGIN_DIR.jpi" "$PLUGIN_DIR.hpi"; do
        if [ -f "$archive" ]; then
            # A .jpi/.hpi is a zip; unzip -p streams the manifest without extracting it
            VERSION=$(unzip -p "$archive" META-INF/MANIFEST.MF 2>/dev/null | grep '^Plugin-Version:' | cut -d: -f2 | tr -d '[:space:]')
            break
        fi
    done
fi

if [ -z "$VERSION" ]; then
    echo "[-] Manifest not found or unreadable. Cannot verify version automatically."
    exit 2
fi
echo "[+] Installed Version: $VERSION"

if [ "$VERSION" != "$BAD_VERSION" ]; then
    echo "[+] Version does not match the malicious release ($BAD_VERSION). Monitor for IOCs."
    exit 0
fi

echo "[!!!] CRITICAL: Malicious version detected."
echo "[+] Stopping Jenkins service..."
systemctl stop jenkins || { echo "[-] Could not stop Jenkins; aborting removal."; exit 1; }

echo "[+] Removing compromised plugin directory and archive..."
rm -rf "$PLUGIN_DIR"
# Also drop the .disabled markers the UI creates, so nothing of the plugin remains on disk
rm -f "$PLUGIN_DIR.jpi" "$PLUGIN_DIR.hpi" "$PLUGIN_DIR.jpi.disabled" "$PLUGIN_DIR.hpi.disabled"

echo "[+] Plugin removed. Please download the verified safe version from the official marketplace only after vendor confirmation."
echo "[+] Restart Jenkins manually when ready: systemctl start jenkins"
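Beyond the single-plugin check above, a responder usually wants an inventory of every plugin archive on the controller with the tainted build flagged, including archives that were only "disabled" in the UI and are still on disk. The following Python is an added example, not tooling from this advisory, Jenkins or Checkmarx; it assumes the plugin's Short-Name is checkmarx-ast (the directory name used above) and that .jpi/.hpi files are plain zip archives containing META-INF/MANIFEST.MF, and it joins Java manifest continuation lines that a one-line grep would truncate.

```python
"""Inventory Jenkins plugin archives on disk and flag the tainted Checkmarx AST build."""
import tempfile
import zipfile
from pathlib import Path

KNOWN_BAD = {("checkmarx-ast", "2024.6.1")}  # (Short-Name, Plugin-Version) from the advisory; short name assumed

def parse_manifest(text: str) -> dict:
    """Parse a JAR manifest into attributes, joining continuation lines (a leading space)."""
    attrs, key = {}, None
    for raw in text.splitlines():
        if raw.startswith(" ") and key:
            attrs[key] += raw[1:]  # values over 72 bytes wrap onto such lines; grep would truncate them
        elif ":" in raw:
            key, _, val = raw.partition(":")
            attrs[key.strip()] = val.strip()
    return attrs

def plugin_manifest(archive: Path) -> dict:
    """Read META-INF/MANIFEST.MF from a .jpi/.hpi archive (a plain zip file)."""
    with zipfile.ZipFile(archive) as zf:
        return parse_manifest(zf.read("META-INF/MANIFEST.MF").decode(errors="replace"))

def inventory(plugins_dir: Path) -> list:
    """Return (short_name, version, disabled, status) for each plugin archive found."""
    rows = []
    for p in sorted(plugins_dir.iterdir()):
        if p.suffix not in (".jpi", ".hpi"):
            continue
        m = plugin_manifest(p)
        name, ver = m.get("Short-Name", p.stem), m.get("Plugin-Version", "?")
        disabled = p.with_name(p.name + ".disabled").is_file()  # UI 'Disable' marker; archive still on disk
        status = "MALICIOUS" if (name, ver) in KNOWN_BAD else "ok"
        rows.append((name, ver, disabled, status))
    return rows

def write_sample_plugins() -> Path:
    """Constructed test data, not real artifacts: a tainted, UI-disabled archive plus a benign one."""
    plugins_dir = Path(tempfile.mkdtemp()) / "plugins"
    plugins_dir.mkdir()
    bad = ("Manifest-Version: 1.0\r\nShort-Name: checkmarx-ast\r\nPlugin-Version: 2024.6.1\r\n"
           "Plugin-Dependencies: dep-a:1.0,dep-b:2.0,dep-c:3.0,dep-d:4.0,dep-e:5.0,dep-f\r\n :6.0\r\n")
    good = "Manifest-Version: 1.0\r\nShort-Name: git\r\nPlugin-Version: 5.0.0\r\n"
    for fname, mf in (("checkmarx-ast.jpi", bad), ("git.jpi", good)):
        with zipfile.ZipFile(plugins_dir / fname, "w") as zf:
            zf.writestr("META-INF/MANIFEST.MF", mf)
    (plugins_dir / "checkmarx-ast.jpi.disabled").touch()
    return plugins_dir
```

Point inventory() at the real $JENKINS_HOME/plugins to scan a controller; write_sample_plugins() only exists to exercise the parser offline.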

Remediation

  1. Immediate Isolation: If the malicious version 2024.6.1 is found, isolate the Jenkins controller from the network immediately to prevent C2 communication or lateral movement.
  2. Plugin Removal:
    • Stop the Jenkins service.
    • Navigate to $JENKINS_HOME/plugins/.
    • Delete the checkmarx-ast directory and any associated .hpi or .jpi files.
    • Do not simply disable the plugin via the UI; the files must be physically removed from disk.
  3. Credential Rotation: Assume all secrets stored in Jenkins (credentials, API keys, cloud tokens) have been exfiltrated. Rotate all credentials immediately.
  4. Rebuild: If possible, revert the Jenkins controller to a known-good state prior to the installation date of the malicious plugin.
  5. Vendor Advisory: Monitor the official Jenkins Security Advisory and Checkmarx communications for the re-signed, safe version of the plugin before re-installation.
  6. Audit: Review Jenkins logs for unauthorized user creation or strange job configurations dating back to the installation time of the plugin.
