Sunday night at 22:53 UTC our build server was compromised. An attacker used the CVE-2017-1000353 vulnerability in Jenkins to run a monero (crypto coin) miner.
With the help of the security team at Chainalysis, we have been able to determine, with high confidence, that no information was leaked as a consequence of the server being compromised.
To repeat: we have been able to determine that it is highly unlikely that any information has been leaked. This is the case for both information relating to our SaaS customers and our on-premise customers. Likewise, none of the releases available to customers have been affected. The vulnerability was, as far as we have been able to determine, only exploited to run the said mining program to the effect that our build server became so slow that we were unable to do a build.
While doing this security investigation however, we have found some things we would like to improve, and thus we’re now in the process of rebuilding our infrastructure from scratch. As a result, some SaaS customers can expect observe short service outages on the order of ~5minutes over the next few days as our we update DNS to a rebuilt production environment.
In the process we have also found the attacker’s command-and-control server, which also lists the ~2700 other hosts that have been attacked in a similar way. We are working on the best way to provide information to those unfortunate fellows.