Z0Miner malware spreading through unpatched Elasticsearch and Jenkins servers

Botnet moves on from exploiting WebLogic servers

Monero cryptocurrency

A malicious mining botnet discovered last year has moved on to target unpatched Jenkins and Elasticsearch servers to mine for Monero (XMR) cryptocurrency.

According to security researchers at Qihoo 360's Network Security Research Lab (360 Netlab), the Tencent Security Team discovered z0Miner last year exploiting the WebLogic unauthorized remote command execution vulnerability for propagation. Researchers said various mining malware families have become more active amid the surge in cryptocurrency values.

Z0Miner struck last year when Tencent Security tracked the malware exploiting two WebLogic pre-auth RCE bugs tracked as CVE-2020-14882 and CVE-2020-14883. At the time, the team of security analysts estimated the miner compromised around 5,000 servers by sending "carefully constructed data packets" to the vulnerable systems. The malware also moved laterally via SSH. 

Before that, Oracle had already issued a security bulletin warning of vulnerabilities in WebLogic components. At the time, research from cyber security company Rapid7 said the flaw was “trivial to exploit.”

Researchers said the malware has since changed to look for and infect systems by exploiting remote command execution vulnerabilities in Elasticsearch and Jenkins.

The malware uses exploits targeting an Elasticsearch RCE vulnerability — tracked as CVE-2015-1427 — and an older RCE impacting Jenkins server to compromise a server. It then downloads a malicious shell script to stop any competitive miners. Next, it sets up a cron job to periodically download and execute malicious scripts on Pastebin. Researchers said these scripts currently only have one exit command but couldn’t rule out the possibility that more malicious commands could be added in the future.

It then downloads and executes its mining software from three URLs containing a mining config file, an XMRig miner, and a miner starter shell script. According to researchers, it’s mined over 22 XMRs valued at $4,600 so far, but cyber criminals often use many wallets, so the overall figure could be much higher.

Researchers recommended Elasticsearch and Jenkins users check their installations and update them to patch these exploits as soon as possible. They also recommended that organizations check Elasticsearch and Jenkins for abnormal processes and network connections and monitor and block relevant IP and URLs.

Featured Resources

B2B under quarantine

Key B2C e-commerce features B2B need to adopt to survive

Download now

The top three IT pains of the new reality and how to solve them

Driving more resiliency with unified operations and service management

Download now

The five essentials from your endpoint security partner

Empower your MSP business to operate efficiently

Download now

How fashion retailers are redesigning their digital future

Fashion retail guide

Download now

Recommended

Study finds companies are mishandling cyber security recruitment
cyber security

Study finds companies are mishandling cyber security recruitment

28 Jul 2021
Dark web ads offering access to corporate networks increase sevenfold
hacking

Dark web ads offering access to corporate networks increase sevenfold

28 Jul 2021
Number of hacking tools increasing as cyber criminals become more organized
hacking

Number of hacking tools increasing as cyber criminals become more organized

28 Jul 2021
What is the Computer Misuse Act?
Policy & legislation

What is the Computer Misuse Act?

28 Jul 2021

Most Popular

The benefits of workload optimisation
Sponsored

The benefits of workload optimisation

16 Jul 2021
Samsung Galaxy S21 5G review: A rose-tinted experience
Mobile Phones

Samsung Galaxy S21 5G review: A rose-tinted experience

14 Jul 2021
IT Pro Panel: Why IT leaders need soft skills
professional development

IT Pro Panel: Why IT leaders need soft skills

26 Jul 2021