Z0Miner malware spreading through unpatched Elasticsearch and Jenkins servers

Botnet moves on from exploiting WebLogic servers

Monero cryptocurrency

A malicious mining botnet discovered last year has moved on to target unpatched Jenkins and Elasticsearch servers to mine for Monero (XMR) cryptocurrency.

According to security researchers at Qihoo 360's Network Security Research Lab (360 Netlab), the Tencent Security Team discovered z0Miner last year exploiting the WebLogic unauthorized remote command execution vulnerability for propagation. Researchers said various mining malware families have become more active amid the surge in cryptocurrency values.

Z0Miner struck last year when Tencent Security tracked the malware exploiting two WebLogic pre-auth RCE bugs tracked as CVE-2020-14882 and CVE-2020-14883. At the time, the team of security analysts estimated the miner compromised around 5,000 servers by sending "carefully constructed data packets" to the vulnerable systems. The malware also moved laterally via SSH. 

Before that, Oracle had already issued a security bulletin warning of vulnerabilities in WebLogic components. At the time, research from cyber security company Rapid7 said the flaw was “trivial to exploit.”

Researchers said the malware has since changed to look for and infect systems by exploiting remote command execution vulnerabilities in Elasticsearch and Jenkins.

The malware uses exploits targeting an Elasticsearch RCE vulnerability — tracked as CVE-2015-1427 — and an older RCE impacting Jenkins server to compromise a server. It then downloads a malicious shell script to stop any competitive miners. Next, it sets up a cron job to periodically download and execute malicious scripts on Pastebin. Researchers said these scripts currently only have one exit command but couldn’t rule out the possibility that more malicious commands could be added in the future.

It then downloads and executes its mining software from three URLs containing a mining config file, an XMRig miner, and a miner starter shell script. According to researchers, it’s mined over 22 XMRs valued at $4,600 so far, but cyber criminals often use many wallets, so the overall figure could be much higher.

Researchers recommended Elasticsearch and Jenkins users check their installations and update them to patch these exploits as soon as possible. They also recommended that organizations check Elasticsearch and Jenkins for abnormal processes and network connections and monitor and block relevant IP and URLs.

Featured Resources

The ultimate law enforcement agency guide to going mobile

Best practices for implementing a mobile device program

Free download

The business value of Red Hat OpenShift

Platform cost savings, ROI, and the challenges and opportunities of Red Hat OpenShift

Free download

Managing security and risk across the IT supply chain: A practical approach

Best practices for IT supply chain security

Free download

Digital remote monitoring and dispatch services’ impact on edge computing and data centres

Seven trends redefining remote monitoring and field service dispatch service requirements

Free download

Recommended

Microsoft touts new cyber security help for nonprofits
cyber security

Microsoft touts new cyber security help for nonprofits

22 Oct 2021
Ofcom report reveals alarming uptick in smishing attacks
scams

Ofcom report reveals alarming uptick in smishing attacks

22 Oct 2021
Graylog launches new cyber security solution to address legacy issues
cyber security

Graylog launches new cyber security solution to address legacy issues

21 Oct 2021
US to ban surveillance software exports to authoritarian governments
cyber security

US to ban surveillance software exports to authoritarian governments

21 Oct 2021

Most Popular

Alibaba unveils custom Arm-based server chip
components

Alibaba unveils custom Arm-based server chip

19 Oct 2021
Windows 11 has problems with Oracle VirtualBox
Microsoft Windows

Windows 11 has problems with Oracle VirtualBox

5 Oct 2021
What is cyber warfare?
Security

What is cyber warfare?

15 Oct 2021