Z0Miner malware spreading through unpatched Elasticsearch and Jenkins servers

Botnet moves on from exploiting WebLogic servers

Monero cryptocurrency

A malicious mining botnet discovered last year has moved on to target unpatched Jenkins and Elasticsearch servers to mine for Monero (XMR) cryptocurrency.

According to security researchers at Qihoo 360's Network Security Research Lab (360 Netlab), the Tencent Security Team discovered z0Miner last year exploiting the WebLogic unauthorized remote command execution vulnerability for propagation. Researchers said various mining malware families have become more active amid the surge in cryptocurrency values.

Z0Miner struck last year when Tencent Security tracked the malware exploiting two WebLogic pre-auth RCE bugs tracked as CVE-2020-14882 and CVE-2020-14883. At the time, the team of security analysts estimated the miner compromised around 5,000 servers by sending "carefully constructed data packets" to the vulnerable systems. The malware also moved laterally via SSH. 

Before that, Oracle had already issued a security bulletin warning of vulnerabilities in WebLogic components. At the time, research from cyber security company Rapid7 said the flaw was “trivial to exploit.”

Researchers said the malware has since changed to look for and infect systems by exploiting remote command execution vulnerabilities in Elasticsearch and Jenkins.

The malware uses exploits targeting an Elasticsearch RCE vulnerability — tracked as CVE-2015-1427 — and an older RCE impacting Jenkins server to compromise a server. It then downloads a malicious shell script to stop any competitive miners. Next, it sets up a cron job to periodically download and execute malicious scripts on Pastebin. Researchers said these scripts currently only have one exit command but couldn’t rule out the possibility that more malicious commands could be added in the future.

It then downloads and executes its mining software from three URLs containing a mining config file, an XMRig miner, and a miner starter shell script. According to researchers, it’s mined over 22 XMRs valued at $4,600 so far, but cyber criminals often use many wallets, so the overall figure could be much higher.

Researchers recommended Elasticsearch and Jenkins users check their installations and update them to patch these exploits as soon as possible. They also recommended that organizations check Elasticsearch and Jenkins for abnormal processes and network connections and monitor and block relevant IP and URLs.

Featured Resources

Unlocking collaboration: Making software work better together

How to improve collaboration and agility with the right tech

Download now

Four steps to field service excellence

How to thrive in the experience economy

Download now

Six things a developer should know about Postgres

Why enterprises are choosing PostgreSQL

Download now

The path to CX excellence for B2B services

The four stages to thrive in the experience economy

Download now

Recommended

Russia launched over a million cyber attacks in three months
hacking

Russia launched over a million cyber attacks in three months

13 Apr 2021
New DNS vulnerabilities put millions of IoT devices at risk of hacking
Internet of Things (IoT)

New DNS vulnerabilities put millions of IoT devices at risk of hacking

13 Apr 2021
Cloud storage: How secure are Dropbox, OneDrive, Google Drive, and iCloud?
cloud security

Cloud storage: How secure are Dropbox, OneDrive, Google Drive, and iCloud?

13 Apr 2021
5G will accelerate cyber crime, predicts former White House CIO
5G

5G will accelerate cyber crime, predicts former White House CIO

13 Apr 2021

Most Popular

Microsoft is submerging servers in boiling liquid to prevent Teams outages
data centres

Microsoft is submerging servers in boiling liquid to prevent Teams outages

7 Apr 2021
Hackers are using fake messages to break into WhatsApp accounts
instant messaging (IM)

Hackers are using fake messages to break into WhatsApp accounts

8 Apr 2021
How to find RAM speed, size and type
Laptops

How to find RAM speed, size and type

8 Apr 2021