Z0Miner malware spreading through unpatched Elasticsearch and Jenkins servers
Botnet moves on from exploiting WebLogic servers
A malicious mining botnet discovered last year has moved on to target unpatched Jenkins and Elasticsearch servers to mine for Monero (XMR) cryptocurrency.
According to security researchers at Qihoo 360's Network Security Research Lab (360 Netlab), the Tencent Security Team discovered z0Miner last year exploiting the WebLogic unauthorized remote command execution vulnerability for propagation. Researchers said various mining malware families have become more active amid the surge in cryptocurrency values.
Z0Miner struck last year when Tencent Security tracked the malware exploiting two WebLogic pre-auth RCE bugs tracked as CVE-2020-14882 and CVE-2020-14883. At the time, the team of security analysts estimated the miner compromised around 5,000 servers by sending "carefully constructed data packets" to the vulnerable systems. The malware also moved laterally via SSH.
Before that, Oracle had already issued a security bulletin warning of vulnerabilities in WebLogic components. At the time, research from cyber security company Rapid7 said the flaw was “trivial to exploit.”
Researchers said the malware has since changed to look for and infect systems by exploiting remote command execution vulnerabilities in Elasticsearch and Jenkins.
The malware uses exploits targeting an Elasticsearch RCE vulnerability — tracked as CVE-2015-1427 — and an older RCE impacting Jenkins server to compromise a server. It then downloads a malicious shell script to stop any competitive miners. Next, it sets up a cron job to periodically download and execute malicious scripts on Pastebin. Researchers said these scripts currently only have one exit command but couldn’t rule out the possibility that more malicious commands could be added in the future.
It then downloads and executes its mining software from three URLs containing a mining config file, an XMRig miner, and a miner starter shell script. According to researchers, it’s mined over 22 XMRs valued at $4,600 so far, but cyber criminals often use many wallets, so the overall figure could be much higher.
Sign up today and you will receive a free copy of our Future Focus 2026 report - the leading resource for IT decision-maker insight on priorities and investment areas in AI, security and more.
Researchers recommended Elasticsearch and Jenkins users check their installations and update them to patch these exploits as soon as possible. They also recommended that organizations check Elasticsearch and Jenkins for abnormal processes and network connections and monitor and block relevant IP and URLs.
Rene Millman is a freelance writer and broadcaster who covers cybersecurity, AI, IoT, and the cloud. He also works as a contributing analyst at GigaOm and has previously worked as an analyst for Gartner covering the infrastructure market. He has made numerous television appearances to give his views and expertise on technology trends and companies that affect and shape our lives. You can follow Rene Millman on Twitter.
-
ITPro is 20!We take a look back on the past two decades since ITPro launched...
-
Cyber experts issue alert after two ransomware groups team up on ‘unprecedented’ threat campaignNews The tie-up includes a new model of industrialized ransomware deployment that significantly lowers the barrier to entry for cyber crime