A malicious mining botnet discovered last year has moved on to target unpatched Jenkins and Elasticsearch servers to mine for Monero (XMR) cryptocurrency.
According to security researchers at Qihoo 360's Network Security Research Lab (360 Netlab), the Tencent Security Team discovered z0Miner last year exploiting the WebLogic unauthorized remote command execution vulnerability for propagation. Researchers said various mining malware families have become more active amid the surge in cryptocurrency values.
Z0Miner struck last year when Tencent Security tracked the malware exploiting two WebLogic pre-auth RCE bugs tracked as CVE-2020-14882 and CVE-2020-14883. At the time, the team of security analysts estimated the miner compromised around 5,000 servers by sending "carefully constructed data packets" to the vulnerable systems. The malware also moved laterally via SSH.
Before that, Oracle had already issued a security bulletin warning of vulnerabilities in WebLogic components. At the time, research from cyber security company Rapid7 said the flaw was “trivial to exploit.”
Researchers said the malware has since changed to look for and infect systems by exploiting remote command execution vulnerabilities in Elasticsearch and Jenkins.
The malware uses exploits targeting an Elasticsearch RCE vulnerability — tracked as CVE-2015-1427 — and an older RCE impacting Jenkins server to compromise a server. It then downloads a malicious shell script to stop any competitive miners. Next, it sets up a cron job to periodically download and execute malicious scripts on Pastebin. Researchers said these scripts currently only have one exit command but couldn’t rule out the possibility that more malicious commands could be added in the future.
It then downloads and executes its mining software from three URLs containing a mining config file, an XMRig miner, and a miner starter shell script. According to researchers, it’s mined over 22 XMRs valued at $4,600 so far, but cyber criminals often use many wallets, so the overall figure could be much higher.
Researchers recommended Elasticsearch and Jenkins users check their installations and update them to patch these exploits as soon as possible. They also recommended that organizations check Elasticsearch and Jenkins for abnormal processes and network connections and monitor and block relevant IP and URLs.
