
z0Miner botnet hunts for unpatched ElasticSearch, Jenkins servers
2021-03-09 15:37

A cryptomining botnet spotted last year is now targeting and attempting to take control of Jenkins and ElasticSearch servers to mine for Monero cryptocurrency.

z0Miner is a cryptomining malware strain first spotted in November 2020 by the Tencent Security Team, which saw it infect thousands of servers by exploiting an Oracle WebLogic vulnerability.

The attackers have since upgraded the malware to scan for, and attempt to infect, new hosts by exploiting remote code execution vulnerabilities in Elasticsearch and Jenkins servers.

According to a report published by researchers at Qihoo 360's Network Security Research Lab (360 Netlab), z0Miner now probes for servers that are still unpatched against vulnerabilities fixed in 2015 or earlier.

The botnet uses exploits for CVE-2015-1427, a remote code execution (RCE) flaw in Elasticsearch's Groovy scripting engine, and for an older RCE vulnerability in Jenkins.
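As an added illustration (not code from the article or from 360 Netlab's report), the Python below does two things a defender would want after reading the above: it classifies an Elasticsearch version against the affected ranges quoted in the CVE-2015-1427 entry further down this page, and it inspects `_search` request bodies for inline Groovy scripts that reach for `java.lang.Runtime` or `Class.forName`, which is what a sandbox-escape script has to do to run a shell command. The suspicious-token list and the sample request bodies are the editor's own constructions, not signatures or captured traffic from the report.

```python
import json
import re
from typing import Iterator, List, Optional, Tuple

# Affected ranges taken from the CVE-2015-1427 description on this page:
# Elasticsearch before 1.3.8, and 1.4.x before 1.4.3, ship the bypassable Groovy sandbox.


def parse_version(version: str) -> Tuple[int, int, int]:
    """Parse 'MAJOR.MINOR.PATCH'; trailing qualifiers such as '-SNAPSHOT' are ignored."""
    m = re.match(r"^(\d+)\.(\d+)\.(\d+)", version.strip())
    if not m:
        raise ValueError(f"unrecognised Elasticsearch version string: {version!r}")
    major, minor, patch = (int(x) for x in m.groups())
    return major, minor, patch


def is_vulnerable_cve_2015_1427(version: str) -> bool:
    """True if this Elasticsearch version falls inside the affected ranges (as written in the CVE text)."""
    major, minor, patch = parse_version(version)
    if (major, minor) == (1, 4):
        return patch < 3
    return (major, minor, patch) < (1, 3, 8)


# Tokens that have no place in a scoring or scripted-field expression but appear when a
# Groovy script breaks out of the sandbox to spawn a process. This list is an editor's
# assumption about payload shape, not a signature published with the report.
SUSPICIOUS_GROOVY = re.compile(
    r"java\.lang\.Runtime|getRuntime\s*\(|ProcessBuilder|Class\.forName|\.exec\s*\("
)


def iter_scripts(node) -> Iterator[Tuple[Optional[str], str]]:
    """Walk a decoded JSON request body and yield (lang, script) for every inline script."""
    if isinstance(node, dict):
        script = node.get("script")
        if isinstance(script, str):
            yield node.get("lang"), script
        for value in node.values():
            yield from iter_scripts(value)
    elif isinstance(node, list):
        for item in node:
            yield from iter_scripts(item)


def flag_groovy_rce(body: str) -> List[str]:
    """Return the inline Groovy scripts in a _search body that look like sandbox-escape payloads.

    In Elasticsearch 1.3/1.4 the default script language is Groovy, so a script with no
    explicit "lang" is treated as Groovy as well.
    """
    try:
        doc = json.loads(body)
    except json.JSONDecodeError:
        return []  # not JSON; nothing for this check to inspect
    return [
        script
        for lang, script in iter_scripts(doc)
        if lang in (None, "groovy") and SUSPICIOUS_GROOVY.search(script)
    ]


# Constructed sample request bodies (not captured traffic).
BENIGN_SEARCH = '{"query": {"match_all": {}}}'
BENIGN_SCRIPT_FIELD = (
    '{"query": {"match_all": {}}, '
    '"script_fields": {"doubled": {"script": "doc[\'price\'].value * 2", "lang": "groovy"}}}'
)
ESCAPE_ATTEMPT = (
    '{"size": 1, "script_fields": {"out": {"lang": "groovy", '
    '"script": "java.lang.Math.class.forName(\\"java.lang.Runtime\\").getRuntime().exec(\\"id\\").text"}}}'
)

if __name__ == "__main__":
    for v in ("1.3.7", "1.3.8", "1.4.2", "1.4.3", "1.5.2"):
        state = "VULNERABLE" if is_vulnerable_cve_2015_1427(v) else "patched"
        print(f"Elasticsearch {v}: {state}")
    for name, body in (("benign search", BENIGN_SEARCH),
                       ("benign script field", BENIGN_SCRIPT_FIELD),
                       ("escape attempt", ESCAPE_ATTEMPT)):
        print(f"{name}: {flag_groovy_rce(body)}")
```

Feed `is_vulnerable_cve_2015_1427` the `version.number` value a node returns from `GET /`, and run `flag_groovy_rce` over request bodies from a reverse proxy or packet capture in front of port 9200. A node that cannot be upgraded to 1.3.8 or 1.4.3 can have dynamic Groovy scripting turned off with `script.groovy.sandbox.enabled: false` in elasticsearch.yml, which was Elastic's published mitigation for this CVE.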

In the earlier WebLogic campaign, the attackers scanned cloud servers in batches to find unpatched WebLogic instances and compromised them by sending "carefully constructed data packets" to exploit the vulnerable hosts.


News URL

https://www.bleepingcomputer.com/news/security/z0miner-botnet-hunts-for-unpatched-elasticsearch-jenkins-servers/

Related Vulnerability

DATE         CVE            VULNERABILITY TITLE                                      RISK
2015-02-17   CVE-2015-1427  Improper Access Control vulnerability in Elasticsearch   7.5
             The Groovy scripting engine in Elasticsearch before 1.3.8 and 1.4.x before 1.4.3
             allows remote attackers to bypass the sandbox protection mechanism and execute
             arbitrary shell commands via a crafted script.
             Attack vector: network; attack complexity: low; product: elasticsearch; CWE-284

Related vendor

VENDOR          LAST 12M   #/PRODUCTS   LOW   MEDIUM   HIGH   CRITICAL   TOTAL VULNS
Jenkins         628                     54    1091     358    70         1573
Elasticsearch   8                       0     14       2      0          16