A recent cyber threat has emerged involving attackers hijacking web servers to deploy malware known as z0Miner. This malware, primarily aimed at cryptocurrency mining, utilises the compromised server’s resources to generate cryptocurrency for the attackers, potentially impacting website performance and incurring unexpected costs.
Understanding z0Miner and the Attack Method:
z0Miner is a cryptojacking malware that discreetly utilises a server’s processing power to mine cryptocurrency, typically Monero. This process can significantly slow down website performance, negatively impacting user experience and potentially leading to revenue loss.
The attackers behind this campaign target vulnerable web servers, particularly those running WebLogic servers by Oracle. They exploit known vulnerabilities (CVE-2020-14882 and CVE-2020-14883) to gain unauthorised access and deploy the z0Miner malware. Once compromised, the attackers can also deploy tools like web shells and network traffic redirection tools to maintain persistence and further exploit the server.
Signs of a Compromised Server:
Several signs can indicate that your web server might be infected with z0Miner:
- Slow website loading times: A noticeable decrease in website performance and loading speed can indicate cryptojacking activity.
- Increased CPU usage: Unusually high CPU utilisation, even during low traffic periods, could indicate that your server’s resources are being used for unauthorised mining.
- Unknown processes: Identifying unfamiliar processes on your server unrelated to your website’s functionality can be a red flag.
Protecting Your Website from z0Miner and Similar Threats:
Here are some crucial steps you can take to protect your website from z0Miner and similar threats:
- Patch your web server software regularly: Keeping your web server software, including any plugins or extensions, updated with the latest security patches is essential to address known vulnerabilities and minimise the attack surface.
- Enforce strong passwords: Implement solid and unique passwords for all server accounts and administrative access points. Avoid using easily guessable passwords or dictionary words.
- Enable two-factor authentication (2FA): Whenever possible, activate 2FA for all server access points to add an extra layer of security beyond passwords.
- Monitor your server activity: Regularly monitor your server’s resource usage, including CPU, memory, and network activity, to identify any unusual spikes that could indicate suspicious activity.
- Implement a web application firewall (WAF): Consider implementing a WAF to filter incoming traffic and block malicious requests that might attempt to exploit vulnerabilities.
- Choose a reliable web hosting provider: Opting for a reputable web hosting provider that prioritises security can provide additional layers of protection and expertise in mitigating such threats.
Staying Vigilant in the Evolving Threat Landscape:
The z0Miner campaign highlights the ever-evolving landscape of cyber threats. By understanding the risks, prioritising website security, and implementing robust security measures, website owners can significantly reduce the risk of falling victim to crypto-jacking and other malicious activities. Remember, vigilance and proactive security practices are crucial for safeguarding your online presence in today’s digital world.