According to a report from researchers at cloud security firm Wiz, hackers are actively exploiting exposed Java Debug Wire Protocol (JDWP) interfaces to carry out cryptomining. The researchers said the attackers weaponize these exposed interfaces to gain code execution on the compromised systems.
According to the report, after gaining code execution, the hackers deployed cryptominers on the compromised hosts. “Attackers can use a modified version of XMRIG with hard-coded configurations and avoid suspicious command-line arguments that are often flagged by defenders,” the researchers said. They added that the payload uses a mining pool proxy to hide the attacker’s crypto wallet, preventing investigators from tracking it further.
Hackers weaponize exposed JDWP interfaces to carry out mining activities
Researchers observed the activity against honeypot servers running TeamCity, a popular continuous integration and continuous delivery (CI/CD) tool. JDWP is the communications protocol used for debugging in Java. It allows a debugger to attach to Java processes and applications, either on the same machine or on a remote one.
However, because JDWP has no access control mechanism, exposing it to the Internet opens a new attack vector that can serve as an entry point giving hackers complete control over the running Java process. In short, the misconfiguration can be used to inject and run arbitrary commands, establish persistence and ultimately execute a malicious payload.
“In most Java applications, JDWP is not enabled by default, but it is commonly used in development and debugging environments,” the researchers said. “Many popular applications automatically start a JDWP server when run in debug mode, without revealing the risk to developers. If it is inappropriately exposed, this can open the door to a remote code execution (RCE) vulnerability.”
Some of the applications that may start a JDWP server in debug mode include TeamCity, Apache Tomcat, Spring Boot, Elasticsearch, Jenkins, and more. GreyNoise’s data showed that over 2,600 IP addresses have scanned for JDWP endpoints in the last 24 hours, of which 1,500 are classified as malicious and 1,100 as suspicious. The report said that most of these IP addresses come from Hong Kong, Germany, the US, Singapore and China.
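A quick way for a defender to find which JVMs on a host are actually listening for debugger connections is to inspect their command lines for the JDWP agent options. The following is an added audit helper, not code from the Wiz report or this article; it runs over constructed sample command lines, and its rule that a port with no host binds all interfaces before JDK 9 but only loopback from JDK 9 onward comes from the JDK release notes, not from the page.

```python
import re
import shlex

# Constructed sample JVM command lines (not taken from the report).
SAMPLE_CMDLINES = [
    "java -agentlib:jdwp=transport=dt_socket,server=y,suspend=n,address=*:5005 -jar teamcity.jar",
    "java -Xrunjdwp:transport=dt_socket,server=y,address=0.0.0.0:5005 -jar app.jar",
    "java -agentlib:jdwp=transport=dt_socket,server=y,suspend=n,address=127.0.0.1:5005 -jar app.jar",
    "java -agentlib:jdwp=transport=dt_socket,server=y,address=5005 -jar app.jar",
    "java -agentlib:jdwp=transport=dt_socket,server=n,address=devbox:5005 -jar app.jar",
    "java -jar app.jar",
]

LOOPBACK = {"localhost", "127.0.0.1", "::1", "[::1]"}
WILDCARD = {"*", "0.0.0.0", "::", "[::]"}


def parse_jdwp_options(cmdline):
    """Return the key=value options of the JDWP agent argument, or None if absent."""
    for tok in shlex.split(cmdline):
        m = re.match(r"-(?:agentlib:jdwp=|Xrunjdwp:)(.*)", tok)
        if m:
            opts = {}
            for kv in m.group(1).split(","):
                key, _, val = kv.partition("=")
                opts[key] = val
            return opts
    return None


def classify_jdwp(cmdline):
    """Classify how a JVM's debug agent is reachable: none, client, local, exposed..."""
    opts = parse_jdwp_options(cmdline)
    if opts is None:
        return "none"
    if opts.get("transport", "dt_socket") != "dt_socket":
        return "not-network"          # dt_shmem is local shared memory, not a socket
    if opts.get("server", "n") != "y":
        return "client"               # JVM dials out to a debugger; nothing listens
    host, _, _port = opts.get("address", "").rpartition(":")
    if host in WILDCARD:
        return "exposed"              # listens on every interface
    if host in LOOPBACK:
        return "local"
    if host == "":
        return "version-dependent"    # all interfaces before JDK 9, loopback since
    return "bound-to-" + host         # explicit non-loopback address: review it


def audit(cmdlines):
    """Return the command lines whose debug port may be reachable from the network."""
    return [c for c in cmdlines if classify_jdwp(c) in ("exposed", "version-dependent")]
```

On a live Linux host the same functions can be fed the contents of /proc/<pid>/cmdline (NUL bytes replaced by spaces) for each java process.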
Researchers detail how the attack is carried out
In the attacks the researchers observed, hackers take advantage of the fact that the Java Virtual Machine (JVM) listens for debugger connections on port 5005, and begin by scanning the Internet for open JDWP ports. A JDWP handshake request is then sent to check whether the interface is active. Once the service is confirmed to be exposed and interactive, the attacker moves to command execution and runs a dropper shell script that performs a series of actions.
This sequence of actions includes killing all competing miners or high-CPU processes on the system, dropping a modified version of the xmrig miner for the appropriate system architecture from an external server (“awarmcorner(.) world”) to “~/.config/logrotate”, establishing persistence through cron jobs that re-run the payload at intervals, and removing itself on exit.
“Open source Xmrig offers the convenience of simple customization for attackers; in this case they removed all command-line parsing logic and used hardcoded configurations,” the researchers said. “This adjustment not only simplifies deployment, but also allows the payload to mimic the original logrotate process more persuasively.”
This disclosure came as NSFOCUS noted that a new, evolving Go-based malware named Hpingbot, which targets both Windows and Linux systems, could use hping3 to launch distributed denial-of-service (DDoS) attacks.