Exposed JDWP Interfaces Lead to Crypto Mining, Hpingbot Targets SSH for DDoS

Threat actors have been exploiting exposed Java Debug Wire Protocol (JDWP) interfaces to gain code execution capabilities and deploy cryptocurrency miners on compromised hosts. The attackers utilized a modified version of XMRig with a hardcoded configuration to avoid detection. Cloud security firm Wiz observed this activity against its honeypot servers running TeamCity, a popular CI/CD tool.

JDWP is a communication protocol used in Java for debugging purposes. However, due to the lack of authentication or access control mechanisms, exposing JDWP to the internet can create a new attack vector for threat actors to exploit, resulting in full control over the running Java process.

Wiz highlighted that many popular applications automatically start a JDWP server when in debug mode, making it vulnerable if not properly secured. Data from GreyNoise showed over 2,600 IP addresses scanning for JDWP endpoints, with a significant number being classified as malicious or suspicious.

In observed attacks, threat actors scanned for JDWP listeners on port 5005, the default debug port of the Java Virtual Machine (JVM), and established a JDWP session with any that answered. Once a session was confirmed, the attackers executed a series of commands to deploy a modified XMRig miner, establish persistence, and delete traces of the attack.
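The exposure described above comes down to how the JVM's debug agent is configured: `server=y` with `transport=dt_socket` opens a TCP listener, and the `address` option decides whether that listener is bound to loopback or to every interface. The following audit script is an added example for this article (not code from Wiz, GreyNoise or the TeamCity project); it parses JVM command lines as a defender would collect them from `ps -eo pid,args`, flags debug listeners reachable from other hosts, and shows the corrected loopback-only setting beside the weak one. The process list it runs on is constructed, and the `classify`, `harden` and `audit` names are this example's own.

```python
"""Audit running JVM command lines for JDWP debug listeners exposed beyond localhost.

Constructed example for this article, not vendor code. Assumes process command
lines are collected with `ps -eo pid,args`; SAMPLE_PROCESSES below are made up.
"""
import re
from dataclasses import dataclass

# Matches both the modern -agentlib:jdwp=... form and the legacy -Xrunjdwp:... form.
JDWP_AGENT_RE = re.compile(r"-(?:agentlib:jdwp=|Xrunjdwp:)(\S+)")

LOOPBACK_HOSTS = {"127.0.0.1", "localhost", "::1", "[::1]"}

# Constructed sample process list (pid, command line); not captured from a real host.
SAMPLE_PROCESSES = [
    (1201, "java -agentlib:jdwp=transport=dt_socket,server=y,suspend=n,address=*:5005 -jar teamcity-server.jar"),
    (1202, "java -agentlib:jdwp=transport=dt_socket,server=y,suspend=n,address=127.0.0.1:5005 -jar app.jar"),
    (1203, "java -Xrunjdwp:transport=dt_socket,server=y,suspend=n,address=5005 -jar legacy.jar"),
    (1204, "java -agentlib:jdwp=transport=dt_socket,server=n,address=devbox:5005 -jar app.jar"),
    (1205, "java -jar prod.jar"),
]


@dataclass
class JdwpFinding:
    pid: int
    address: str
    risk: str    # "high": reachable from other hosts; "low": loopback or client mode; "review": JDK-version dependent
    reason: str


def parse_jdwp_options(cmdline: str):
    """Return the JDWP agent options as a dict, or None if the JVM is not debug-enabled."""
    m = JDWP_AGENT_RE.search(cmdline)
    if not m:
        return None
    opts = {}
    for item in m.group(1).split(","):
        key, sep, value = item.partition("=")
        if sep:
            opts[key] = value
    return opts


def classify(pid: int, cmdline: str):
    """Decide whether a debug-enabled JVM has a JDWP listener reachable beyond localhost."""
    opts = parse_jdwp_options(cmdline)
    if opts is None:
        return None
    address = opts.get("address", "")
    # server=n (the agent's default) means the JVM connects out to a debugger and opens no listener.
    if opts.get("server", "n") != "y":
        return JdwpFinding(pid, address, "low", "server=n: JVM attaches to a debugger, no listening socket")
    if opts.get("transport") != "dt_socket":
        return JdwpFinding(pid, address, "low", f"transport={opts.get('transport')} is not a TCP socket")
    host, sep, port = address.rpartition(":")
    if not sep:
        # A bare port binds loopback only on JDK 9+, but all interfaces on older JDKs.
        return JdwpFinding(pid, address, "review", "bare port: loopback on JDK 9+, all interfaces on older JDKs")
    if host in LOOPBACK_HOSTS:
        return JdwpFinding(pid, address, "low", "listener bound to loopback only")
    return JdwpFinding(pid, address, "high", f"listener bound to {host or '*'}:{port}, reachable from other hosts")


def harden(cmdline: str) -> str:
    """Rewrite the address option so the debug listener binds to loopback only (the corrected setting)."""
    def fix(m):
        items = []
        for item in m.group(1).split(","):
            key, sep, value = item.partition("=")
            if key == "address" and sep:
                port = value.rpartition(":")[2]
                item = f"address=127.0.0.1:{port}"
            items.append(item)
        prefix = m.group(0)[: m.start(1) - m.start(0)]  # "-agentlib:jdwp=" or "-Xrunjdwp:"
        return prefix + ",".join(items)
    return JDWP_AGENT_RE.sub(fix, cmdline)


def audit(processes):
    """Run classify() over (pid, cmdline) pairs and return findings for debug-enabled JVMs only."""
    return [f for f in (classify(pid, cmd) for pid, cmd in processes) if f is not None]


if __name__ == "__main__":
    for f in audit(SAMPLE_PROCESSES):
        print(f"pid {f.pid}: risk={f.risk} address={f.address or '(none)'}  {f.reason}")
        if f.risk == "high":
            print("   suggested command line:", harden(dict(SAMPLE_PROCESSES)[f.pid]))
```

Binding the listener to loopback is a mitigation for the case where debugging must stay on; the cleaner fix for production services is to remove the agent option entirely, which `classify` reports as no finding at all.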

New Hpingbot Botnet Emerges

NSFOCUS recently detailed a new Go-based malware named Hpingbot that targets Windows and Linux systems and launches DDoS attacks using hping3. Unlike other trojans derived from known botnet families, Hpingbot is a new strain, notable for utilizing resources like Pastebin and hping3 to carry out its DDoS attacks.

Hpingbot leverages weak SSH configurations to gain initial access to systems and uses Pastebin as a dead drop resolver for downloading malicious scripts. The malware initiates DDoS flood attacks, establishes persistence, and conceals traces of infection.

Attackers have been observed using nodes controlled by Hpingbot to distribute additional payloads, indicating a shift towards a payload distribution network. While the Windows version cannot directly launch DDoS attacks using hping3, it remains active in downloading and executing arbitrary payloads.
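Because the article names weak SSH configurations as Hpingbot's initial-access path without saying which settings are involved, the checks in this added example are this example's own assumptions about the settings that most commonly let credential-based access succeed (password logins, root login, empty passwords, generous retry limits); it is not NSFOCUS code. It parses an `sshd_config` the way a defender would when auditing a fleet, applies OpenSSH's server-side defaults for absent directives, and lists the weak configuration beside a hardened one. Both configuration texts are constructed.

```python
"""Audit an sshd_config for settings that make credential-based SSH access easy.

Constructed example for this article, not NSFOCUS code. The directives checked
are this example's assumptions about what "weak SSH configuration" means.
"""
import re

# OpenSSH server-side defaults assumed when a directive is absent from the file.
DEFAULTS = {
    "passwordauthentication": "yes",
    "permitrootlogin": "prohibit-password",
    "permitemptypasswords": "no",
    "maxauthtries": "6",
    "pubkeyauthentication": "yes",
}

# Constructed weak configuration (the kind of host a credential-based bot can take).
WEAK_CONFIG = """\
# constructed example sshd_config
Port 22
PermitRootLogin yes
PasswordAuthentication yes
PermitEmptyPasswords yes
MaxAuthTries 20
"""

# Constructed hardened configuration: key-only logins, no root, tight retry limit.
HARDENED_CONFIG = """\
Port 22
PermitRootLogin no
PasswordAuthentication no
PubkeyAuthentication yes
PermitEmptyPasswords no
MaxAuthTries 3
"""


def parse_sshd_config(text: str) -> dict:
    """Parse global sshd directives (case-insensitive keys; first occurrence wins, as sshd does)."""
    settings = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()       # drop comments and blank lines
        if not line:
            continue
        if line.lower().startswith("match "):
            break  # directives after Match apply conditionally; out of scope for a global check
        parts = re.split(r"[\s=]+", line, maxsplit=1)  # accept "Key value" and "Key=value"
        key = parts[0].lower()
        value = parts[1].strip() if len(parts) > 1 else ""
        settings.setdefault(key, value)
    return settings


def audit_sshd(text: str):
    """Return (directive, effective value, recommendation) for each weak setting found."""
    cfg = {**DEFAULTS, **parse_sshd_config(text)}
    findings = []
    if cfg["passwordauthentication"].lower() == "yes":
        findings.append(("PasswordAuthentication", cfg["passwordauthentication"],
                         "set to no and rely on PubkeyAuthentication"))
    if cfg["permitrootlogin"].lower() == "yes":
        findings.append(("PermitRootLogin", cfg["permitrootlogin"],
                         "set to no (or prohibit-password if root keys are required)"))
    if cfg["permitemptypasswords"].lower() == "yes":
        findings.append(("PermitEmptyPasswords", cfg["permitemptypasswords"], "set to no"))
    try:
        max_tries = int(cfg["maxauthtries"])
    except ValueError:
        max_tries = None
    if max_tries is not None and max_tries > 6:
        findings.append(("MaxAuthTries", cfg["maxauthtries"], "lower to 6 or fewer"))
    return findings


if __name__ == "__main__":
    for label, text in (("weak", WEAK_CONFIG), ("hardened", HARDENED_CONFIG)):
        result = audit_sshd(text)
        print(f"{label}: {len(result)} finding(s)")
        for directive, value, advice in result:
            print(f"  {directive} = {value}: {advice}")
```

Note that an empty file is not a clean result: with OpenSSH's defaults applied, `PasswordAuthentication` is still effectively `yes`, so the audit reports it, which is the point of merging the defaults before checking.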
