Hackers attack servers to mine cryptocurrencies

Hackers are now attacking systems to carry out crypto mining activities, according to a report from researchers from cloud security firm Wiz. The researchers stated that the hackers are weaponizing exposed Java Debug Wire Protocol (JDWP) interfaces to obtain code execution capabilities on compromised systems.

According to the report, after gaining code execution capabilities, the hackers deployed crypto miners on the systems of their compromised hosts. “The attacker used a modified version of XMRig with a hard-coded configuration, allowing them to avoid suspicious command-line arguments that are often flagged by defenders,” the researchers said. They added that the payload used mining pool proxies to conceal the attacker’s crypto wallet, preventing investigators from tracing it further.

Hackers weaponize exposed JDWP to carry out mining activities

The researchers observed the activity against their honeypot servers running TeamCity, a popular continuous integration and continuous delivery (CI/CD) tool. JDWP is a communication protocol used in Java for debugging. With the protocol, the debugger can be used to work on different processes, a Java application on the same computer, or a remote computer.

However, due to the fact that JDWP lacks an access control mechanism, exposing it to the internet can open up new attack vectors that hackers can abuse as an entry point to enable full control over the running Java process. To simplify it, the misconfiguration can be used to inject and execute arbitrary commands in order to set up persistence on and ultimately run malicious payloads.

“While JDWP is not enabled by default in most Java applications, it is commonly used in development and debugging environments,” the researchers said. “Many popular applications automatically start a JDWP server when run in debug mode, often without making the risks obvious to the developer. If improperly secured or left exposed, this can open the door to remote code execution (RCE) vulnerabilities.”

Some of the applications that may launch a JDWP server when in debug mode include TeamCity, Apache Tomcat, Spring Boot, Elasticsearch, Jenkins, and others. Data from GreyNoise showed that over 2,600 IP addresses have been scanned for JDWP endpoints in the last 24 hours, out of which 1,500 IP addresses are malicious and 1,100 are classified as suspicious. The report mentioned that most of these IP addresses originated from Hong Kong, Germany, the United States, Singapore, and China.

The researchers detail how the attacks are being carried out

In the attacks observed by the researchers, the hackers take advantage of the fact that the Java Virtual Machine (JVM) listens for debugger connections on port 5005 to initiate scanning for open JDWP ports across the internet. After that, a JDWP-Handshake request is sent to confirm if the interface is active. Once it confirms that the service is exposed and interactive, the hackers move to execute a command to fetch, carrying out a dropper shell script that is expected to carry out a series of actions.

These series of actions include killing all competing miners or any high-CPU processes on the system, dropping a modified version of XMRig miner for the appropriate system architecture from an external server (“awarmcorner[.]world”) into “~/.config/logrotate”), establishing persistence by setting cron jobs to ensure that payload is re-fetched and re-executed after every shell login, reboot, or scheduled time interval, and delete itself on exit.

“Being open-source, XMRig offers attackers the convenience of easy customization, which in this case involved stripping out all command-line parsing logic and hardcoding the configuration,” the researchers said. “This tweak not only simplifies deployment but also allows the payload to mimic the original logrotate process more convincingly.”

This disclosure comes as NSFOCUS noted that a new and evolving Go-based malware named Hpingbot that has been targeting both Windows and Linux systems can launch a distributed denial-of-service (DDoS) attack using hping3.

Your crypto news deserves attention - KEY Difference Wire puts you on 250+ top sites