Misconfigured and badly secured Apache Tomcat servers are currently being specific as aspect of a new marketing campaign developed to deliver the Mirai botnet malware and cryptocurrency miners.
The conclusions appear courtesy of Aqua, which detected additional than 800 attacks towards its Tomcat server honeypots above a two-12 months time time period, with 96% of the attacks linked to the Mirai botnet.
Of these attack tries, 20% (or 152) entailed the use of a web shell script dubbed “neww” that originated from 24 distinctive IP addresses, with 68% of them originating from a solitary IP tackle (104.248.157[.]218).
“The danger actor scanned for Tomcat servers and released a brute power attack against it, trying to get access to the Tomcat web application supervisor by attempting different combinations of qualifications affiliated with it,” Aqua security researcher Nitzan Yaakov stated.
Upon attaining a prosperous foothold, the menace actors have been noticed deploying a WAR file that consists of a destructive web shell course named ‘cmd.jsp’ that, in change, is intended to listen to remote requests and execute arbitrary instructions on the Tomcat server.
This includes downloading and running a shell script named “neww” right after which the file is deleted employing the “rm -rf” Linux command.
“The script is made up of links to obtain 12 binary information, and just about every file is suitable for a unique architecture in accordance to the system that has been attacked by the risk actor,” Yaakov pointed out.
The remaining stage malware is a variant of the infamous Mirai botnet that can make use of the contaminated hosts to orchestrate distributed denial-of-company (DDoS) attacks.
“Once the menace actor acquired access to the web application supervisor working with legitimate qualifications, they leveraged the platform to add a web shell disguised in a WAR file,” Yaakov stated. “Upcoming, the danger actor executed commands remotely and launched the attack.”
Approaching WEBINARShield Versus Insider Threats: Grasp SaaS Security Posture Administration
Nervous about insider threats? We’ve bought you lined! Join this webinar to explore sensible techniques and the insider secrets of proactive security with SaaS Security Posture Management.
Sign up for Today
To mitigate towards the ongoing campaign, it’s advisable that organizations secure their environments and comply with credential cleanliness to prevent brute-drive attacks.
The advancement arrives as the AhnLab Security Emergency Response Middle (ASEC) reported that improperly managed MS-SQL servers are getting breached to deploy a rootkit malware referred to as Purple Fox, which acts as a loader to fetch further malware these kinds of as coin miners.
These conclusions also show the rewarding mother nature of cryptocurrency mining, which has witnessed a 399% increase more than previous year, with 332 million cryptojacking attacks recorded in the to start with 50 % of 2023 globally, according to SonicWall.
Uncovered this article exciting? Comply with us on Twitter and LinkedIn to read more unique written content we put up.
Some components of this write-up are sourced from: