Internet-exposed Java Debug Wire Protocol (JDWP) interfaces have been exploited by malicious actors to facilitate arbitrary code execution and cryptocurrency mining malware deployment on targeted systems, The Hacker News reports.
After scanning for open JDWP ports, attackers deliver a JDWP-Handshake request to confirm interface activity and create a session before running a curl command that executes a dropper shell script, which not only deploys a custom XMRig backdoor and removes other miners and high-CPU processes but also establishes cron jobs for persistence prior to self-deletion, according to an analysis from Wiz researchers. China, the U.S., and Germany were found by GreyNoise to account for most of the suspicious IP addresses conducting JDWP scanning. Meanwhile, hundreds of distributed denial-of-service attack orders have been issued by the nascent Hpingbot botnet since June 17, most of which have been aimed at Germany, the U.S., and Turkey, a report from NSFOCUS showed. Insecure SSH configurations have been primarily targeted by Hpingbot, which is spread by a password spraying attack module and was found to contain nodes deploying another Go-based DDoS component.
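A defender-side check for the handshake step described above, added here as an example (it is not code from the article, Wiz or GreyNoise): it audits a host you operate for a listening JDWP port and flags completed handshakes in captured TCP payloads. The port default of 5005 and the sample capture are assumptions constructed for the example.

```python
import socket
from typing import Dict, Iterable, List, Tuple

# Exact 14-byte ASCII string both peers exchange to open a JDWP session.
HANDSHAKE = b"JDWP-Handshake"

def classify_reply(received: bytes) -> str:
    """Classify a listener's answer to the handshake: 'jdwp' if it echoed the
    bytes back (live, unauthenticated debug port), 'silent' if nothing came
    back, 'other-service' for any other banner (HTTP, SSH, ...)."""
    if not received:
        return "silent"
    return "jdwp" if received.startswith(HANDSHAKE) else "other-service"

def probe_jdwp(host: str, port: int = 5005, timeout: float = 3.0) -> str:
    """Audit one of your own hosts for an exposed JDWP listener. Port 5005 is
    an assumed default (common in -agentlib:jdwp examples), not a value from
    the article; pass the port your deployment actually uses."""
    try:
        with socket.create_connection((host, port), timeout=timeout) as sock:
            sock.sendall(HANDSHAKE)
            reply = sock.recv(len(HANDSHAKE))
    except OSError:  # refused, timed out, or unreachable
        return "unreachable"
    return classify_reply(reply)

def completed_handshakes(flows: Iterable[Tuple[str, str, bytes]]) -> List[str]:
    """Detection over captured TCP payloads given as (flow_id, direction, payload),
    direction being 'c2s' or 's2c'. A flow is flagged only when the client sent
    the handshake AND the server echoed it, i.e. a debug session really opened."""
    seen: Dict[str, Dict[str, bool]] = {}
    for flow_id, direction, payload in flows:
        state = seen.setdefault(flow_id, {"c2s": False, "s2c": False})
        if payload.startswith(HANDSHAKE):
            state[direction] = True
    return sorted(f for f, st in seen.items() if st["c2s"] and st["s2c"])

# Constructed sample capture (not real traffic): one opened JDWP session,
# one ordinary HTTP exchange, and one probe that hit an SSH service instead.
SAMPLE_FLOWS = [
    ("flow-1", "c2s", b"JDWP-Handshake"),
    ("flow-1", "s2c", b"JDWP-Handshake"),
    ("flow-2", "c2s", b"GET / HTTP/1.1\r\nHost: example.test\r\n\r\n"),
    ("flow-2", "s2c", b"HTTP/1.1 200 OK\r\n"),
    ("flow-3", "c2s", b"JDWP-Handshake"),
    ("flow-3", "s2c", b"SSH-2.0-OpenSSH_9.6\r\n"),
]

if __name__ == "__main__":
    print(completed_handshakes(SAMPLE_FLOWS))  # ['flow-1']
```

A flow where only the client side carries the handshake (flow-3) is a probe, not an opened session, so it is not flagged; tighten or loosen that rule to match how noisy your network is.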