Misconfigured and vulnerable Apache Tomcat servers are under attack in a new campaign aimed at spreading the Mirai botnet malware and cryptocurrency miners, as reported by Aqua. Over a two-year period, Aqua detected more than 800 attacks against its Tomcat serverBotnet
, with a staggering 96% of them linked to the infamous Mirai botnet.
The attackers employed a web shell script named “neww” from 24 unique IP addresses, with the majority originating from a single IP address (104.248.157[.]218) to gain unauthorized access.
Once the threat actors successfully gained a foothold, they deployed a WAR file containing a malicious web shell class named ‘cmd.jsp.’ This class allowed them to remotely listen to requests and execute arbitrary commands on the compromised Tomcat server. Notably, the attackers used a shell script called “neww” and subsequently deleted the file using the “rm -rf” Linux command. The script contained links to download 12 binary files tailored to specific architectures, based on the targeted system.
The final stage of the malware involved deploying a variant of the notorious Mirai botnet, which utilized the infected hosts to orchestrate distributed denial-of-service (DDoS) attacks. The attackers leveraged the Tomcat web application manager by uploading a disguised web shell within a WAR file. Aqua researcher Nitzan Yaakov emphasized the importance of organizations securing their environments and maintaining strong credential hygiene to thwart brute-force attacks.
Additionally, AhnLab Security Emergency Response Center (ASEC) reported a concerning trend, where poorly managed MS-SQL servers are being exploited to deliver the Purple Fox rootkit malware.
This malware acts as a loader to fetch additional threats like coin miners, highlighting the lucrative nature of cryptocurrency mining. The increase in cryptojacking attacks has been significant, with SonicWall recording a 399% surge compared to the previous year, tallying 332 million cryptojacking incidents globally in the first half of 2023.
