Apache Tomcat Servers Under Attack: Crypto-Miners Exploit Critical Vulnerability

Urgent Security Threat: Attackers Exploit Apache Tomcat for Cryptojacking

Cybersecurity researchers at Aqua Nautilus have uncovered a rapidly evolving attack campaign that exploits vulnerabilities in Apache Tomcat servers. Within just 30 hours of the flaw being discovered, threat actors weaponized it to breach systems, steal SSH credentials, and hijack server resources for cryptocurrency mining.

This campaign highlights the critical importance of patching server vulnerabilities before they can be exploited. Apache Tomcat is widely used for web applications, making it a prime target for cybercriminals seeking to compromise cloud-based infrastructures.

Attack Flow: Brute Force to Cryptomining

1. Gaining Access

The attack begins with a brute-force assault on the Tomcat management console. Attackers deploy a Python script to guess weak credentials like “Tomcat” and “123456”. Once successful, they establish control over the system.

2. Deploying Malicious JSP Files

  • Attackers upload two JavaServer Pages (JSP) files to create backdoors and maintain persistence.
  • The first JSP file acts as a web shell that receives and executes AES-encrypted commands, so the payload is never visible in clear text on the wire.
  • The second JSP file ensures persistence by copying itself to various directories.

3. Further Exploitation on Different OS

  • On Windows, the attackers download and execute an .exe payload.
  • On Linux, they deploy a shell script for further infection.
  • Malicious scripts are hosted on domains like dbliker.top, disguised behind fake 404 error pages.
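As an added example (not code from the report or from Aqua Nautilus), a Python detector that runs over constructed Tomcat access-log lines in the default common format. It flags a source that repeatedly fails manager authentication (the brute-force stage) and any text-interface deploy or request for the JSP names listed later in the IOC section (the upload stage); the 10-attempt threshold and the sample lines are assumptions.

```python
import re
from collections import defaultdict

# Tomcat access log, default "common" pattern: %h %l %u %t "%r" %s %b
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ (?P<user>\S+) \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) (?P<bytes>\S+)$'
)
BRUTE_FORCE_THRESHOLD = 10                  # rejected manager logins from one IP (assumed)
JSP_IOC_NAMES = {"test.jsp", "tomcat.jsp"}  # JSP names from the report's IOC list

def analyse(lines):
    """Return (brute_force_ips, webshell_events) for an iterable of log lines."""
    failed = defaultdict(int)
    events = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue
        r = m.groupdict()
        path, status = r["path"], int(r["status"])
        # A 401 on /manager/* is one rejected Basic-auth attempt against the console
        if path.startswith("/manager/") and status == 401:
            failed[r["ip"]] += 1
        # Text-interface deploy (how a WAR/JSP gets uploaded) or a hit on a known JSP name
        basename = path.split("?", 1)[0].rsplit("/", 1)[-1]
        is_deploy = r["method"] in ("PUT", "POST") and path.startswith("/manager/text/deploy")
        if is_deploy or basename in JSP_IOC_NAMES:
            events.append((r["ip"], r["method"], path, status))
    brute = {ip for ip, n in failed.items() if n >= BRUTE_FORCE_THRESHOLD}
    return brute, events

# Constructed sample: 12 rejected logins, a success, a deploy, then the web shell is called
SAMPLE_LOG = [
    f'138.201.247.154 - - [14/Mar/2025:10:00:{i:02d} +0000] "GET /manager/html HTTP/1.1" 401 2473'
    for i in range(12)
] + [
    '138.201.247.154 - tomcat [14/Mar/2025:10:00:13 +0000] "GET /manager/html HTTP/1.1" 200 11000',
    '138.201.247.154 - tomcat [14/Mar/2025:10:00:14 +0000] "PUT /manager/text/deploy?path=/x HTTP/1.1" 200 45',
    '138.201.247.154 - - [14/Mar/2025:10:00:15 +0000] "POST /x/test.jsp HTTP/1.1" 200 312',
    '10.0.0.5 - - [14/Mar/2025:10:01:00 +0000] "GET /index.html HTTP/1.1" 200 512',
]

if __name__ == "__main__":
    brute, events = analyse(SAMPLE_LOG)
    print("brute-force sources:", sorted(brute))
    for ev in events:
        print("deploy/web-shell activity:", ev)
```

The same pass works on a real access log by feeding `open("localhost_access_log.txt")` to `analyse`; the only thing that is a success in the log after a run of 401s is the login that got through, which is exactly the line worth reading next.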

SSH Credential Theft and Lateral Movement

The attackers then shift focus to expanding their reach across the network:

  • A sophisticated script (ldr.sh) scans the compromised system for SSH keys.
  • It steals credentials and spreads malware to additional hosts.
  • The primary malware payload, a packed ELF binary, is launched for cryptomining.

Stealthy Cryptomining Operations

The cryptomining malware uses advanced evasion techniques:

  • Disguises itself as kernel processes (e.g., [cpuhp/0]) to avoid detection.
  • Implements anti-debugging, memory mapping, and process cloning to evade security tools.
  • Connects to mining pools like gulf.moneroocean.stream and auto.c3pool.org, hijacking CPU resources for mining Monero (XMR).
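An added hunting example, not from the report: on Linux a genuine kernel thread is a child of kthreadd (PID 2) and has no executable behind /proc/<pid>/exe, so a process that shows a bracketed name such as [cpuhp/0] but has a user-space parent or a real binary is masquerading. The Proc record, the constructed sample and the live /proc collector are assumptions of this example; reading exe for other users' processes needs root, which is why an empty exe alone is not treated as proof of innocence.

```python
import os
import re
from typing import NamedTuple

KERNEL_STYLE = re.compile(r"^\[.+\]$")  # ps renders kernel threads as [cpuhp/0], [kworker/1:0]
KTHREADD_PID = 2                         # every kernel thread is a child of kthreadd (PID 2)

class Proc(NamedTuple):
    pid: int
    ppid: int
    name: str   # argv[0] as ps shows it, or "[comm]" when cmdline is empty
    exe: str    # target of /proc/<pid>/exe; "" for kernel threads (or if unreadable)

def is_fake_kernel_thread(p: Proc) -> bool:
    """A user process can rewrite argv[0] to look like [cpuhp/0], but it cannot make
    kthreadd its parent and it still has a backing executable: flag either tell-tale."""
    if not KERNEL_STYLE.match(p.name) or p.pid == KTHREADD_PID:
        return False
    return p.ppid != KTHREADD_PID or p.exe != ""

def collect_from_proc():
    """Linux-only live collector (assumes /proc; exe of other users' processes needs root)."""
    procs = []
    for d in filter(str.isdigit, os.listdir("/proc")):
        try:
            with open(f"/proc/{d}/cmdline", "rb") as f:
                argv0 = f.read().split(b"\0", 1)[0].decode(errors="replace")
            with open(f"/proc/{d}/stat") as f:       # "pid (comm) state ppid ..."
                stat = f.read()
            comm = stat[stat.index("(") + 1:stat.rindex(")")]
            ppid = int(stat[stat.rindex(")") + 1:].split()[1])
            try:
                exe = os.readlink(f"/proc/{d}/exe")
            except OSError:
                exe = ""
            procs.append(Proc(int(d), ppid, argv0 or f"[{comm}]", exe))
        except (OSError, ValueError):
            continue  # process exited while being read
    return procs

# Constructed sample: pid 4242 is a user binary that renamed itself; 4300 is its child
SAMPLE = [
    Proc(2, 0, "[kthreadd]", ""),                          # kthreadd itself
    Proc(12, 2, "[cpuhp/0]", ""),                          # genuine kernel thread
    Proc(4242, 1, "[cpuhp/0]", "/tmp/.x/kworker (deleted)"),
    Proc(4300, 4242, "[kworker/1:0]", ""),                 # exe unreadable, parent is user-space
]

if __name__ == "__main__":   # use collect_from_proc() instead of SAMPLE on a live host
    print(*[p for p in SAMPLE if is_fake_kernel_thread(p)], sep="\n")
```

A "(deleted)" suffix on the exe link, as in the sample, means the binary was removed from disk after launch, which is itself worth a second look.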

Indicators of Compromise (IOCs)

Security teams should look for:

✅ Malicious JSP files (test.jsp, tomcat.jsp) linked to the attack.

✅ Packed ELF binaries used for cryptomining.

✅ Domains hosting payloads (dbliker.top).

✅ Suspicious IP addresses (e.g., 138.201.247.154).

How to Defend Against These Attacks

🔹 Patch Vulnerabilities – Update Apache Tomcat and other critical software.
🔹 Disable Unused Services – Limit access to management interfaces.
🔹 Implement Privilege Management – Use Role-Based Access Control (RBAC) and restrict root access.
🔹 Network Segmentation – Isolate critical infrastructure and block unnecessary outbound connections.
🔹 Deploy Runtime Protection – Use advanced anti-malware and behavior-based detection tools.

What Undercode Says:

Apache Tomcat: A Double-Edged Sword for Cybersecurity

Apache Tomcat remains one of the most popular open-source Java servlet containers, used extensively for running web applications. However, its widespread adoption makes it an attractive target for cybercriminals.

1️⃣ Speed of Exploitation is Alarming

  • This attack campaign was weaponized within just 30 hours of the vulnerability’s discovery.
  • Attackers are now automating the exploitation process, drastically reducing response time for defenders.

2️⃣ Credential Security is Still a Major Weak Point

  • The brute-force entry method suggests many organizations still use weak credentials.
  • Default passwords like “admin”, “password”, and “123456” continue to be exploited.

3️⃣ Stealth Tactics Are Evolving

  • Disguising malware as kernel processes is a growing trend in cryptojacking campaigns.
  • Attackers are hiding payloads behind fake 404 error pages, making detection more difficult.

4️⃣ Lateral Movement Remains a Major Threat

  • The theft of SSH credentials allows rapid expansion across networks.
  • Compromised SSH keys can give attackers persistent access to multiple servers.

5️⃣ Cryptojacking is Still Highly Profitable

  • Mining pools such as Moneroocean remain the primary destination for the hashing power attackers hijack.
  • While not as destructive as ransomware, cryptojacking silently drains resources and reduces server performance.

6️⃣ Security Teams Need Real-Time Monitoring

  • Passive security measures are not enough.
  • Continuous runtime security and active threat hunting are crucial for stopping these attacks before they escalate.

Fact Checker Results:

🔍 Cryptomining malware is evolving – The use of packed ELF binaries and kernel disguises makes detection harder than before.

🔍 Default credentials remain a massive issue – Attackers continue to exploit weak passwords in widely used software.

🔍 Automation of attacks is increasing – The ability to weaponize vulnerabilities in under 30 hours shows that cybercriminals are operating at lightning speed.

🔴 Final Verdict: Organizations must act fast. Patching vulnerabilities, enforcing strong credentials, and monitoring real-time threats are the best defenses against these evolving cryptojacking campaigns.

References:

Reported By: https://cyberpress.org/hackers-exploit-apache-tomcat-flaw/