Exposed JDWP Exploited in the Wild: What Happens When Debug Ports Are Left Open
During routine monitoring, the Wiz Research Team observed an exploitation attempt targeting one of our honeypot servers running TeamCity, a popular CI/CD tool. Our investigation determined that the attacker had gained remote code execution by abusing an exposed Java Debug Wire Protocol (JDWP) interface, ultimately deploying a cryptomining payload and setting up multiple persistence mechanisms.
We found this attack interesting due to a few key points:
- Fast Exploitation: Malware was deployed within just a few hours of exposing the vulnerable machine. We observed this rapid turnaround across multiple attempts.
- Customized XMRig payload: The attacker used a modified version of XMRig with a hardcoded configuration, allowing them to avoid suspicious command-line arguments that are often flagged by defenders.
- Stealthy crypto-mining: The payload connected to mining-pool proxies rather than directly to a pool, hiding the attacker's wallet address and preventing investigators from pivoting on it.
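The root cause above is a JDWP listener reachable from the network: the protocol has no authentication, so any client that completes its opening handshake gets full debugger control of the JVM. The check below, written for this summary and not taken from Wiz's tooling or the original article, performs only that handshake (the client sends the 14 ASCII bytes "JDWP-Handshake" and a debuggee echoes the same bytes back) to find out whether a port is a live debug socket. The local mock listeners are constructed stand-ins so the code runs offline; the port list in the usage section is an assumption (5005 is merely the port most -agentlib:jdwp examples use, not something the article states).

```python
"""Detect exposed JDWP listeners by performing the protocol handshake.

Added example, not part of the Wiz write-up. Uses only the handshake
defined in the JDWP specification: the client sends b"JDWP-Handshake"
and a debuggee JVM replies with the identical 14 bytes.
"""
import socket
import threading

HANDSHAKE = b"JDWP-Handshake"  # 14 ASCII bytes, fixed by the JDWP spec


def is_jdwp_exposed(host: str, port: int, timeout: float = 3.0) -> bool:
    """Return True if host:port echoes the JDWP handshake.

    No credentials are involved: a JVM started with
    -agentlib:jdwp=transport=dt_socket,server=y,address=0.0.0.0:<port>
    accepts the first client that sends the handshake, which is why an
    exposed port is equivalent to remote code execution on that JVM.
    Connection refusals, timeouts and non-JDWP banners all yield False.
    """
    try:
        with socket.create_connection((host, port), timeout=timeout) as s:
            s.sendall(HANDSHAKE)
            reply = b""
            # Read exactly len(HANDSHAKE) bytes; a JDWP server sends no more
            # until the client issues its first command packet.
            while len(reply) < len(HANDSHAKE):
                chunk = s.recv(len(HANDSHAKE) - len(reply))
                if not chunk:  # peer closed: definitely not a debuggee
                    break
                reply += chunk
            return reply == HANDSHAKE
    except OSError:  # refused, unreachable, or socket.timeout (an OSError)
        return False


def scan_jdwp(host: str, ports, timeout: float = 3.0) -> list:
    """Return the sorted subset of `ports` on `host` that speak JDWP."""
    return sorted(p for p in ports if is_jdwp_exposed(host, p, timeout))


def start_mock_listener(reply: bytes) -> int:
    """Start a one-shot localhost listener that answers with `reply`.

    Constructed stand-in for a JVM debug port (or any other service) so the
    detector can be exercised without a real JVM. Returns the bound port.
    """
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.bind(("127.0.0.1", 0))  # port 0: let the OS pick a free port
    srv.listen(1)
    port = srv.getsockname()[1]

    def serve():
        conn, _ = srv.accept()
        with conn:
            conn.recv(len(HANDSHAKE))  # consume whatever the client sent
            if reply:
                conn.sendall(reply)
        srv.close()

    threading.Thread(target=serve, daemon=True).start()
    return port


if __name__ == "__main__":
    # Offline demonstration against constructed listeners.
    jdwp_port = start_mock_listener(HANDSHAKE)            # behaves like a debuggee JVM
    web_port = start_mock_listener(b"HTTP/1.1 400 Bad Request\r\n\r\n")
    silent_port = start_mock_listener(b"")                # accepts, then closes
    print("JDWP ports found:", scan_jdwp("127.0.0.1", [jdwp_port, web_port, silent_port]))
    # Against real hosts (assumed port list; 5005 is a common convention, 8000 is
    # an arbitrary extra port for illustration):
    # print(scan_jdwp("build-agent.internal", [5005, 8000]))
```

Run it from a network position that mimics the attacker (the internet, or an adjacent segment) rather than from the CI host itself, since a listener bound to 127.0.0.1 is not the problem; the finding is a JDWP port reachable from somewhere it should not be. A positive result is a critical finding on its own, no further exploitation required, and the fix is to bind the debug transport to localhost or drop the -agentlib:jdwp flag from production launch commands.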
To read the complete article see:
This post is licensed under CC BY 4.0 by the author.