Routine monitoring by researchers uncovered an exploitation attempt against a honeypot server running TeamCity, a CI/CD tool. The attack exploited an exposed Java Debug Wire Protocol (JDWP) interface, leading to remote code execution, deployment of a cryptomining payload, and establishment of multiple persistence mechanisms. The attack was notable for its rapid exploitation, use of a customized XMRig payload, and stealthy cryptomining techniques. JDWP, designed for debugging Java applications, becomes a high-risk entry point when exposed to the Internet without proper authentication. The attackers used a structured sequence to achieve remote code execution, likely using a variant of jdwp-shellifier. They deployed a dropper script that installed an XMRig miner and set up various persistence mechanisms, including boot scripts, systemd services, cron jobs, and shell configuration files.

Author: AlienVault
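The root cause above is a JDWP agent listening on a network-reachable address. The following Python audit is an added example, not part of the pulse or of any tool it names; the JVM command lines are constructed samples, and the script flags any JVM whose debug agent is bound to something other than loopback (a port-only address is treated as suspect because JDK 8 and earlier bind it to every interface):

```python
import re

# Constructed sample JVM command lines (not from the original page), as a defender
# might collect them with `ps -eo args` during a host inventory.
SAMPLE_CMDLINES = [
    "java -agentlib:jdwp=transport=dt_socket,server=y,suspend=n,address=*:5005 -jar teamcity-server.jar",
    "java -agentlib:jdwp=transport=dt_socket,server=y,suspend=n,address=127.0.0.1:5005 -jar app.jar",
    "java -Xrunjdwp:transport=dt_socket,server=y,suspend=n,address=8000 -jar legacy.jar",
    "java -agentlib:jdwp=transport=dt_socket,server=n,address=10.0.0.5:5005 -jar client.jar",
    "java -Xmx2g -jar worker.jar",
]

# Matches the modern -agentlib:jdwp=... form and the legacy -Xrunjdwp:... form.
JDWP_RE = re.compile(r"-(?:agentlib:jdwp=|Xrunjdwp:)(\S+)")
LOOPBACK = {"127.0.0.1", "localhost", "::1"}


def parse_jdwp_options(cmdline):
    """Return the JDWP sub-options as a dict, or None if no debug agent is configured."""
    m = JDWP_RE.search(cmdline)
    if not m:
        return None
    opts = {}
    for item in m.group(1).split(","):
        key, _, value = item.partition("=")
        opts[key] = value
    return opts


def classify_jdwp(cmdline):
    """'none': no listening socket agent; 'loopback': bound to a loopback address;
    'unspecified-host': no host part (loopback on JDK 9+, all interfaces on JDK 8 and
    earlier); 'all-interfaces': '*', '0.0.0.0', '::' or any routable address."""
    opts = parse_jdwp_options(cmdline)
    # server=n means the JVM dials out to a debugger; dt_shmem is not a network socket.
    if opts is None or opts.get("server", "n") != "y" or opts.get("transport") != "dt_socket":
        return "none"
    addr = opts.get("address", "")
    if not addr or addr.isdigit():  # port only, or no address at all
        return "unspecified-host"
    host, sep, _port = addr.rpartition(":")
    host = host.strip("[]")  # IPv6 literals are written as [::1]:5005
    if sep and host in LOOPBACK:
        return "loopback"
    return "all-interfaces"


def audit(cmdlines):
    """Return (cmdline, verdict) pairs for JVMs whose debug port may be reachable remotely."""
    return [(c, v) for c in cmdlines if (v := classify_jdwp(c)) not in ("none", "loopback")]
```

Any hit from audit() on an Internet-facing host is the condition this intrusion started from; the fix is to remove the agent or bind it to loopback and reach it over SSH.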
Related Tags:
jdwp
T1543.002
T1053.003
T1036.004
java
TeamCity
remote code execution
T1070.004
XMRig
Associated Indicators: