Hackers Exploit JDWP Interfaces to Deploy Cryptocurrency Miners on 2,600 IP Addresses

Generated by AI Agent, Coin World
Saturday, Jul 5, 2025 6:34 am ET

Hackers have been exploiting exposed Java Debug Wire Protocol (JDWP) interfaces to gain control over compromised systems and deploy cryptocurrency miners. Researchers from a cloud security firm have identified this tactic, where hackers use the JDWP to execute code on targeted systems. Once they have code execution capabilities, the attackers deploy a modified version of XMRig, a popular open-source cryptocurrency miner, to mine Monero. The modified version includes a hard-coded configuration to avoid detection by defenders, who often flag suspicious command-line arguments. Additionally, the payload uses mining pool proxies to conceal the attacker’s crypto wallet, making it difficult for investigators to trace the source.

The researchers observed this activity on their honeypot servers running TeamCity, a widely used continuous integration and continuous delivery (CI/CD) tool. JDWP is the communication protocol Java uses for debugging; it lets a debugger interact with running JVM processes, including those on remote machines. Because JDWP has no authentication or access-control mechanism of its own, an instance reachable from the internet is a ready entry point for attackers. This misconfiguration can be exploited to inject and execute arbitrary commands, ultimately leading to the deployment of malicious payloads.

While JDWP is not enabled by default in most Java applications, it is commonly used in development and debugging environments. Many popular applications, such as TeamCity, Apache Tomcat, Spring Boot, Elasticsearch, and Jenkins, automatically start a JDWP server when run in debug mode. This can expose systems to remote code execution (RCE) vulnerabilities if not properly secured. The researchers noted that over 2,600 IP addresses have been scanned for JDWP endpoints in the last 24 hours, with a significant portion originating from various regions around the world.
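One way to find this misconfiguration on your own hosts is to review JVM command lines for a JDWP agent that listens on a non-loopback address. The script below is an added example written for this page, not code from the article or the researchers; it parses `-agentlib:jdwp=` / `-Xrunjdwp:` option strings as they would appear in `ps -ef` output and classifies each process. It assumes JDK 9+ semantics, where a bare `address=5005` binds to localhost and `address=*:5005` binds every interface (on JDK 8 and earlier a bare port binds every interface), and the sample command lines are constructed.

```python
"""Audit JVM command lines for JDWP debug agents exposed beyond localhost."""
import re
import shlex

JDWP_OPT = re.compile(r"^(?:-agentlib:jdwp=|-Xrunjdwp:)(.*)$")
LOOPBACK = {"localhost", "127.0.0.1", "::1"}
ANY_ADDR = {"*", "", "0.0.0.0", "::"}

# Constructed sample process command lines (not real hosts).
SAMPLE_CMDLINES = [
    "java -agentlib:jdwp=transport=dt_socket,server=y,suspend=n,address=*:5005 -jar teamcity-server.jar",
    "java -agentlib:jdwp=transport=dt_socket,server=y,suspend=n,address=5005 -jar app.jar",
    "java -Xrunjdwp:transport=dt_socket,server=y,address=0.0.0.0:8000 -jar tomcat-embed.jar",
    "java -agentlib:jdwp=transport=dt_socket,server=n,address=10.0.0.5:5005 -jar worker.jar",
    "java -jar quiet-service.jar",
]


def parse_jdwp_options(cmdline):
    """Return the JDWP key/value options from a JVM command line, or None if absent."""
    for arg in shlex.split(cmdline):
        m = JDWP_OPT.match(arg)
        if m:
            opts = {}
            for kv in m.group(1).split(","):
                key, _, value = kv.partition("=")
                opts[key.strip()] = value.strip()
            return opts
    return None


def jdwp_exposure(opts, jdk_major=11):
    """Classify a JDWP option set as 'none', 'client', 'loopback' or 'network'."""
    if not opts or opts.get("transport") != "dt_socket":
        return "none"        # no TCP transport: nothing reachable over the network
    if opts.get("server", "n").lower() != "y":
        return "client"      # JVM dials out to a debugger; it does not listen
    host, sep, _port = opts.get("address", "").rpartition(":")
    if not sep:              # bare port, e.g. address=5005
        return "loopback" if jdk_major >= 9 else "network"
    host = host.strip("[]")  # allow [::1]:5005 style IPv6 literals
    if host in ANY_ADDR:
        return "network"
    return "loopback" if host in LOOPBACK else "network"


def audit(cmdlines, jdk_major=11):
    """Return (exposure, cmdline) pairs for every process that listens off-loopback."""
    return [(lvl, c) for c in cmdlines
            if (lvl := jdwp_exposure(parse_jdwp_options(c), jdk_major)) == "network"]


if __name__ == "__main__":
    for level, cmd in audit(SAMPLE_CMDLINES):
        print(f"[{level}] {cmd}")
```

Feed it real `ps -eo args` output and run it again with `jdk_major=8` for hosts still on older JDKs, where the bare-port case is also network-exposed.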

In the observed attacks, hackers scan the internet for open JDWP ports and send a JDWP-Handshake request to confirm that the interface is active. Once confirmed, they execute a command to fetch a dropper shell script, which performs a series of actions: terminating competing miners or other high-CPU processes, downloading a modified version of the XMRig miner from an external server, establishing persistence through cron jobs, and deleting itself on exit. Using an open-source tool like XMRig lets the attackers customize the miner easily, stripping out the command-line parsing logic and hard-coding the configuration to simplify deployment and evade detection.

This disclosure coincides with the identification of a new and evolving Go-based malware named Hpingbot, which targets both Windows and Linux systems. Hpingbot is capable of launching distributed denial-of-service (DDoS) attacks using hping3, adding another layer of threat to the already compromised systems. The evolving nature of these attacks underscores the importance of securing JDWP interfaces and other potential entry points to prevent unauthorized access and malicious activities.
