Exposed JDWP Exploited in the Wild: What Happens When Debug Ports Are Left Open

NetmanageIT OpenCTI - opencti.netmanageit.com

SUMMARY:

Routine monitoring by researchers uncovered an exploitation attempt against a honeypot server running TeamCity, a CI/CD tool. The attack exploited an exposed Java Debug Wire Protocol (JDWP) interface, leading to remote code execution, deployment of a cryptomining payload, and the establishment of multiple persistence mechanisms. The attack was notable for its rapid exploitation, its use of a customized XMRig payload, and its stealthy cryptomining techniques. JDWP is designed for debugging Java applications, but it becomes a high-risk entry point when exposed to the Internet without authentication. The attackers used a structured sequence of JDWP operations to achieve remote code execution, likely using a variant of jdwp-shellifier. They then deployed a dropper script that installed an XMRig miner and set up several persistence mechanisms, including boot scripts, systemd services, cron jobs, and shell configuration files.

OPENCTI LABELS:

remote code execution, java, cryptomining, xmrig, teamcity, persistence, jdwp, debugging
