
The Wiz Research Team has uncovered a stealthy and rapidly executed exploitation chain that abuses a misconfigured Java Debug Wire Protocol (JDWP) interface to deploy crypto-mining malware in TeamCity environments. The discovery was made during routine honeypot monitoring and has implications for many Java-based applications, particularly those running in CI/CD pipelines.
“The attacker had gained remote code execution by abusing an exposed Java Debug Wire Protocol (JDWP) interface, ultimately deploying a cryptomining payload and setting up multiple persistence mechanisms,” the Wiz team reports.
JDWP is the wire protocol behind Java's remote debugging support. A debugger attached over it can inspect memory and threads, set breakpoints, control execution flow and invoke arbitrary methods inside the running JVM. It is normally switched on with a -agentlib:jdwp launch option and listens on a TCP port such as 5005.
“However, JDWP does not implement authentication or access control by default, and exposing it to the Internet is considered a misconfiguration,” the report states.

The attackers exploited this openness: they completed the JDWP handshake, enumerated the loaded classes, and used the protocol's method-invocation capability to call java.lang.Runtime.getRuntime().exec(), which ran shell commands to download the malicious payloads.
Once the JDWP port was exposed, exploitation followed within hours, a measure of how automated and wide-reaching attacker reconnaissance has become.
“Malware was deployed within just a few hours of exposing the vulnerable machine,” the report warns.
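To find this misconfiguration before a scanner does, a handshake probe is enough: JDWP opens with the client sending the 14-byte ASCII string JDWP-Handshake, and a genuine JDWP listener echoes the same 14 bytes back. The probe below is an added example, not Wiz's tooling and not code from the report; the two in-process fake listeners it talks to are constructed so it runs offline, and probe_jdwp() can be pointed at real host:port pairs from an asset inventory.

```python
"""Probe a TCP port for an exposed JDWP listener (added example, not Wiz's code).

JDWP starts with a fixed 14-byte handshake. The client sends b"JDWP-Handshake"
and a real JDWP listener echoes exactly those bytes back. A banner, silence or
a reset means the port is not speaking JDWP. The fake listeners below are
constructed only so the probe can be demonstrated without network access.
"""
import socket
import threading

JDWP_HANDSHAKE = b"JDWP-Handshake"  # the 14-byte handshake defined by the protocol


def probe_jdwp(host: str, port: int, timeout: float = 3.0) -> bool:
    """Return True if host:port completes the JDWP handshake, i.e. is exposed."""
    try:
        with socket.create_connection((host, port), timeout=timeout) as sock:
            sock.sendall(JDWP_HANDSHAKE)
            reply = b""
            # read until we have 14 bytes or the peer stops talking
            while len(reply) < len(JDWP_HANDSHAKE):
                chunk = sock.recv(len(JDWP_HANDSHAKE) - len(reply))
                if not chunk:
                    break
                reply += chunk
            return reply == JDWP_HANDSHAKE
    except (OSError, socket.timeout):
        return False


def _fake_listener(reply: bytes) -> int:
    """Constructed stand-in for a server: answers one connection with `reply`.

    Returns the port it bound on 127.0.0.1. Exists only for the offline demo.
    """
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.bind(("127.0.0.1", 0))
    srv.listen(1)

    def serve() -> None:
        conn, _ = srv.accept()
        with conn:
            conn.recv(64)  # consume whatever the client sent first
            if reply:
                conn.sendall(reply)
        srv.close()

    threading.Thread(target=serve, daemon=True).start()
    return srv.getsockname()[1]


def demo() -> dict:
    """Probe one constructed JDWP-like listener and one constructed HTTP listener."""
    jdwp_port = _fake_listener(JDWP_HANDSHAKE)
    http_port = _fake_listener(b"HTTP/1.1 400 Bad Request\r\n\r\n")
    return {
        "jdwp_listener_exposed": probe_jdwp("127.0.0.1", jdwp_port),
        "http_listener_exposed": probe_jdwp("127.0.0.1", http_port),
    }


if __name__ == "__main__":
    print(demo())  # {'jdwp_listener_exposed': True, 'http_listener_exposed': False}
```

The probe is passive from the JVM's point of view: it completes only the handshake and sends no JDWP commands, so it is safe to run against production hosts from an internal vantage point and from the Internet side of a perimeter to confirm that nothing answers there.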
Using tools like jdwp-shellifier, the attacker retrieved class and method info, then injected commands like:
The payload? A modified XMRig crypto-miner, renamed to logrotate to mimic a legitimate Linux utility.
The attack script (logservice.sh):
- Killed competing CPU-intensive processes.
- Downloaded a custom XMRig binary from awarmcorner[.]world.
- Installed itself into systemd, cron jobs, and shell startup scripts (.bashrc, .zshrc).
- Set itself to auto-run on reboot or terminal login.
- Deleted itself upon execution to evade detection.
“This logrotate binary is a modified variant of XMRig… stripping out all command-line parsing logic and hardcoding the configuration.”
The attacker also set the immutable attribute (chattr +i) on its cron entries, so they cannot be edited or deleted until the flag is cleared, which further solidifies persistence.
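Because the dropper deletes itself, the artifacts that remain on a compromised host are the persistence hooks it left behind. The hunt below is an added example, not Wiz's tooling; it encodes three heuristics taken from the description above: a cron entry, systemd unit or shell rc file that runs something named logrotate from anywhere other than the distribution's /usr/sbin/logrotate, a cron file carrying the immutable attribute (which no package manager sets), and rc or cron lines that execute from world-writable scratch space. The file contents and lsattr output are constructed for the demonstration; on a real host feed it the actual contents of /etc/cron*, /etc/systemd/system, and each user's shell rc files, plus `lsattr -R /etc/cron.d /var/spool/cron`.

```python
"""Hunt for the persistence pattern described in the report (added example).

Heuristics (assumptions of this example, not rules from the report):
  1. a command whose basename is 'logrotate' but whose path is not
     /usr/sbin/logrotate (the miner was renamed to mimic the real utility);
  2. a cron file with the immutable attribute set (chattr +i);
  3. a command executed from /tmp, /dev/shm or /var/tmp.
All sample files and the lsattr output below are constructed.
"""
import os
import shlex

LEGIT_LOGROTATE = "/usr/sbin/logrotate"
SCRATCH_DIRS = ("/tmp/", "/dev/shm/", "/var/tmp/")

# constructed sample artifacts: path -> file content
ARTIFACTS = {
    "/etc/cron.d/logservice": "*/10 * * * * root /root/.cache/logrotate >/dev/null 2>&1\n",
    "/etc/cron.daily/logrotate": "#!/bin/sh\n/usr/sbin/logrotate /etc/logrotate.conf\n",
    "/root/.bashrc": "alias ll='ls -la'\n/dev/shm/.x/logrotate &\n",
    "/etc/systemd/system/logrotate.service": "[Service]\nExecStart=/root/.cache/logrotate\n",
}

# constructed sample of `lsattr` output: flags column, then path
LSATTR_OUTPUT = """----i---------e------- /etc/cron.d/logservice
--------------e------- /etc/cron.daily/logrotate
"""


def _tokens(line: str) -> list:
    try:
        return shlex.split(line, comments=True)
    except ValueError:  # unbalanced quotes: fall back to a plain split
        return line.split()


def _command(token: str) -> str:
    """Turn 'ExecStart=/x/y' into '/x/y' so systemd units are checked like cron lines."""
    _key, eq, val = token.partition("=")
    return val if eq and val.startswith("/") else token


def suspicious_lines(path: str, text: str) -> list:
    """Return (path, lineno, reason) for every line hitting heuristics 1 or 3."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), 1):
        cmds = [_command(t) for t in _tokens(line)]
        if not cmds:
            continue
        for c in cmds:
            if os.path.basename(c) == "logrotate" and c != LEGIT_LOGROTATE:
                findings.append((path, lineno, "logrotate outside " + LEGIT_LOGROTATE))
                break
        if any(c.startswith(SCRATCH_DIRS) for c in cmds):
            findings.append((path, lineno, "executes from scratch directory"))
    return findings


def immutable_files(lsattr_output: str) -> list:
    """Return paths whose lsattr flags contain 'i' (immutable), heuristic 2."""
    hits = []
    for line in lsattr_output.splitlines():
        parts = line.split(None, 1)
        if len(parts) == 2 and "i" in parts[0]:
            hits.append(parts[1])
    return hits


def hunt(artifacts: dict = ARTIFACTS, lsattr_output: str = LSATTR_OUTPUT) -> dict:
    lines = []
    for path, text in artifacts.items():
        lines.extend(suspicious_lines(path, text))
    return {"lines": lines, "immutable": immutable_files(lsattr_output)}


if __name__ == "__main__":
    for finding in hunt()["lines"]:
        print("suspicious:", finding)
    for path in hunt()["immutable"]:
        print("immutable cron file:", path)
```

The legitimate /etc/cron.daily/logrotate entry is deliberately included in the sample so the basename check is shown not to fire on the real utility or on /etc/logrotate.conf. A cleanup still has to run `chattr -i` on any immutable hit before `rm` will succeed.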
JDWP is frequently left enabled in production, typically because a debug flag such as -agentlib:jdwp was never removed from a startup script, container image or Helm chart, and nobody noticed the extra listener. The report lists several Java-based tools that may expose JDWP when started in debug mode:
- TeamCity
- Jenkins
- Selenium Grid
- Elasticsearch
- Quarkus
- Spring Boot
- Apache Tomcat
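For any of the tools above the exposure is decided by one launch option, so it can be audited mechanically. The script below is an added example, not code from Wiz or from any of those projects. It parses -agentlib:jdwp= (and the legacy -Xrunjdwp:) options out of a JVM command line and classifies what the debug port binds to. The bind rules it applies are this example's assumptions about how the address option behaves: *:5005 and 0.0.0.0:5005 listen on every interface, 127.0.0.1:5005 or localhost:5005 on loopback only, and a bare 5005 listens on all interfaces on JDK 8 and older but only on loopback from JDK 9 on, where the default changed. The sample command lines are constructed.

```python
"""Classify JDWP exposure from JVM launch options (added example, not Wiz's code).

The `address` option of the jdwp agent decides the bind scope. Bind rules below
are assumptions of this example; check them against your JDK's documentation.
"""
import re
import shlex
from typing import Optional

_AGENT_RE = re.compile(r"^(?:-agentlib:jdwp=|-Xrunjdwp:)(.*)$")

# constructed sample command lines
SAMPLES = {
    # a CI server left in debug mode and reachable on every interface
    "exposed": "java -agentlib:jdwp=transport=dt_socket,server=y,suspend=n,address=*:5005 -jar app.jar",
    # same agent, but bound to loopback: reachable only via SSH port-forwarding
    "hardened": "java -agentlib:jdwp=transport=dt_socket,server=y,suspend=n,address=127.0.0.1:5005 -jar app.jar",
    # bare port: scope depends on the JDK major version
    "legacy_bare_port": "java -Xrunjdwp:transport=dt_socket,server=y,suspend=n,address=5005 -jar app.jar",
    # no debug agent at all
    "production": "java -Xmx2g -jar app.jar",
}


def parse_jdwp_options(cmdline: str) -> Optional[dict]:
    """Return the key=value options of the JDWP agent on a command line, or None."""
    for tok in shlex.split(cmdline):
        m = _AGENT_RE.match(tok)
        if m:
            opts = {}
            for kv in m.group(1).split(","):
                key, _, val = kv.partition("=")
                opts[key] = val
            return opts
    return None


def classify_exposure(cmdline: str, jdk_major: int = 17) -> str:
    """'none' (no agent), 'client' (JVM dials out), 'loopback' or 'all-interfaces'."""
    opts = parse_jdwp_options(cmdline)
    if opts is None:
        return "none"
    if opts.get("server", "n") != "y":
        return "client"  # JVM connects out to a debugger; nothing listens
    host, sep, _port = opts.get("address", "").rpartition(":")
    if not sep:  # bare port with no host part
        return "loopback" if jdk_major >= 9 else "all-interfaces"
    if host in ("127.0.0.1", "localhost", "::1", "[::1]"):
        return "loopback"
    return "all-interfaces"  # '*', '0.0.0.0', '::' or an explicit outward address


def audit(samples: dict = SAMPLES, jdk_major: int = 17) -> dict:
    return {name: classify_exposure(cmd, jdk_major) for name, cmd in samples.items()}


if __name__ == "__main__":
    for name, verdict in audit().items():
        print(f"{name:18s} {verdict}")
```

On a live host the same function can be run over each line of `ps -eo args` and over the JAVA_TOOL_OPTIONS and JDK_JAVA_OPTIONS environment variables of the service user, which is where a debug agent hides when it is not in the visible command line. Anything classified as all-interfaces should either lose the agent entirely or be rebound to loopback and reached through an SSH tunnel, since JDWP itself offers no authentication to add.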
The sheer scale of targeting is alarming. Using GreyNoise data, Wiz found over 6,000 unique IPs scanning for JDWP endpoints within 90 days.
“We observed extremely rapid exploitation of exposed JDWP instances.”
The attack described by Wiz is a blueprint for how trivial misconfigurations can lead to full-blown breaches. Secure your debug interfaces, or they’ll become backdoors for cryptojackers and worse.