Panamorfi: New DDoS Campaign Weaponizes Minecraft Tool
Experts at AquaSec have identified a new DDoS attack campaign named “Panamorfi.” These attacks utilize a package called “mineping.jar,” written in Java and designed to launch TCP flood DDoS attacks. Notably, Mineping was initially developed for Minecraft servers.
The attack chain begins by exploiting internet-exposed instances of Jupyter Notebook to execute wget commands for downloading a ZIP archive hosted on Filebin. The ZIP archive contains two JAR files: “conn.jar” and “mineping.jar.” The former is used to establish connections with a Discord channel and to initiate the execution of the “mineping.jar” package.
According to Aqua researcher Assaf Morag, the goal of the attack is to exhaust the resources of the target server by sending a large number of TCP connection requests. The results of the attack are displayed in a dedicated Discord channel.
This malicious campaign is attributed to an attacker using the pseudonym “yawixooo,” whose GitHub account contains a public repository with a Minecraft server configuration file.
The GitHub profile of the threat actor
This is not the first instance where internet-exposed Jupyter Notebook instances have been targeted. In October 2023, for instance, Cado Security experts uncovered the Qubitstrike campaign, orchestrated by a Tunisian group attempting to use Jupyter Notebook for illegal cryptocurrency mining and cloud environment hacking.
Researchers warn that attacks on Jupyter Notebook are becoming increasingly frequent and sophisticated. IT professionals must pay special attention to the configuration and security of these tools to prevent such incidents in the future.
