![]() ![]() These findings also demonstrate the lucrative nature of cryptocurrency mining, which has witnessed a 399% increase over last year, with 332 million cryptojacking attacks recorded in the first half of 2023 globally, according to SonicWall. The development comes as the AhnLab Security Emergency Response Center (ASEC) reported that poorly managed MS-SQL servers are being breached to deploy a rootkit malware called Purple Fox, which acts as a loader to fetch additional malware such as coin miners. To mitigate against the ongoing campaign, it's recommended that organizations secure their environments and follow credential hygiene to prevent brute-force attacks. "Next, the threat actor executed commands remotely and launched the attack." ![]() "Once the threat actor gained access to the web application manager using valid credentials, they leveraged the platform to upload a web shell disguised in a WAR file," Yaakov said. The final stage malware is a variant of the infamous Mirai botnet that makes use of the infected hosts to orchestrate distributed denial-of-service (DDoS) attacks. It also implements a collection of API namespaces that are required by most applications. It implements a dozen or so foundational components that can be used to build more complex components. "The script contains links to download 12 binary files, and each file is suitable for a specific architecture according to the system that has been attacked by the threat actor," Yaakov pointed out. ReactXP was designed to be a thin, lightweight cross-platform abstraction layer on top of React and React Native. This includes downloading and running a shell script called "neww" after which the file is deleted using the " rm -rf" Linux command. Upon gaining a successful foothold, the threat actors have been observed deploying a WAR file that contains a malicious web shell class named 'cmd.jsp' that, in turn, is designed to listen to remote requests and execute arbitrary commands on the Tomcat server. "The threat actor scanned for Tomcat servers and launched a brute force attack against it, attempting to gain access to the Tomcat web application manager by trying different combinations of credentials associated with it," Aqua security researcher Nitzan Yaakov said. Of these attack attempts, 20% (or 152) entailed the use of a web shell script dubbed "neww" that originated from 24 unique IP addresses, with 68% of them originating from a single IP address (104.248.157218). The findings come courtesy of Aqua, which detected more than 800 attacks against its Tomcat server honeypots over a two-year time period, with 96% of the attacks linked to the Mirai botnet. Misconfigured and poorly secured Apache Tomcat servers are being targeted as part of a new campaign designed to deliver the Mirai botnet malware and cryptocurrency miners. ![]()
0 Comments
Leave a Reply. |
AuthorWrite something about yourself. No need to be fancy, just an overview. ArchivesCategories |