
The Mirai botnet attack on Apache Tomcat servers

Unmasking the cyberattack chain: infiltration, execution, and countermeasures

The article discusses a cyberattack campaign targeting poorly protected Apache Tomcat servers with the aim of distributing Mirai botnet malware and cryptocurrency miners. The attack uses a shell script known as "neww", fetched once the attackers have gained unauthorized access, to make changes on the server. The final stage of the attack installs a Mirai botnet variant that turns the compromised servers into sources of DDoS attacks. To counter this, organizations are advised to strengthen their security measures.


Apache Tomcat servers that are misconfigured or poorly protected are the targets of a new cyberattack campaign that aims to spread Mirai botnet malware and cryptocurrency miners. Aqua, the cybersecurity company that made the discovery, recorded more than 800 attacks against its Tomcat honeypot servers over a period of two years; 96% of these were linked to the Mirai botnet.

The intricate frameworks of the attacks

Of the attack attempts Aqua investigated, 20% (about 152 incidents) involved a web shell script known as "neww". The script was served from 24 distinct IP addresses, 68% of which traced back to a single origin, the IP address 104.248.157[.]218. The attacking party would scan for Tomcat servers and subject them to a brute-force attack, looking for a way into the Tomcat web application manager, said Nitzan Yaakov, an Aqua cybersecurity researcher.

The sinister execution

After gaining unauthorized access, the intruders deployed a web application archive (WAR) file containing a malicious web shell class, 'cmd.jsp'. The web shell accepted commands from a remote operator and could execute any command on the Tomcat server. The observed sequence involved downloading a shell script dubbed "neww" and then erasing the file with the Linux "rm -rf" command. "The script has links which download 12 binary files that match the architecture of the attacked system," added Yaakov.
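As an added illustration (not code from the article or from Aqua), the following Python script turns the stages described above into detection rules run over Tomcat access log lines: repeated failed logins against the manager application, a login that succeeds only after those failures, a WAR deployment through the manager, and a JSP request from the same source afterwards. It assumes Tomcat's default AccessLogValve pattern (`%h %l %u %t "%r" %s %b`); the log lines, the IP addresses, the `/x/cmd.jsp` path and the failed-login threshold are constructed for the example.

```python
import re
from collections import defaultdict

# Tomcat's default AccessLogValve pattern: %h %l %u %t "%r" %s %b
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ (?P<user>\S+) \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) (?P<bytes>\S+)$'
)

BRUTE_FORCE_THRESHOLD = 5  # assumed: failed manager logins from one source before alerting
DEPLOY_PATHS = ("/manager/text/deploy", "/manager/html/upload")  # manager deploy endpoints

# Constructed sample log (not real honeypot data): one source brute-forces the manager,
# logs in, uploads a WAR and then calls a JSP inside it; a second source fails once.
SAMPLE_LOG = """\
198.51.100.7 - - [27/Jul/2023:11:00:01 +0000] "GET /manager/html HTTP/1.1" 401 2473
198.51.100.7 - - [27/Jul/2023:11:00:02 +0000] "GET /manager/html HTTP/1.1" 401 2473
198.51.100.7 - - [27/Jul/2023:11:00:02 +0000] "GET /manager/html HTTP/1.1" 401 2473
198.51.100.7 - - [27/Jul/2023:11:00:03 +0000] "GET /manager/html HTTP/1.1" 401 2473
198.51.100.7 - - [27/Jul/2023:11:00:03 +0000] "GET /manager/html HTTP/1.1" 401 2473
198.51.100.7 - admin [27/Jul/2023:11:00:04 +0000] "GET /manager/html HTTP/1.1" 200 19842
198.51.100.7 - admin [27/Jul/2023:11:00:09 +0000] "POST /manager/html/upload?org.apache.catalina.filters.CSRF_NONCE=ABC HTTP/1.1" 200 20115
198.51.100.7 - - [27/Jul/2023:11:00:12 +0000] "GET /x/cmd.jsp?cmd=id HTTP/1.1" 200 87
203.0.113.20 - - [27/Jul/2023:11:05:00 +0000] "GET /index.html HTTP/1.1" 200 11156
203.0.113.20 - - [27/Jul/2023:11:05:01 +0000] "GET /manager/html HTTP/1.1" 401 2473
"""


def parse_line(line):
    """Split one access log line into its fields, or return None if it does not match."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None


def analyse(log_text):
    """Track, per source IP, the stages of the chain: failed manager logins, a login
    that follows them, WAR deployments, and JSP requests made after a deployment."""
    findings = defaultdict(lambda: {"manager_401": 0, "manager_auth_success": False,
                                    "war_deploys": [], "jsp_hits": []})
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        path = rec["path"].split("?", 1)[0]  # drop the query string for matching
        f = findings[rec["ip"]]
        if path.startswith("/manager/"):
            if rec["status"] == "401":
                f["manager_401"] += 1
            elif rec["status"] == "200" and f["manager_401"] >= BRUTE_FORCE_THRESHOLD:
                f["manager_auth_success"] = True  # success only after repeated failures
            if path in DEPLOY_PATHS and rec["method"] in ("PUT", "POST") and rec["status"] == "200":
                f["war_deploys"].append(rec["ts"])
        elif path.endswith(".jsp") and f["war_deploys"]:
            f["jsp_hits"].append(path)  # a JSP hit by the same source that just deployed
    return findings


def alerts(findings):
    """Render the per-source findings as human-readable alert lines."""
    out = []
    for ip, f in sorted(findings.items()):
        if f["manager_401"] >= BRUTE_FORCE_THRESHOLD:
            out.append(f"{ip}: {f['manager_401']} failed manager logins (brute force)")
        if f["manager_auth_success"]:
            out.append(f"{ip}: manager login succeeded after brute force")
        for ts in f["war_deploys"]:
            out.append(f"{ip}: WAR deployed through the manager at {ts}")
        for p in f["jsp_hits"]:
            out.append(f"{ip}: JSP request {p} after deployment (possible web shell)")
    return out


if __name__ == "__main__":
    for a in alerts(analyse(SAMPLE_LOG)):
        print(a)
```

The rules are deliberately stateful per source address: a single 401 against the manager is normal noise, and a successful manager login is normal for administrators, but a success that arrives only after a run of failures, followed by a deployment and a request to a JSP that was not there before, is the chain the article describes. In production the same logic would read `localhost_access_log.*.txt` and feed a SIEM rather than a constructed string.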

From infiltration to actions, and the countermeasures

The final link in the malicious chain was a Mirai botnet variant that used the compromised hosts to launch distributed denial-of-service (DDoS) attacks. To combat such campaigns, organisations are advised to strengthen their security posture and improve credential hygiene. The discovery coincides with the AhnLab Security Emergency Response Center's (ASEC) recent report of MS-SQL servers compromised to distribute the Purple Fox rootkit malware. It serves as a timely warning, given the 399% rise in cryptocurrency mining and associated cryptojacking attacks.
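The credential hygiene advice above can be checked rather than just stated. The following Python script is an added example, not part of the article or of any Aqua tooling: it audits a `tomcat-users.xml` for manager or admin accounts whose password is blank, equal to the username, on a weak-password list, or short, and checks the manager application's `context.xml` for a `RemoteAddrValve` allow-list so the manager is not reachable from arbitrary addresses. The sample configuration files, the weak-password list and the 14-character minimum are constructed assumptions; the role names and the valve class are Tomcat's own.

```python
import xml.etree.ElementTree as ET

# Tomcat's built-in roles that grant access to the manager and host-manager applications.
MANAGER_ROLES = {"manager-gui", "manager-script", "manager-jmx", "manager-status",
                 "admin-gui", "admin-script"}
# Constructed weak-password list; a real audit would use a breach-derived wordlist.
WEAK_PASSWORDS = {"", "tomcat", "admin", "password", "s3cret", "manager", "123456"}
MIN_LEN = 14  # assumed minimum length for a manager account password

# Constructed sample tomcat-users.xml with two weak accounts and one acceptable one.
WEAK_USERS_XML = """\
<tomcat-users xmlns="http://tomcat.apache.org/xml" version="1.0">
  <role rolename="manager-gui"/>
  <role rolename="manager-script"/>
  <user username="tomcat" password="s3cret" roles="manager-gui"/>
  <user username="deploy" password="deploy" roles="manager-script"/>
  <user username="alice" password="correct-horse-battery-staple-9" roles="manager-script"/>
  <user username="bob" password="bobs-long-webapp-password" roles="user"/>
</tomcat-users>
"""

# Constructed manager context.xml files: one with no source restriction, one with an allow-list.
WEAK_CONTEXT_XML = '<Context antiResourceLocking="false" privileged="true"/>'
HARDENED_CONTEXT_XML = r"""<Context antiResourceLocking="false" privileged="true">
  <Valve className="org.apache.catalina.valves.RemoteAddrValve"
         allow="127\.\d+\.\d+\.\d+|::1|10\.0\.0\.\d+"/>
</Context>
"""


def _local(tag):
    """Strip an XML namespace prefix such as {http://tomcat.apache.org/xml} from a tag."""
    return tag.rsplit("}", 1)[-1]


def audit_users(xml_text):
    """Return findings for privileged accounts with weak credentials in tomcat-users.xml."""
    findings = []
    for el in ET.fromstring(xml_text).iter():
        if _local(el.tag) != "user":
            continue
        name = el.get("username", "")
        pw = el.get("password", "")
        roles = {r.strip() for r in el.get("roles", "").split(",") if r.strip()}
        privileged = sorted(roles & MANAGER_ROLES)
        if not privileged:
            continue  # only accounts that can reach the manager matter here
        if pw == "" or pw.lower() == name.lower() or pw.lower() in WEAK_PASSWORDS:
            findings.append(f"user '{name}' has a weak or default password and holds {privileged}")
        elif len(pw) < MIN_LEN:
            findings.append(f"user '{name}' password is shorter than {MIN_LEN} characters")
    return findings


def audit_manager_context(xml_text):
    """Return a finding unless the manager context restricts callers with RemoteAddrValve."""
    for el in ET.fromstring(xml_text).iter():
        if (_local(el.tag) == "Valve"
                and el.get("className", "").endswith("RemoteAddrValve")
                and el.get("allow")):
            return []
    return ["manager context has no RemoteAddrValve allow-list; manager is reachable from any address"]


if __name__ == "__main__":
    for f in audit_users(WEAK_USERS_XML) + audit_manager_context(WEAK_CONTEXT_XML):
        print("FINDING:", f)
    print("hardened context findings:", audit_manager_context(HARDENED_CONTEXT_XML))
```

Both checks address the entry point the article describes: brute force only works when a manager account has a guessable password, and it only reaches the manager at all when the application accepts logins from any source address. Restricting the allow-list to administrative networks and removing manager roles from accounts that do not need them closes the path before the WAR upload stage is reachable.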


07/27/2023 11:27

Editorial AI
