The Wiz Security Team has recently published research showing a significant increase in attacks that target well-known CI/CD platforms like TeamCity and take advantage of weakly protected Java Debug Wire Protocol (JDWP) interfaces.
These attacks, detected via honeypot deployments, reveal a significant uptick in both speed and sophistication.
Within just a few hours of exposing a JDWP-enabled TeamCity server to the internet, malicious actors successfully achieved remote code execution (RCE), deployed cryptomining malware, and implemented diverse persistence mechanisms to maintain long-term control.
JDWP is a Java platform feature meant for debugging live applications, offering developers valuable introspection capabilities.
It is commonly enabled using JVM flags such as -agentlib:jdwp=transport=dt_socket,server=y,suspend=n,address=*:5005.
Critically, JDWP provides no authentication or access control by default. When Internet-exposed, this lack of security transforms JDWP into a high-risk entrypoint, granting attackers the ability to execute arbitrary code with the privileges of the running Java process.
While JDWP is not active by default in most Java applications, many tools (TeamCity, Jenkins, Selenium Grid, Elasticsearch, Quarkus, Spring Boot, and Apache Tomcat among them) activate JDWP in debug mode, often without warning developers of the associated risks.
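The risk in the paragraph above comes down to one JVM option string, so an auditor's first check is to parse it and ask whether the debug port is listening and on which interface. The following is an added example (not code from the Wiz report) that classifies constructed sample JVM command lines, as they would appear in ps output, by JDWP exposure; the sample lines and the function names are assumptions.

```python
import re
import shlex

# Constructed sample JVM command lines (not taken from the original report),
# as they might appear in `ps -eo args` output on a build server.
SAMPLE_CMDLINES = [
    "java -agentlib:jdwp=transport=dt_socket,server=y,suspend=n,address=*:5005 -jar teamcity-server.jar",
    "java -Xrunjdwp:transport=dt_socket,server=y,suspend=n,address=8000 -jar jenkins.war",
    "java -agentlib:jdwp=transport=dt_socket,server=y,suspend=n,address=127.0.0.1:5005 -jar app.jar",
    "java -agentlib:jdwp=transport=dt_socket,server=n,address=localhost:5005 -jar app.jar",
    "java -Xmx2g -jar worker.jar",
]

# Both the modern -agentlib:jdwp= form and the legacy -Xrunjdwp: form.
JDWP_RE = re.compile(r"^-(?:agentlib:jdwp=|Xrunjdwp:)(.*)$")


def parse_jdwp(cmdline):
    """Return the JDWP option dict for a JVM command line, or None if no agent."""
    for arg in shlex.split(cmdline):
        m = JDWP_RE.match(arg)
        if m:
            opts = {}
            for kv in m.group(1).split(","):
                key, _, value = kv.partition("=")
                opts[key] = value
            return opts
    return None


def exposure(opts):
    """Classify how reachable the debug port is from the parsed options."""
    if opts is None:
        return "none"
    if opts.get("server", "n") != "y":
        return "client"  # JVM dials out to a debugger; nothing is listening
    host, _, _port = opts.get("address", "").rpartition(":")
    if host in ("*", "0.0.0.0", "::", "[::]"):
        return "all-interfaces"  # the configuration quoted in the article
    if host == "":
        # Bare port: all interfaces on JDK 8 and earlier, loopback on JDK 9+.
        return "port-only"
    if host in ("127.0.0.1", "localhost", "::1", "[::1]"):
        return "loopback"
    return "specific-host"


def audit(cmdlines):
    """Return (exposure, cmdline) for every JVM whose JDWP agent is listening."""
    return [(lvl, c) for c in cmdlines
            if (lvl := exposure(parse_jdwp(c))) in ("all-interfaces", "port-only", "specific-host")]
```

Anything classified all-interfaces or port-only on an older JDK deserves the same treatment as any other unauthenticated admin port: firewall it or bind it to loopback.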
Customized XMRig Payload
Attackers initiated their campaign by scanning for open JDWP ports, such as the default 5005.

Upon establishing a JDWP session, they completed the protocol handshake (JDWP-Handshake), enumerated loaded JVM classes, and identified exploitable methods, particularly java.lang.Runtime.getRuntime().exec().
The exploitation chain involved creating strings containing download and execution commands, such as fetching malicious scripts via curl or wget, that were executed directly through JDWP-invoked Java methods.
The primary dropper script observed, dubbed logservice.sh, demonstrated advanced evasion and persistence.
It would terminate competing miners or high-CPU processes, download a custom XMRig miner disguised as the legitimate “logrotate” binary, and install itself across various startup points: user shell profiles, rc.local, systemd units, and multiple cron schedules.
The malicious XMRig variant used a hardcoded configuration, avoiding suspicious command-line arguments, and communicated through mining pool proxies to obscure the wallet addresses. This deliberate obfuscation hinders detection and forensic efforts by defenders.

Persistence mechanisms were comprehensive. Modifications were made to rc.local and cron job configurations on both Debian and RedHat-based systems, fake systemd services were created, and shell profile scripts were amended to guarantee execution upon user login or system reboot.
The attack script also ensured its own deletion post-execution, leaving only the disguised binary behind.
Widespread Targeting
Analysis showed highly automated exploitation, with over 6,000 unique IP addresses observed scanning for JDWP endpoints in just 90 days, underscoring JDWP’s attractiveness as a target for cybercriminals.
Multiple threat actors appeared to leverage similar tactics, seeking rapid deployment of cryptominers before defenders could respond.
According to the report, the attackers' use of tailored miners and stealthy installation methods makes traditional detection and response particularly challenging. Security vendors like Wiz offer a layered defense strategy against such attacks.
Their agentless malware detection and runtime sensors monitor for behavioral indicators, from JDWP exploitation and suspicious network activity to unauthorized changes in system services and cryptomining workload patterns, alerting defenders to each stage of the kill chain.
The campaign is a potent reminder that exposing development and debugging services like JDWP to the internet, even inadvertently, creates a critical security liability.
Organizations must review their deployment practices, ensure administrative ports are firewalled or access controlled, and employ advanced monitoring to catch stealthy post-exploitation activity.
Indicators of Compromise (IOCs)