Hackers Exploit Apache Tomcat Flaw to Steal SSH Credentials and Hijack Servers

Cybersecurity researchers at Aqua Nautilus have uncovered a new attack campaign targeting internet-exposed Apache Tomcat servers.

Within just 30 hours of discovery, attackers had weaponized the weakness to break into systems, steal SSH credentials and turn the servers' resources over to cryptocurrency mining.

The campaign is a reminder that the most widely deployed server software needs the most urgent hardening: the foothold here is not a sophisticated exploit but weak Manager credentials.

Attack flow of the Tomcat campaign (2025)

Attack Flow: Brute Force to Cryptomining

The attack begins with brute-force attempts against the Tomcat Manager web application: a Python script cycles through weak credential pairs such as "Tomcat" and "123456" until one is accepted. The Manager answers each failed attempt with an HTTP 401, so a burst of 401s on /manager/html from a single client is the earliest visible sign of this stage.
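That 401-burst pattern is straightforward to check for. The script below is an added example written for this article, not code from the Aqua report or from Tomcat: it parses constructed access-log lines in Tomcat's default AccessLogValve "common" format and flags clients that rack up repeated 401s on /manager/* and then get in. The IP addresses, timestamps, threshold and window are assumptions.

```python
"""Flag brute-force attempts against the Tomcat Manager app in access logs.

Added example, not from the Aqua report. Assumes the default
AccessLogValve "common" pattern: %h %l %u %t "%r" %s %b
Adjust LOG_RE if server.xml uses a different pattern.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta, timezone

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ (?P<user>\S+) \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+)[^"]*" (?P<status>\d{3}) (?P<size>\S+)$'
)
TS_FMT = "%d/%b/%Y:%H:%M:%S %z"
MANAGER_PREFIX = "/manager"


def parse_line(line):
    """Parse one access-log line into a dict, or return None if it does not match."""
    m = LOG_RE.match(line.strip())
    if m is None:
        return None
    rec = m.groupdict()
    rec["ts"] = datetime.strptime(rec["ts"], TS_FMT)
    rec["status"] = int(rec["status"])
    return rec


def detect_bruteforce(lines, threshold=10, window=timedelta(minutes=5)):
    """Return {ip: verdict} for clients that produced at least `threshold`
    401 responses on /manager/* inside `window`. The verdict also records
    whether the same client later received a non-error response there
    (i.e. the guessing most likely succeeded), the username it used, and
    what it requested afterwards. Lines must be in chronological order,
    which is how Tomcat writes them."""
    failures = defaultdict(list)   # ip -> timestamps of recent 401s
    verdicts = {}
    for line in lines:
        rec = parse_line(line)
        if rec is None or not rec["path"].startswith(MANAGER_PREFIX):
            continue
        ip = rec["ip"]
        if rec["status"] == 401:
            cutoff = rec["ts"] - window
            failures[ip] = [t for t in failures[ip] if t >= cutoff] + [rec["ts"]]
            if len(failures[ip]) >= threshold:
                verdicts.setdefault(ip, {"failures": 0, "success": False,
                                         "user": None, "requests_after_success": []})
                verdicts[ip]["failures"] = len(failures[ip])
        elif ip in verdicts and rec["status"] < 400:
            verdicts[ip]["success"] = True
            verdicts[ip]["user"] = rec["user"]
            verdicts[ip]["requests_after_success"].append(f'{rec["method"]} {rec["path"]}')
    return verdicts


def constructed_sample():
    """Constructed log lines (not real traffic): twelve guesses from one
    client, a successful login, a deploy through the text interface, one
    legitimate admin login (one 401 then 200), and unrelated noise."""
    t0 = datetime(2025, 4, 1, 10, 0, 0, tzinfo=timezone.utc)

    def stamp(seconds):
        return (t0 + timedelta(seconds=seconds)).strftime(TS_FMT)

    lines = [
        f'198.51.100.23 - - [{stamp(5 * i)}] "GET /manager/html HTTP/1.1" 401 2536'
        for i in range(12)
    ]
    lines += [
        f'203.0.113.7 - - [{stamp(61)}] "GET /index.jsp HTTP/1.1" 200 1024',
        f'198.51.100.23 - tomcat [{stamp(65)}] "GET /manager/html HTTP/1.1" 200 21000',
        f'198.51.100.23 - tomcat [{stamp(70)}] "PUT /manager/text/deploy?path=/test HTTP/1.1" 200 35',
        f'192.0.2.10 - - [{stamp(80)}] "GET /manager/html HTTP/1.1" 401 2536',
        f'192.0.2.10 - admin [{stamp(84)}] "GET /manager/html HTTP/1.1" 200 21000',
    ]
    return lines


if __name__ == "__main__":
    for ip, verdict in detect_bruteforce(constructed_sample()).items():
        print(ip, verdict)
```

The threshold and window are tuning knobs: a legitimate administrator normally produces one 401 (the browser's initial challenge) followed by a 200, which stays far below the bar, while a script guessing passwords produces dozens in a minute. To run it against a real server, pass an open handle to the default localhost_access_log.YYYY-MM-DD.txt in place of the constructed sample.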

Once they hold valid credentials, the attackers deploy malicious JavaServer Pages (JSP) files through the Manager to establish backdoors and persistence.

According to the report, the first JSP file is a web shell that executes code delivered to it in encrypted form.

It decrypts each payload with AES under a hard-coded key and loads the resulting malicious Java class dynamically; because the key never changes, the decryption routine doubles as a static signature for the shell.

The second JSP file escalates privileges and maintains persistence by copying itself into multiple directories within the server environment.

On Windows it downloads and executes an .exe payload (os.s); on Linux it drops a shell script (w) that carries the attack further.

These scripts are hosted on domains such as dbliker.top. A request to the payload URL returns what looks like a 404 "page not found" error, but the payload is embedded inside the HTML of that error page, so anyone who judges the site by its status code, or glances at it in a browser, sees nothing suspicious.

SSH Credential Theft and Lateral Movement

A more advanced script, ldr.sh, collects SSH keys from the compromised host and scans the surrounding network for additional hosts to infect.

With the stolen credentials the attackers log into those systems and spread the malware laterally, widening their reach. The main payload, a packed ELF binary, is a cryptominer.

The binary names itself after kernel threads (e.g. [cpuhp/0]) so that it blends into a process listing; the bracketed name is exactly what ps prints for genuine kernel threads.

On execution the malware performs anti-debugging checks, maps memory and clones itself into further processes.

It connects to Monero mining pools such as gulf.moneroocean.stream and auto.c3pool.org, tunes its CPU usage for mining and deletes traces of its activity.
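The disguise holds up in ps but not in /proc. The script below is an added example, not part of the article or the Aqua report: it encodes the heuristic that a genuine kernel thread has an empty cmdline, no readable exe link and kthreadd (PID 2) as its parent, whereas a miner that renames itself through argv[0] or prctl(PR_SET_NAME) keeps a user-space parent and a backing executable. It runs over constructed process records (the PIDs, paths and names are made up) and can also walk the live /proc.

```python
"""Spot user-space processes masquerading as kernel threads such as [cpuhp/0].

Added example, not from the Aqua report. Linux-only heuristic based on
/proc: real kernel threads have an empty cmdline, no readable exe link
and PPid 2 (kthreadd). A renamed miner violates at least one of these.
"""
import os
import re

KTHREADD_PID = 2
BRACKETED = re.compile(r"^\[[^\]]+\]$")   # "[cpuhp/0]", "[kworker/0:1]", ...


def classify(rec):
    """rec: dict with pid, ppid, comm, cmdline, exe (path or None), state.
    Returns a list of reasons; an empty list means nothing looks off."""
    reasons = []
    # A bracketed cmdline is a forgery: kernel threads have no cmdline at all,
    # ps adds the brackets itself when cmdline is empty.
    fake_name = bool(BRACKETED.match(rec["cmdline"]))
    # An empty cmdline is how a kernel thread looks; zombies also have one, skip them.
    claims_kthread = rec["cmdline"] == "" and rec["state"] != "Z"
    if fake_name:
        reasons.append("cmdline is a bracketed kernel-style name; real kernel threads have an empty cmdline")
    if not (fake_name or claims_kthread):
        return reasons
    if rec["exe"]:
        reasons.append(f"backed by executable {rec['exe']}")
    if rec["pid"] != KTHREADD_PID and rec["ppid"] != KTHREADD_PID:
        reasons.append(f"parent pid {rec['ppid']} is not kthreadd")
    return reasons


def scan(records):
    """Return {pid: reasons} for every record that trips the heuristic."""
    hits = {}
    for rec in records:
        reasons = classify(rec)
        if reasons:
            hits[rec["pid"]] = reasons
    return hits


def read_proc():
    """Collect records from the live /proc. Reading another user's exe link
    needs root; without it exe comes back None and only the parent check applies."""
    records = []
    for entry in os.listdir("/proc"):
        if not entry.isdigit():
            continue
        base = f"/proc/{entry}"
        try:
            with open(f"{base}/comm") as f:
                comm = f.read().strip()
            with open(f"{base}/cmdline", "rb") as f:
                cmdline = f.read().replace(b"\0", b" ").strip().decode(errors="replace")
            ppid, state = -1, "?"
            with open(f"{base}/status") as f:
                for line in f:
                    if line.startswith("PPid:"):
                        ppid = int(line.split()[1])
                    elif line.startswith("State:"):
                        state = line.split()[1]      # "S (sleeping)" -> "S"
        except OSError:
            continue   # process exited mid-scan or is not readable
        try:
            exe = os.readlink(f"{base}/exe")
        except OSError:
            exe = None
        records.append({"pid": int(entry), "ppid": ppid, "comm": comm,
                        "cmdline": cmdline, "exe": exe, "state": state})
    return records


# Constructed records (made-up PIDs and paths) covering the cases above.
SAMPLE_RECORDS = [
    {"pid": 15, "ppid": 2, "comm": "cpuhp/0", "cmdline": "", "exe": None, "state": "S"},   # genuine
    {"pid": 2, "ppid": 0, "comm": "kthreadd", "cmdline": "", "exe": None, "state": "S"},   # kthreadd itself
    {"pid": 4312, "ppid": 1, "comm": "cpuhp/0", "cmdline": "[cpuhp/0]",
     "exe": "/tmp/.x/miner (deleted)", "state": "R"},                                     # argv[0] forgery
    {"pid": 4313, "ppid": 4312, "comm": "cpuhp/0", "cmdline": "",
     "exe": "/tmp/.x/miner", "state": "R"},                                               # argv wiped, child clone
    {"pid": 900, "ppid": 1, "comm": "sshd", "cmdline": "/usr/sbin/sshd -D",
     "exe": "/usr/sbin/sshd", "state": "S"},                                              # ordinary daemon
    {"pid": 777, "ppid": 1, "comm": "worker", "cmdline": "", "exe": None, "state": "Z"},  # zombie, ignored
]

if __name__ == "__main__":
    for pid, reasons in scan(read_proc()).items():
        print(pid, "; ".join(reasons))
```

Treat a hit as a lead rather than a verdict: a process can have an empty cmdline for other reasons, and without root the exe signal is lost for other users' processes. The parent check survives either way, and since the report describes the miner cloning itself, expect a user-space parent with several same-named children rather than a lone process.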

Indicators of Compromise (IOCs)

Key indicators include:

  • Malicious JSP files (test.jsp, tomcat.jsp); the report lists their MD5 hashes.
  • Packed ELF binaries used for cryptomining.
  • Domains like dbliker.top hosting payloads.
  • IP addresses associated with download servers (e.g., 138.201.247.154).

To defend against such attacks, organizations should:

  1. Patch Vulnerabilities: Prioritize critical updates for internet-facing applications like Apache Tomcat.
  2. Disable Unused Services: Remove the Manager and Host Manager web applications where they are not needed; where they are, restrict them to an IP allow-list (Tomcat ships a RemoteAddrValve in the Manager's context.xml for this) and set strong, unique credentials in tomcat-users.xml.
  3. Implement Privilege Management: Enforce Role-Based Access Control (RBAC), run Tomcat as an unprivileged service account and limit root access.
  4. Network Segmentation: Isolate critical servers from external networks and restrict outbound connections, so that a dropped miner cannot reach its pool and a loader cannot fetch its next stage.
  5. Deploy Runtime Protection: Use anti-malware tooling capable of detecting cryptomining behaviour, such as sustained CPU use by a process posing as a kernel thread.
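As an added example (not from the article or the Aqua report), a small audit script for the two settings behind items 2 and 3: manager-role users with guessable passwords in conf/tomcat-users.xml, and whether the Manager's META-INF/context.xml still has an active RemoteAddrValve allow-list. The XML strings are constructed samples in the layout of those files, and the password list is an assumption seeded with the guesses the campaign used.

```python
"""Audit Tomcat Manager exposure: weak manager credentials and missing IP allow-list.

Added example, not from the Aqua report. The XML below is constructed in
the layout of conf/tomcat-users.xml and webapps/manager/META-INF/context.xml.
"""
import xml.etree.ElementTree as ET

MANAGER_ROLES = {"manager-gui", "manager-script", "manager-jmx", "manager-status"}
# Assumed list: the guesses named in the campaign plus a few tutorial defaults.
WEAK_PASSWORDS = {"", "tomcat", "123456", "password", "admin", "s3cret", "changeit"}
REMOTE_ADDR_VALVE = "org.apache.catalina.valves.RemoteAddrValve"


def _local(tag):
    """Strip the namespace that tomcat-users.xml declares on its elements."""
    return tag.rsplit("}", 1)[-1]


def audit_users(users_xml):
    """Return findings for users who hold a manager-* role with a guessable password."""
    findings = []
    for el in ET.fromstring(users_xml).iter():
        if _local(el.tag) != "user":
            continue
        name = el.get("username", "")
        password = el.get("password", "")
        roles = {r.strip() for r in el.get("roles", "").split(",") if r.strip()}
        held = roles & MANAGER_ROLES
        if not held:
            continue
        if password.lower() in WEAK_PASSWORDS or password.lower() == name.lower():
            findings.append(f"user {name!r} has a guessable password and roles {sorted(held)}")
    return findings


def manager_allowlist(context_xml):
    """Return the RemoteAddrValve allow pattern, or None if no valve is active.
    A commented-out valve does not count: the parser drops XML comments."""
    for valve in ET.fromstring(context_xml).iter("Valve"):
        if valve.get("className") == REMOTE_ADDR_VALVE:
            return valve.get("allow")
    return None


# Constructed samples. WEAK_* mirrors what the campaign found; HARDENED_* is the fix.
WEAK_USERS = """<tomcat-users xmlns="http://tomcat.apache.org/xml" version="1.0">
  <role rolename="manager-gui"/>
  <user username="tomcat" password="tomcat" roles="manager-gui"/>
  <user username="admin" password="123456" roles="manager-gui,manager-script"/>
  <user username="reader" password="x9Qe-4kLp-7sWm-2RbT-0nVc" roles="manager-status"/>
</tomcat-users>
"""
HARDENED_USERS = """<tomcat-users xmlns="http://tomcat.apache.org/xml" version="1.0">
  <role rolename="manager-script"/>
  <user username="deployer" password="Vt3m-8pZq-Lw5n-K2hd-9sYb" roles="manager-script"/>
</tomcat-users>
"""
WEAK_CONTEXT = r"""<Context antiResourceLocking="false" privileged="true">
  <!-- <Valve className="org.apache.catalina.valves.RemoteAddrValve"
             allow="127\.\d+\.\d+\.\d+|::1|0:0:0:0:0:0:0:1" /> -->
</Context>
"""
HARDENED_CONTEXT = r"""<Context antiResourceLocking="false" privileged="true">
  <Valve className="org.apache.catalina.valves.RemoteAddrValve"
         allow="127\.\d+\.\d+\.\d+|::1|0:0:0:0:0:0:0:1|10\.20\.30\.\d+" />
</Context>
"""

if __name__ == "__main__":
    for label, users, ctx in (("weak", WEAK_USERS, WEAK_CONTEXT),
                              ("hardened", HARDENED_USERS, HARDENED_CONTEXT)):
        print(label, audit_users(users), "allow:", manager_allowlist(ctx))
```

The hardened variant keeps only a manager-script account for automated deploys and pins the Manager to loopback plus an assumed management subnet (10.20.30.0/24); swap in your own range. Run the two functions against the real files under $CATALINA_BASE to repeat the check on a live install.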

This attack underscores the importance of proactive security measures in protecting server environments from exploitation.

With attackers weaponizing weaknesses within hours, real-time detection and mitigation are essential to protect workloads from cryptomining campaigns such as this one targeting Apache Tomcat servers.
