Panamorfi TCP Flood DDoS Attack Cripples Jupyter Notebooks

A new DDoS campaign, dubbed ‘Panamorfi’, leverages a repurposed Minecraft DDoS tool, mineping, to launch TCP flood attacks. Threat actors deploy this Java-based tool through misconfigured Jupyter notebooks, exploiting them as attack vectors. 

The importance of implementing robust DDoS mitigation strategies and securing Jupyter environments that are exposed to the internet is brought to light by this campaign. 

The zip file with a single detection

An attacker gained access through a honeypot Jupyter notebook and downloaded a new, malicious ZIP file (MD5: 42989a405c8d7c9cb68c323ae9a9a318), which contained two JAR files (conn.jar and mineping.jar) that also appeared new and were only flagged by ESET on VirusTotal. 

The analysis of conn.jar revealed that the attacker was using Discord to control a potential distributed denial of service attack; the JAR file connects to a Discord channel by using embedded credentials.   

The main function of connector jar

The threat actor, “yawixooo,” is utilizing the publicly available “mineping.jar” package to execute a TCP flood DDoS attack. The Java-based tool, originally designed for Minecraft servers, is repurposed to overwhelm target servers with a high volume of connection requests. 

The attack’s progress is monitored and reported via a Discord channel, with the attacker using the Panamorfi DDoS logo as a signature. The tool’s functionality includes HTTP socket loading, proxy usage, victim flooding, and random connection generation. 

The Panamorfi DDoS logo

The threat actor, known by the alias “yawixooo,” maintains a public GitHub profile with a Minecraft server configuration and a basic website that is still under development. 

While the available online footprint primarily suggests a casual user with gaming interests, it is essential to exercise caution, which may be a deliberate attempt to mask more nefarious activities. 

Comprehensive analysis is required to definitively link the GitHub profile to the malicious incident and uncover the actor’s true motivations and capabilities.

The GitHub profile of the threat actor

Aqua’s CNAPP addresses the critical security gap among data practitioners by detecting and remediating vulnerabilities within Jupyter notebooks and broader cloud-native environments. 

By recognizing the knowledge deficit in security practices, it provides a comprehensive solution to protect against misconfigurations and attacks, empowering data teams to focus on insights without compromising security. 

The runtime protection stopped a drift event by using advanced behavioral detection to find malicious runtime activity, which shows that runtime protection is an important part of cloud-native security that goes beyond managing vulnerabilities and fixing configuration mistakes. 

Also Read:

Kaaviya
Kaaviyahttps://cyberpress.org/
Kaaviya is a Security Editor and fellow reporter with Cyber Press. She is covering various cyber security incidents happening in the Cyber Space.

Recent Articles

Related Stories

LEAVE A REPLY

Please enter your comment!
Please enter your name here