New attack technique to hack Apache Tomcat Servers

Apache Tomcat is a free, open-source server that provides a “pure Java” HTTP web server environment and supports technologies such as Jakarta Servlet, Expression Language, and WebSocket. Nearly half of all developers use Apache Tomcat, making it the clear leader. A new campaign delivering Mirai botnet malware and bitcoin miners is targeting Apache Tomcat servers that are misconfigured and lack adequate security measures.

The research was conducted by Aqua, which found that over the course of two years its Tomcat server honeypots were subjected to more than 800 attacks, 96% of which were connected to the Mirai botnet. 152 of these attempts (20%) involved a web shell script named “neww” and came from 24 different IP addresses, with 68% of them originating from a single address (104.248.157[.]218). These attacks were unsuccessful.

The threat actor brute-forced the scanned Tomcat servers with a variety of credential combinations in order to gain access to the web application manager.

After gaining access, the threat actor deploys a WAR file containing a web shell called ‘cmd.jsp’ on the compromised Tomcat server, which allows remote command execution.

Downloading and running the “neww” shell script is an integral part of the attack chain. Once it has executed, the script is removed with the “rm -rf” command. It then retrieves 12 binary files tailored to the architecture of the targeted system.

All of these components work together to streamline the deployment of the web app on compromised Tomcat servers.

The final payload is a variant of the Mirai botnet, which uses the infected systems to coordinate distributed denial-of-service (DDoS) attacks.

In short, the threat actor breaks into the web app manager using valid credentials, uploads a disguised web shell in a WAR file, executes commands remotely, and starts the attack.

The statistics also shed light on the profitable expansion of cryptocurrency mining, which is projected to see a 399% increase and 332 million cryptojacking attacks worldwide in H1 2023.
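As an added example (not from Aqua's report or the original article), the following Python script runs the detection logic a defender would want for this chain over constructed Tomcat access-log lines: repeated 401 responses from the manager app to one host, a successful upload through the manager, and a subsequent request to a JSP inside a newly deployed context. The log pattern (Tomcat's default AccessLogValve format), the failure threshold and the sample lines are assumptions.

```python
import re
from collections import Counter, defaultdict

# Tomcat default access-log pattern: %h %l %u %t "%r" %s %b
LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ (?P<user>\S+) \[(?P<ts>[^\]]+)\] '
                    r'"(?P<method>\S+) (?P<path>\S+) \S+" (?P<status>\d{3}) \S+$')

# Constructed sample: one host hammers the manager login, gets in, uploads a
# WAR with an innocuous-looking name, then calls the JSP shell inside it.
SAMPLE_LOG = """\
203.0.113.10 - - [12/Jul/2023:10:00:01 +0000] "GET /manager/html HTTP/1.1" 401 2473
203.0.113.10 - - [12/Jul/2023:10:00:02 +0000] "GET /manager/html HTTP/1.1" 401 2473
203.0.113.10 - - [12/Jul/2023:10:00:03 +0000] "GET /manager/html HTTP/1.1" 401 2473
203.0.113.10 - - [12/Jul/2023:10:00:04 +0000] "GET /manager/html HTTP/1.1" 401 2473
203.0.113.10 - - [12/Jul/2023:10:00:05 +0000] "GET /manager/html HTTP/1.1" 401 2473
203.0.113.10 - tomcat [12/Jul/2023:10:00:06 +0000] "GET /manager/html HTTP/1.1" 200 11234
203.0.113.10 - tomcat [12/Jul/2023:10:00:07 +0000] "POST /manager/html/upload?org.apache.catalina.filters.CSRF_NONCE=X HTTP/1.1" 200 11880
203.0.113.10 - - [12/Jul/2023:10:00:09 +0000] "GET /docs-old/cmd.jsp?cmd=id HTTP/1.1" 200 57
198.51.100.7 - - [12/Jul/2023:10:01:00 +0000] "GET /app/index.jsp HTTP/1.1" 200 4102
"""

FAIL_THRESHOLD = 5  # manager auth failures from one host before we alert (assumed value)

def parse(lines):
    """Yield the fields of every line that matches the access-log pattern."""
    for line in lines:
        m = LOG_RE.match(line)
        if m:
            yield m.groupdict()

def analyze(log_text):
    """Return findings keyed by client IP: brute force, manager deploy, JSP hits."""
    fails = Counter()
    findings = defaultdict(list)
    for r in parse(log_text.splitlines()):
        ip, path, status = r["ip"], r["path"], int(r["status"])
        if path.startswith("/manager/"):
            if status == 401:
                fails[ip] += 1
                if fails[ip] == FAIL_THRESHOLD:
                    findings[ip].append("manager brute force")
            elif status == 200 and ("/upload" in path or "/deploy" in path):
                findings[ip].append("WAR deployed via manager")
        # Heuristic: a JSP outside /manager served to a host that already tripped
        # an alert is a likely web-shell call and should be reviewed.
        elif path.split("?")[0].endswith(".jsp") and findings.get(ip):
            findings[ip].append("post-deploy JSP request: " + path.split("?")[0])
    return dict(findings)

if __name__ == "__main__":
    for ip, events in analyze(SAMPLE_LOG).items():
        print(ip, "->", "; ".join(events))
```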

Recommendation
To protect against attacks of this kind, cybersecurity specialists recommend the following measures:

Make sure each of your environments is properly configured.
Scan your servers regularly for threats.
Give your development, DevOps, and security teams cloud-native tools that scan for vulnerabilities and misconfigurations so they can do their jobs better.
Use runtime detection and response technologies.