Aqua Nautilus researchers have identified a new malware campaign that exploits Apache Tomcat servers and hijacks their resources for cryptocurrency mining. The attackers use encrypted payloads to establish backdoors, steal SSH credentials, and execute arbitrary code. Exploitation was rapid: the vulnerability was weaponized in just 30 hours, which underlines the urgency for organizations to secure their Tomcat instances.
Affected: Apache Tomcat servers, Linux and Windows environments
Key points:
- New attack campaign targets Apache Tomcat servers for resource hijacking.
- Attackers exploit weak credentials via brute-force attempts on the Tomcat management console.
- Successful compromise leads to uploading of encrypted payloads that establish backdoors.
- Malware deploys disguised binaries for resource hijacking and cryptocurrency mining.
- Aqua’s monitoring revealed rapid exploitation, with attackers leveraging known vulnerabilities.
- Identification of potential links to a Chinese-speaking threat actor based on code snippets.
- Multiple techniques observed to hide malicious activities and payloads.
- Recommendations for patching vulnerabilities and implementing strict security measures.
MITRE Techniques:
- T1189 – Drive-by Compromise: Exploits vulnerabilities in Tomcat servers to execute malicious payloads.
- T1071 – Application Layer Protocol: Communicates with remote servers for payload binaries via HTTP and HTTPS.
- T1069 – Permission Groups Discovery: Utilizes system commands to determine user privileges and permissions.
- T1203 – Exploitation for Client Execution: Uploads malicious JavaServer Pages (JSP) files for persistent access.
- T1036 – Masquerading: Hides the main payload as kernel processes to run undetected.
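The chain described in the key points and MITRE list above (credential guessing against the Tomcat manager, followed by a manager deploy and a request to the uploaded JSP) leaves a clear trace in the Tomcat access log. The following detection script is an added example, not code from Aqua's report; the log lines are constructed in the default Tomcat "common" access-log pattern, and the IP addresses, timestamps and the `/test` context are placeholders.

```python
import re
from collections import defaultdict

# Constructed Tomcat access-log sample in the default pattern:
#   %h %l %u %t "%r" %s %b
# Addresses and timestamps are placeholders; 203.0.113.7 plays the attacker.
SAMPLE_LOG = """\
203.0.113.7 - - [10/Jul/2023:10:01:01 +0000] "GET /manager/html HTTP/1.1" 401 2473
203.0.113.7 - - [10/Jul/2023:10:01:02 +0000] "GET /manager/html HTTP/1.1" 401 2473
203.0.113.7 - - [10/Jul/2023:10:01:02 +0000] "GET /manager/html HTTP/1.1" 401 2473
203.0.113.7 - - [10/Jul/2023:10:01:03 +0000] "GET /manager/html HTTP/1.1" 401 2473
203.0.113.7 - - [10/Jul/2023:10:01:04 +0000] "GET /manager/html HTTP/1.1" 401 2473
203.0.113.7 - - [10/Jul/2023:10:01:05 +0000] "GET /manager/html HTTP/1.1" 200 19310
203.0.113.7 - tomcat [10/Jul/2023:10:01:09 +0000] "PUT /manager/text/deploy?path=/test HTTP/1.1" 200 47
203.0.113.7 - - [10/Jul/2023:10:01:12 +0000] "GET /test/test.jsp HTTP/1.1" 200 512
198.51.100.20 - - [10/Jul/2023:10:02:00 +0000] "GET /docs/ HTTP/1.1" 200 7211
"""

LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ (?P<user>\S+) \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) \S+$'
)

def parse(log_text):
    """Parse access-log lines into dicts; lines that do not match are skipped."""
    return [m.groupdict() for m in map(LINE_RE.match, log_text.splitlines()) if m]

def find_manager_bruteforce(events, threshold=5):
    """IPs with at least `threshold` HTTP 401 responses on /manager/ (credential guessing)."""
    fails = defaultdict(int)
    for e in events:
        if e["path"].startswith("/manager/") and e["status"] == "401":
            fails[e["ip"]] += 1
    return {ip: n for ip, n in fails.items() if n >= threshold}

def find_manager_deploys(events):
    """Deploy/upload requests to the manager app: PUT to the text interface or POST to the HTML upload form."""
    hits = []
    for e in events:
        p = e["path"].split("?")[0]
        if (e["method"] == "PUT" and p == "/manager/text/deploy") or \
           (e["method"] == "POST" and p == "/manager/html/upload"):
            hits.append((e["ip"], e["user"], e["path"]))
    return hits

def find_post_deploy_jsp(events):
    """Requests for a .jsp outside /manager/ from an IP that deployed through the manager: likely a planted web shell."""
    deployers = {ip for ip, _, _ in find_manager_deploys(events)}
    return [(e["ip"], e["path"]) for e in events
            if e["ip"] in deployers and e["path"].split("?")[0].endswith(".jsp")
            and not e["path"].startswith("/manager/")]
```

Any deploy from an address that also produced a burst of 401s, or any newly deployed context serving JSP, is worth an alert; in production feed the real `localhost_access_log` and raise the threshold to suit normal administrative traffic.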
Indicators of Compromise:
- [IP Address] 209.141.37.95 (Attacker IP, Tor exit router)
- [IP Address] 138.201.247.154 (Download server)
- [IP Address] 68.183.238.15 (Download server)
- [Domain] dbliker.top (Download server)
- [MD5] 8b3a077339cd75a313a531798852a352 (Malicious JSP file – test.jsp)
Full Story: https://blog.aquasec.com/new-campaign-against-apache-tomcat