A recent report by Wiz revealed a new strategy employed by hackers: abusing exposed Java Debug Wire Protocol (JDWP) interfaces to run crypto mining on compromised systems.
How hackers use JDWP for attacks
Researchers at Wiz found that hackers are exploiting open JDWP interfaces, which allow them to execute arbitrary code on the affected systems. JDWP is Java's debugging protocol, and it is typically enabled only during development. The core issue is that the protocol has no access control mechanism of its own, so any JDWP interface reachable over the network is open to attack.
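The misconfiguration described above is visible in the JVM's own command line. As an added example (not code from the Wiz report or from this article), the helper below classifies a JVM command line by whether its JDWP listener is bound to a loopback address or to a routable one; the sample command lines and the `jdk_major` parameter are constructed assumptions for illustration.

```python
import re
import shlex
from typing import Optional

# JDWP is enabled through -agentlib:jdwp=<opts> (or the legacy -Xrunjdwp:<opts>).
JDWP_FLAG = re.compile(r"^(?:-agentlib:jdwp=|-Xrunjdwp:)(.*)$")
LOOPBACK = {"127.0.0.1", "localhost", "::1"}


def parse_jdwp_options(cmdline: str) -> Optional[dict]:
    """Return the JDWP option map from a JVM command line, or None if JDWP is off."""
    for arg in shlex.split(cmdline):
        m = JDWP_FLAG.match(arg)
        if m:
            opts = {}
            for kv in m.group(1).split(","):
                key, _, value = kv.partition("=")
                opts[key.strip()] = value.strip()
            return opts
    return None


def jdwp_exposure(cmdline: str, jdk_major: int = 17) -> str:
    """Classify a JVM command line as 'none', 'local' or 'exposed'.

    'exposed' means the debug socket listens on a non-loopback address,
    i.e. the condition that internet-wide scans for JDWP are looking for.
    jdk_major is an assumed input: on JDK 8 and earlier a bare port binds
    all interfaces, while JDK 9+ binds a bare port to localhost only.
    """
    opts = parse_jdwp_options(cmdline)
    if opts is None or opts.get("transport", "dt_socket") != "dt_socket":
        return "none"
    if opts.get("server", "n") != "y":
        return "none"  # client mode: the JVM dials out and never listens
    address = opts.get("address", "")
    host, sep, _port = address.rpartition(":")
    if not sep:  # bare port such as address=5005
        host = ""
    host = host.strip("[]")  # tolerate bracketed IPv6 literals
    if host == "":
        return "local" if jdk_major >= 9 else "exposed"
    return "local" if host in LOOPBACK else "exposed"


# Constructed sample command lines, as an auditor might collect them from `ps`.
SAMPLE_CMDLINES = [
    "java -agentlib:jdwp=transport=dt_socket,server=y,suspend=n,address=*:5005 -jar app.jar",
    "java -agentlib:jdwp=transport=dt_socket,server=y,suspend=n,address=127.0.0.1:5005 -jar app.jar",
    "java -jar app.jar",
]


def find_exposed(cmdlines) -> list:
    """Return only the command lines whose JDWP listener is reachable off-host."""
    return [c for c in cmdlines if jdwp_exposure(c) == "exposed"]
```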
Methods of implementing crypto mining
After gaining code execution, hackers deploy crypto miners on the affected systems. They use a modified version of XMRig with a hard-coded configuration, which avoids suspicious command-line arguments. This technique conceals the attacker's crypto wallet from anyone inspecting the process and disguises their activity.
Overview of attack and its consequences
When JDWP is enabled, the Java Virtual Machine (JVM) listens for debugger connections on port 5005 by default, and hackers scan the internet for hosts with that port open. Data shows that over 2,600 IP addresses were involved in this scanning in the last 24 hours, of which 1,500 were classified as malicious. The primary sources of these IP addresses include Hong Kong, Germany, the United States, Singapore, and China.
The attacks exploiting JDWP vulnerabilities highlight the critical importance of securing systems against insecure configurations, particularly in development environments.