Apache Tomcat Servers Targeted by Mirai Botnet Actors


Aqua has recently uncovered a concerning trend where Apache Tomcat servers that are misconfigured and poorly secured are becoming prime targets for a newly orchestrated campaign. This campaign is specifically designed to unleash the infamous Mirai botnet malware and cryptocurrency miners.

Over the span of two years, Aqua detected a staggering 800 attacks aimed at their Tomcat server honeypots. Shockingly, 96% of these attacks were directly linked to the notorious Mirai botnet.

The threat actors behind these attacks employed a web shell script named "neww" in 20% of their attempts (152 attacks in total). This script originated from 24 unique IP addresses, with a significant 68% originating from a single IP address (104.248.157[.]218).

The modus operandi of the attackers involved scanning for vulnerable Tomcat servers and subsequently launching brute force attacks to gain unauthorized access to the Tomcat web application manager. Their aim was to test various combinations of credentials associated with the manager until they found a successful entry point.

Web Shell Used on Compromised Servers

Once they gained access, the threat actors proceeded to deploy a WAR file containing a malicious web shell class known as 'cmd.jsp'. This web shell was designed to respond to remote requests, enabling the attackers to execute arbitrary commands on the compromised Tomcat server.

Among the commands executed was the download and execution of a shell script called "neww," which, once run, was promptly deleted with the Linux "rm -rf" command to erase traces of the operation. Notably, this script included links to download 12 binary files, each tailored to the specific architecture of the targeted system.

In a final alarming twist, the malware employed in this campaign was a variant of the infamous Mirai botnet. This particular strain utilized the compromised hosts to launch distributed denial-of-service (DDoS) attacks, adding another layer of danger to the already menacing situation.

To carry out their attack, the threat actors made cunning use of the web application manager, uploading the web shell disguised as a WAR file. From there, they remotely executed commands, unleashing the devastating attack on the targeted servers.
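The attack chain described above leaves a recognisable trace in the Tomcat access log: a burst of 401 responses on the manager application from one client, followed by a successful upload to a manager deployment endpoint. The following detection script is an added example written for this article (it is not Aqua's code, and the log lines are constructed, not taken from the report); it assumes the default Tomcat access log pattern `%h %l %u %t "%r" %s %b`.

```python
import re
from collections import defaultdict

# Tomcat access log lines in the default pattern: %h %l %u %t "%r" %s %b
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ (?P<user>\S+) \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) \S+$'
)
# Manager-app endpoints that accept a WAR upload (HTML form and text interface)
DEPLOY_PATHS = {"/manager/html/upload", "/manager/text/deploy"}

def parse_line(line):
    m = LOG_RE.match(line.strip())
    return m.groupdict() if m else None

def find_manager_abuse(lines, fail_threshold=5):
    """Map IP -> {"failed_logins", "deployed"} for clients that received at least
    fail_threshold 401s on /manager/ and then successfully pushed a deployment."""
    stats = defaultdict(lambda: {"failed_logins": 0, "deployed": []})
    for line in lines:
        rec = parse_line(line)
        if not rec or not rec["path"].startswith("/manager/"):
            continue
        path = rec["path"].split("?", 1)[0]   # drop CSRF nonce / query string
        entry = stats[rec["ip"]]
        if rec["status"] == "401":
            entry["failed_logins"] += 1
        elif (rec["method"] in ("POST", "PUT") and rec["status"].startswith("2")
              and path in DEPLOY_PATHS):
            entry["deployed"].append(path)
    return {ip: s for ip, s in stats.items()
            if s["failed_logins"] >= fail_threshold and s["deployed"]}

# Constructed sample log (not from the report): 203.0.113.9 guesses credentials
# repeatedly and then uploads a WAR; 198.51.100.4 is an admin with one typo.
SAMPLE_LOG = """\
203.0.113.9 - - [27/Jul/2023:10:00:01 +0000] "GET /manager/html HTTP/1.1" 401 2473
203.0.113.9 - - [27/Jul/2023:10:00:02 +0000] "GET /manager/html HTTP/1.1" 401 2473
203.0.113.9 - - [27/Jul/2023:10:00:02 +0000] "GET /manager/html HTTP/1.1" 401 2473
203.0.113.9 - - [27/Jul/2023:10:00:03 +0000] "GET /manager/html HTTP/1.1" 401 2473
203.0.113.9 - - [27/Jul/2023:10:00:03 +0000] "GET /manager/html HTTP/1.1" 401 2473
203.0.113.9 - tomcat [27/Jul/2023:10:00:04 +0000] "GET /manager/html HTTP/1.1" 200 11500
203.0.113.9 - tomcat [27/Jul/2023:10:00:05 +0000] "POST /manager/html/upload?org.apache.catalina.filters.CSRF_NONCE=AB12 HTTP/1.1" 200 9800
198.51.100.4 - - [27/Jul/2023:11:30:00 +0000] "GET /manager/html HTTP/1.1" 401 2473
198.51.100.4 - admin [27/Jul/2023:11:30:10 +0000] "POST /manager/html/upload HTTP/1.1" 200 9800
"""

if __name__ == "__main__":
    for ip, s in find_manager_abuse(SAMPLE_LOG.splitlines()).items():
        print(f"{ip}: {s['failed_logins']} failed logins, then deployed via {s['deployed']}")
```

Pair this with the mitigations that remove the precondition entirely: do not expose the manager application to the internet, bind it to trusted addresses with a RemoteAddrValve, and use an account lockout realm so guessing stops long before a valid password is found.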

It is crucial for server administrators to remain vigilant and ensure the proper configuration and security of their Apache Tomcat servers to thwart such malicious campaigns and protect against potential infiltration by the Mirai botnet or other forms of malware.

July 27, 2023