Unpatched Apache Tomcat servers spread Mirai botnet malware – SC Media


Security personnel are being advised to harden Apache Tomcat instances after researchers found that the widely used Java application server was being abused to distribute Mirai botnet-related malware.

Apache Tomcat is an open-source Java application server; in a recent survey, it was the primary application server used by less than half of the Java teams asked.

“These attacks exploited a misconfiguration of weak passwords and users [credentials] to download a web shell, which allowed remote code execution,” Nautilus security data analyst Nitzan Yaakov stated in a blog post.

Researchers found that 12 different web shells were used during the attacks. The most common attack, observed on 152 occasions, used a shell script dubbed “neww”.

Yaakov did not discuss attribution in the post, but said the attacks using the “neww” script originated from 24 IP addresses, with about two-thirds of them believed to come from a single address: 104.248.157[.]218.

Initial access through brute-force attacks

The Nautilus research team’s analysis revealed that the threat actors focused on misconfigurations in the Tomcat Web Application Manager, the component that lets users manage deployed web applications.

“The list of authorized users with access to Tomcat resources can be found in the configuration file ‘tomcat-users.xml’. Attackers are using brute force on the manager application to figure out the password,” Yaakov said.

Researchers observed an attack against one of their Tomcat honeypots that was set up with the server’s default username and password. The attackers found the correct password on their third login attempt and gained complete control of the server.

Tomcat’s web application manager lets users deploy a web application either as a directory or as a WAR archive, the format that packages web applications for the Java platform.

The WAR file includes every file required to run a web application, including HTML, CSS and servlets, which makes it a convenient way to manage web app deployment.

Malware deployed using remote code execution

Yaakov stated that the threat actor used that capability to deploy a WAR file containing a malicious web shell class named ‘cmd.jsp’.

“Using an action that is legitimately done via the manager application (i.e. uploading the WAR file) as a vector for attack lets the attacker disguise the attack and make it hard to identify,” she said.

“[T]he webshell was developed to receive requests and then execute commands on the server. This allows the threat actor to execute commands remotely on the Apache Tomcat server.”
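The two stages described above (repeated failed logins to the manager app, then a WAR deployment once a password is found) leave a recognizable trail in Tomcat's access log. The following detection logic is an added example, not code from the SC Media article or from Aqua's research; it runs over constructed sample log lines in Tomcat's default access-log format, and the hosts, timestamps and threshold are assumptions.

```python
import re
from collections import defaultdict

# Default Tomcat AccessLogValve pattern: %h %l %u %t "%r" %s %b
LOG_RE = re.compile(
    r'^(?P<host>\S+) \S+ (?P<user>\S+) \[(?P<time>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) \S+$'
)
MANAGER_RE = re.compile(r"^/manager(/|$)")
# Manager endpoints that deploy a WAR (HTML upload form, text API, legacy path)
DEPLOY_RE = re.compile(r"^/manager/(html/upload|text/deploy|deploy)(\?|$)")

# Constructed sample log, not taken from the Nautilus report: three failed
# manager logins from one host, then a successful login and a WAR upload.
SAMPLE_LOG = """\
203.0.113.10 - - [01/Jan/2024:10:00:01 +0000] "GET /manager/html HTTP/1.1" 401 2473
203.0.113.10 - - [01/Jan/2024:10:00:02 +0000] "GET /manager/html HTTP/1.1" 401 2473
203.0.113.10 - - [01/Jan/2024:10:00:03 +0000] "GET /manager/html HTTP/1.1" 401 2473
203.0.113.10 - tomcat [01/Jan/2024:10:00:04 +0000] "GET /manager/html HTTP/1.1" 200 19845
203.0.113.10 - tomcat [01/Jan/2024:10:00:09 +0000] "POST /manager/html/upload?nonce=ABC HTTP/1.1" 302 -
198.51.100.7 - admin [01/Jan/2024:10:05:00 +0000] "GET /manager/html HTTP/1.1" 200 19845
"""

def parse(log_text):
    """Parse access-log lines into dicts; lines that do not match are skipped."""
    entries = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if m:
            e = m.groupdict()
            e["status"] = int(e["status"])
            entries.append(e)
    return entries

def find_manager_abuse(log_text, fail_threshold=3):
    """Flag hosts that fail manager authentication at least fail_threshold
    times and afterwards authenticate; record any deploy requests they make."""
    state = defaultdict(lambda: {"failed_logins": 0, "authenticated": False, "deploys": []})
    for e in parse(log_text):
        if not MANAGER_RE.match(e["path"]):
            continue
        s = state[e["host"]]
        if e["status"] == 401:
            s["failed_logins"] += 1
        elif s["failed_logins"] >= fail_threshold and e["status"] < 400:
            s["authenticated"] = True  # success only counts after the failures
            if DEPLOY_RE.match(e["path"]):
                s["deploys"].append(e["path"])
    return {h: s for h, s in state.items() if s["authenticated"]}
```

A host that authenticates without prior failures (the second address in the sample) is not flagged, so legitimate administrators do not trip the rule.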

The first command downloaded the “neww” shell script, which ran the malware, a variant of the well-known Mirai botnet.

“In our scenario, our host was infected by the malware. Based on our study of past attacks and our research, this threat actor plans to use this malware as a foundation to launch further attacks,” Yaakov said. “These attacks can range from low-impact attacks such as cryptomining to more serious DDoS attacks.”

Responding to an evolving threat

The threat was not over, she explained, with the actors continually changing and reworking their tactics to evade detection.

“This is apparent from the way they name the shell script used to download the Mirai malware, along with the many variants of the Mirai malware that are downloaded onto compromised devices.”

Most of the attacks targeting Aqua’s honeypot servers carried the Mirai payload, but in a few cases the payload was an updated version of the Chaos malware, which includes ransomware and DDoS variants.

Yaakov said Nautilus’ experience with the Tomcat honeypots underscored the need to properly manage and configure runtime environments.

“We discovered that a configuration error left the server vulnerable to attack, which could lead to attacks on other hosts in the same network.”

She advised administrators and security personnel to use strong passwords and to regularly scan their systems for threats.

Source: https://www.scmagazine.com/news/unpatched-apache-tomcat-servers-spread-mirai-botnet-malware
