Apache Tomcat, a widely used open-source server, provides support for Jakarta Servlet, Expression Language, and WebSocket technologies in a Java-based HTTP web server environment. It’s particularly popular among developers, with about 50% adoption rate, and plays a significant role in cloud services, big data, and web development.
However, a new threat has been identified by Aqua’s cybersecurity researchers: attackers are exploiting misconfigured Apache Tomcat servers to distribute Mirai botnet malware and cryptocurrency miners. Over two years, Aqua’s honeypots detected over 800 attacks on Tomcat servers, with 96% linked to the Mirai botnet.
The typical attack involves using the “neww” web shell script, originating from 24 different IP addresses. A brute force attack is launched against Tomcat servers to gain access to the web application manager using various credential combinations. Once inside, attackers deploy a WAR file containing ‘cmd.jsp’ web shell, allowing them to execute commands remotely and compromise the server.
The attack chain includes downloading and executing the “neww” script, which is later removed using the “rm -rf” command. This script downloads 12 binary files tailored to the system’s architecture. The WAR file, crucial for web applications, contains HTML, CSS, Servlets, and Classes, facilitating the deployment of the web app on compromised servers.
The final stage of the malware is a Mirai botnet variant, which uses infected hosts for DDoS attacks. The attackers infiltrate the web app manager with valid credentials, upload a disguised web shell in the WAR file, and execute commands remotely to initiate the attack.
With cryptocurrency mining’s growth (a 399% increase in attacks in the first half of 2023), the findings highlight the growing threat. To mitigate these attacks, cybersecurity analysts recommend proper configuration of environments, regular scans for threats, empowering teams with cloud-native vulnerability scanning tools, and using runtime detection and response solutions.