"Hackers Target Apache Tomcat Servers for Mirai Botnet and Crypto Mining"

As part of a new campaign designed to deliver the Mirai botnet malware and cryptocurrency miners, misconfigured and inadequately secured Apache Tomcat servers are being targeted. Over 800 attacks were detected against Aqua's Tomcat server honeypots over a two-year period, with 96 percent of the attacks linked to the Mirai botnet. Twenty percent (or 152) of these attack attempts involved the use of a web shell script named "neww" that originated from 24 different IP addresses, with 68 percent of them coming from a single IP address (104.248.157[.]218). Nitzan Yaakov, a security researcher at Aqua, explained that the threat actor scanned for Tomcat servers and launched a brute force attack against them, attempting to obtain access to the Tomcat web application manager by entering different credential combinations. After establishing a foothold, threat actors have been observed deploying a WAR file containing a malicious web shell class designed to listen for remote requests and execute arbitrary commands on the Tomcat server. This article continues to discuss hackers targeting Apache Tomcat servers in a new campaign aimed at delivering the Mirai botnet malware and cryptocurrency miners.

THN reports "Hackers Target Apache Tomcat Servers for Mirai Botnet and Crypto Mining"