A new Distributed Denial of Service (DDoS) campaign, named “Panamorfi,” operated by the threat actor yawixooo exploits misconfigured Jupyter notebooks exposed online.
The attackers deploy a publicly available Minecraft server DDoS tool to a Discord channel to perform the attack operation, with the aim of overwhelming target servers. Data practitioners such as data engineers, data analysts, and data scientists who rely on Jupyter notebook are thought to be the primary victims of such campaigns and should take special precaution.
The Anatomy of Panamorfi Attack
Researchers from Aqua Nautilus reported that the attack operation using an exposed honeypot Jupyter notebook targeted by yawixooo. They observed that the attack begins with the threat actor gaining initial access to internet-facing notebooks, then executing a command to download a zip file from a file-sharing platform:
wget https://filebin.net/archive/h4fhifnlykw224h9/zip
The zip file, with a random name and an MD5 hash of 42989a405c8d7c9cb68c323ae9a9a318, is approximately 17 MB in size and contains two Jar files. These files, conn.jar and mineping.jar, were both new to Virus Total and had only one detection for each file from a security company.
The ‘conn.jar’ file, which contains the initial execution code, utilizes Discord to control the DDoS attack. The victim’s machine connects to the specified Discord channel, loading the ‘mineping.jar’ file – a known Minecraft server DDoS tool available on GitHub that contains contains 12 java file to facilitate loading of http sockets, use of proxies, option to flood a victim, and the creation of connection-related details.
This tool is then employed to launch a TCP flood DDoS attack, aiming to consume the resources of the target server. The attackers have configured the tool to write the results to the Discord channel.
The threat actor yawixooo, has an active presence on GitHub, where they maintain a Minecraft server configuration and a website that is currently under construction.
Mitigation Against The Attack
The researchers were able to successfully halt the progression of the attack with a runtime policy blocks the file conn.jar from running. This de-facto kills the entire attack.
To defend against such campaigns:
- Restrict access to Jupyter notebooks through secure practices.
- Block the runtime of files associated with the campaign such as conn.jar and mineping.jar.
- Limit code execution
- Regularly update with the latest security patches available.
Security researchers have generally advised against the sharing of sensitive information or credentials on Jupyter notebooks which can be ripe targets for threat actor campaigns.