Hackers Exploit Java Debug Wire Protocol Servers to Deploy Cryptomining Payloads
gbhackers
A sophisticated cyberattack targeting unsecured Java Debug Wire Protocol (JDWP) interfaces on honeypot servers running TeamCity, a popular CI/CD application, has been discovered, according to a startling disclosure from the Wiz Research Team.
The team observed that within mere hours of exposing a vulnerable machine, attackers exploited the JDWP interface to achieve remote code execution (RCE).
Rapid Exploitation of JDWP Vulnerabilities
This alarming speed of exploitation, seen across multiple instances, underscores the high-priority status of JDWP as a target for cybercriminals.

Using tools like GreyNoise, researchers identified over 6,000 unique IP addresses scanning for JDWP endpoints in the past 90 days, highlighting the scale and urgency of this threat.
The attack flow began with a scan for open JDWP ports, quickly followed by a handshake to confirm the interface’s availability on port 5005.
Once established, the attacker leveraged JDWP’s lack of default authentication to ...
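Because JDWP has no authentication by default, the practical control is to find JVMs started with a debug agent that listens beyond loopback. The following is an added example, not code from the article or from Wiz: it audits JVM command lines collected from your own hosts, and the function names and sample lines are constructed for illustration.

```python
import re

# Matches the JDWP agent in either spelling: -agentlib:jdwp=... or -Xrunjdwp:...
JDWP_OPT = re.compile(r"-(?:agentlib:jdwp=|Xrunjdwp:)(\S+)")
LOOPBACK = {"localhost", "127.0.0.1", "::1", "[::1]"}

def classify_jdwp(cmdline):
    """Return (risk, detail) for one JVM command line; risk is None if no JDWP agent."""
    m = JDWP_OPT.search(cmdline)
    if not m:
        return None, "no JDWP agent"
    opts = dict(kv.split("=", 1) for kv in m.group(1).split(",") if "=" in kv)
    if opts.get("server", "n") != "y":
        return "low", "JVM connects out to a debugger, no listening socket"
    host, _, port = opts.get("address", "").rpartition(":")
    if not host:
        # Bare port: JDK 9+ binds loopback only, JDK 8 and earlier bind every interface.
        return "review", f"port {port or '(dynamic)'} with no host, exposure depends on JDK version"
    if host in LOOPBACK:
        return "low", f"bound to loopback on port {port}"
    return "high", f"unauthenticated debugger reachable on {host}:{port}"

# Constructed sample of JVM command lines (for example, gathered with `ps -eo args`).
SAMPLE = [
    "java -agentlib:jdwp=transport=dt_socket,server=y,suspend=n,address=*:5005 -jar ci-server.jar",
    "java -agentlib:jdwp=transport=dt_socket,server=y,suspend=n,address=127.0.0.1:5005 -jar app.jar",
    "java -Xdebug -Xrunjdwp:transport=dt_socket,server=y,suspend=n,address=5005 -jar legacy.jar",
    "java -Xmx2g -jar worker.jar",
]

def audit(cmdlines):
    """Keep only the command lines that need attention."""
    findings = []
    for line in cmdlines:
        risk, detail = classify_jdwp(line)
        if risk in ("high", "review"):
            findings.append((risk, detail, line))
    return findings

if __name__ == "__main__":
    for risk, detail, line in audit(SAMPLE):
        print(f"[{risk}] {detail}\n    {line}")
```

A "high" finding should lead to removing the agent option or rebinding it to loopback, with port 5005 blocked at the host firewall in the meantime.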
Copyright of this story solely belongs to gbhackers.