Security teams are being urged to harden Apache Tomcat instances after researchers discovered the popular Java application server was being exploited to spread Mirai botnet malware.
Apache Tomcat is an open-source Java application server which, according to a recent survey, was the main application server used by just under half of the Java teams questioned.
“These attacks exploited a misconfiguration of weak user and password [credentials] in order to drop a web shell that allowed remote code execution,” Nautilus security data analyst Nitzan Yaakov said in a July 26 blog post.
The researchers found 12 distinct web shells were used in the attacks. The most common attack type, which occurred 152 times, dropped a shell script called “neww”.
Yaakov did not discuss attribution of the attacks in her post but said the “neww” script originated from 24 unique IP addresses, with two-thirds of the attacks coming from a single address: 104.248.157[.]218.
Initial access via brute force attacks
The Nautilus researchers’ analysis established the threat actors were specifically targeting misconfigurations in the Tomcat web application manager app which allows users to manage deployed web applications.
“The list of authorized users who can access Tomcat resource is specified in the configuration file ‘tomcat_users.xml’. Threat actors are conducting brute force attacks on the manager app to guess the password,” Yaakov said.
The researchers observed an attack on one of their Tomcat honeypots set with the server’s default username and password credentials. The threat actors guessed the correct password on their third login attempt, giving them complete control over the server.
Tomcat’s web application manager allows users to deploy a directory or a WAR format archive file that packages and deploys web applications on the Java platform.
The WAR file contains all the files necessary to run a web application – including HTML, CSS and servlets – making it an efficient way to manage web application deployment.
Malware deployed using remote code execution
Yaakov said the threat actor used that functionality to deploy a WAR file containing a malicious web shell class named 'cmd.jsp'.
“Using a legitimate action via the manager app (i.e., upload a WAR file) as an attack vector allows the threat actor to masquerade the attack, making it difficult to detect,” she said.
“[T]he web shell was designed to listen to requests and execute commands on the server. Thereby, enabling the threat actor to remotely execute code on the Apache Tomcat server.”
The first command was to download the “neww” shell script which executed the malware, a variant of the well-known Mirai botnet series.
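The two weaknesses described above, guessable manager credentials in tomcat-users.xml and a WAR upload through the manager app that drops a JSP web shell, are both visible to a defender before and after the fact. The following script is an added example written for this article; it is not code from Aqua Nautilus or the Apache Tomcat project. It assumes the stock Tomcat access-log pattern (%h %l %u %t "%r" %s %b), the manager app's standard upload and deploy paths, and a constructed weak-password list and failure threshold that an operator would tune; the log lines and the tomcat-users.xml fragment are constructed samples.

```python
"""Defender-side checks for Tomcat manager abuse: audit tomcat-users.xml for
weak manager credentials, and flag brute-force-then-deploy sequences in the
access log. Added example, not code from Aqua Nautilus or Apache Tomcat."""
import re
import xml.etree.ElementTree as ET
from collections import defaultdict

# Assumed default access-log pattern: %h %l %u %t "%r" %s %b
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ (?P<user>\S+) \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) \S+$'
)

MANAGER_PREFIX = "/manager/"
FAIL_THRESHOLD = 2  # assumed tuning value; raise it in noisy environments

# Constructed sample log: two failed manager logins, a success, a WAR upload
# via the HTML manager, then a request to a JSP inside the new context.
SAMPLE_LOG = """\
203.0.113.5 - - [26/Jul/2023:10:00:01 +0000] "GET /manager/html HTTP/1.1" 401 2473
203.0.113.5 - - [26/Jul/2023:10:00:02 +0000] "GET /manager/html HTTP/1.1" 401 2473
203.0.113.5 - tomcat [26/Jul/2023:10:00:03 +0000] "GET /manager/html HTTP/1.1" 200 13042
203.0.113.5 - tomcat [26/Jul/2023:10:00:05 +0000] "POST /manager/html/upload?org.apache.catalina.filters.CSRF_NONCE=ABC HTTP/1.1" 200 13400
203.0.113.5 - - [26/Jul/2023:10:00:07 +0000] "GET /app/cmd.jsp HTTP/1.1" 200 83
198.51.100.9 - admin [26/Jul/2023:10:05:00 +0000] "GET /manager/html HTTP/1.1" 200 13042
"""


def parse_line(line):
    """Return the log fields as a dict, or None if the line does not match."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None


def is_deploy(rec):
    """True for a WAR upload (HTML manager) or a text-interface deploy."""
    path = rec["path"]
    return (rec["method"] == "POST" and path.startswith("/manager/html/upload")) or (
        rec["method"] == "PUT" and path.startswith("/manager/text/deploy")
    )


def detect_manager_abuse(lines, threshold=FAIL_THRESHOLD):
    """Flag IPs that hit the failure threshold on the manager app, and any
    successful deploy, marking deploys that follow a brute-force burst."""
    failures = defaultdict(int)
    findings = []
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        ip = rec["ip"]
        if rec["path"].startswith(MANAGER_PREFIX) and rec["status"] == "401":
            failures[ip] += 1
            if failures[ip] == threshold:
                findings.append({"ip": ip, "kind": "manager_bruteforce", "at": rec["ts"]})
        elif is_deploy(rec) and rec["status"] == "200":
            kind = "deploy_after_bruteforce" if failures[ip] >= threshold else "deploy"
            findings.append({"ip": ip, "kind": kind, "at": rec["ts"], "user": rec["user"]})
    return findings


# Constructed sample in the layout of Tomcat's tomcat-users.xml.
SAMPLE_USERS_XML = """<?xml version="1.0" encoding="UTF-8"?>
<tomcat-users xmlns="http://tomcat.apache.org/xml" version="1.0">
  <role rolename="manager-gui"/>
  <role rolename="manager-script"/>
  <user username="tomcat" password="tomcat" roles="manager-gui"/>
  <user username="deploy" password="Xq7!vP2#mL9sT4wz" roles="manager-script"/>
</tomcat-users>
"""

# Constructed, illustrative list; extend it from your own password policy.
WEAK_PASSWORDS = {"tomcat", "admin", "password", "s3cret", "manager", "123456"}
MANAGER_ROLES = {"manager-gui", "manager-script", "manager-jmx", "manager-status",
                 "admin-gui", "admin-script"}


def audit_tomcat_users(xml_text, min_len=12):
    """Return (username, issue) pairs for users holding manager/admin roles
    whose password is a known default, equals the username, or is short."""
    issues = []
    for el in ET.fromstring(xml_text).iter():
        if el.tag.rsplit("}", 1)[-1] != "user":  # strip the XML namespace
            continue
        name, pw = el.get("username", ""), el.get("password", "")
        roles = {r.strip() for r in el.get("roles", "").split(",") if r.strip()}
        if not roles & MANAGER_ROLES:
            continue
        if pw.lower() in WEAK_PASSWORDS or pw == name:
            issues.append((name, "default_or_guessable_password"))
        elif len(pw) < min_len:
            issues.append((name, "short_password"))
    return issues


if __name__ == "__main__":
    for f in detect_manager_abuse(SAMPLE_LOG.splitlines()):
        print(f)
    for u in audit_tomcat_users(SAMPLE_USERS_XML):
        print(u)
```

On the sample log the detector reports the brute-force burst from 203.0.113.5 and then the upload as a deploy that followed it; the audit flags the "tomcat"/"tomcat" account. Running the audit against the real tomcat-users.xml and feeding the detector from the access log (or the equivalent SIEM query) covers both the entry point and the persistence step the article describes; the deploy finding is worth alerting on even without a preceding burst, since a WAR upload from an address or account that does not normally deploy is exactly the "legitimate action as attack vector" Yaakov describes.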
“In our case, the host was infected with this malware, and based on our analysis of previous attacks and research, it appears that the threat actor intends to use this malware as a base for further attacks,” Yaakov said. “These attacks could range from relatively low-impact campaigns like cryptomining to more severe DDoS attacks.”
Dealing with evolving threats
The campaign was continuing, she said, with the threat actors continuously modifying and evolving their attacks to avoid detection.
“This is evident in the naming convention of the shell script responsible for downloading the Mirai malware, as well as the varied and different variants of the Mirai malware downloaded onto compromised machines.”
While almost all of the 803 attacks on Aqua’s honeypot servers dropped the Mirai payload, in a handful of cases the payload was a new version of Chaos malware including ransomware and DDoS variants.
Yaakov said Nautilus’ experiences with the Tomcat honeypots reinforced the importance of properly configuring and monitoring runtime environments.
“We observed how a misconfiguration exposed the server to attacks, potentially resulting in the infection of additional hosts within the same network.”
She urged administrators and security teams to use strong passwords and regularly scan their environments for threats.