Cyber Security News

Hackers Exploit Apache Tomcat Flaw to Hijack Servers and Steal SSH Credentials

A newly discovered attack campaign is targeting Apache Tomcat servers, letting attackers hijack server resources for cryptomining and steal SSH credentials from the compromised hosts.

Researchers from Aqua Nautilus reported that the attackers had compromised servers enrolled into a botnet within 30 hours of discovery, and that the campaign uses encrypted payloads and persistence mechanisms to infiltrate both Windows and Linux hosts.

The attackers begin by brute-forcing weak credentials on the Tomcat Manager web application (the management console) with Python scripts.

Once access is gained, they upload malicious JavaServer Pages (JSP) files designed to establish backdoors and escalate privileges.

These web shells execute arbitrary Java code: an incoming request carries an AES-encrypted payload, the JSP decrypts it and loads the resulting bytecode as a new class at runtime, so the malicious logic never sits on disk in the clear.

The malware disguises itself as kernel processes to evade detection while exploiting system resources for cryptomining operations.

[Figure: Attack flow of the Tomcat campaign, 2025]
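The chain above (failed Manager logins, then a successful login, then a deploy through the Manager, then requests to a new JSP) is visible in the Tomcat access log. The triage script below is an added example, not code from the original article or from Aqua Nautilus; it assumes the default AccessLogValve pattern (`%h %l %u %t "%r" %s %b`), and the sample log lines, the source address 203.0.113.7, the `/test` context and the threshold of five failures are all constructed for illustration.

```python
"""Triage a Tomcat access log for the Manager-app brute-force -> deploy -> web shell chain."""
import re
from collections import defaultdict
from dataclasses import dataclass
from urllib.parse import urlsplit, parse_qs

# Tomcat AccessLogValve default pattern: %h %l %u %t "%r" %s %b
LOG_RE = re.compile(
    r'^(?P<host>\S+) \S+ (?P<user>\S+) \[(?P<time>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) (?P<bytes>\S+)$'
)
# Manager endpoints that write a new application into the server.
DEPLOY_PREFIXES = ("/manager/text/deploy", "/manager/html/upload", "/manager/html/deploy")


@dataclass
class Finding:
    kind: str
    host: str
    detail: str


def parse_line(line):
    """Return the fields of one access-log line, or None if it does not match the pattern."""
    m = LOG_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    rec["status"] = int(rec["status"])
    return rec


def triage(lines, threshold=5):
    """Walk log lines in order and emit a Finding for each stage of the attack chain.

    threshold: number of 401s on /manager from one source before we call it brute force.
    """
    failures = defaultdict(int)   # source host -> count of 401s on /manager
    reported_success = set()      # hosts whose post-brute-force login was already flagged
    deployed_contexts = []        # context paths created through the Manager app
    findings = []

    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        host, user, method, status = rec["host"], rec["user"], rec["method"], rec["status"]
        url = urlsplit(rec["path"])
        path = url.path

        if path.startswith("/manager"):
            if status == 401:
                failures[host] += 1
                if failures[host] == threshold:
                    findings.append(Finding("manager_bruteforce", host,
                                            f"{threshold} failed Manager logins"))
            elif 200 <= status < 400:
                if failures[host] >= threshold and host not in reported_success:
                    reported_success.add(host)
                    findings.append(Finding("bruteforce_success", host,
                                            f"Manager login as '{user}' after {failures[host]} failures"))
                if path.startswith(DEPLOY_PREFIXES):
                    ctx = parse_qs(url.query).get("path", ["(unknown)"])[0]
                    deployed_contexts.append(ctx)
                    findings.append(Finding("manager_deploy", host,
                                            f"{method} {path} deployed context {ctx} as '{user}'"))
        elif path.endswith(".jsp") and 200 <= status < 400:
            # A JSP served from a context that was just deployed via the Manager is the shell in use.
            for ctx in deployed_contexts:
                if ctx != "(unknown)" and path.startswith(ctx.rstrip("/") + "/"):
                    findings.append(Finding("webshell_access", host, f"{method} {path} in context {ctx}"))
                    break
    return findings


# Constructed sample log (not real traffic): five failed logins, a success, a deploy, then the shell.
SAMPLE_LOG = """\
203.0.113.7 - - [05/Apr/2025:10:15:01 +0000] "GET /manager/html HTTP/1.1" 401 2473
203.0.113.7 - - [05/Apr/2025:10:15:02 +0000] "GET /manager/html HTTP/1.1" 401 2473
203.0.113.7 - - [05/Apr/2025:10:15:02 +0000] "GET /manager/html HTTP/1.1" 401 2473
203.0.113.7 - - [05/Apr/2025:10:15:03 +0000] "GET /manager/html HTTP/1.1" 401 2473
203.0.113.7 - - [05/Apr/2025:10:15:03 +0000] "GET /manager/html HTTP/1.1" 401 2473
203.0.113.7 - tomcat [05/Apr/2025:10:15:04 +0000] "GET /manager/html HTTP/1.1" 200 14562
203.0.113.7 - tomcat [05/Apr/2025:10:15:09 +0000] "PUT /manager/text/deploy?path=/test HTTP/1.1" 200 46
203.0.113.7 - - [05/Apr/2025:10:15:11 +0000] "POST /test/test.jsp HTTP/1.1" 200 0
198.51.100.4 - - [05/Apr/2025:10:16:00 +0000] "GET /myapp/index.jsp HTTP/1.1" 200 5120
"""

if __name__ == "__main__":
    for f in triage(SAMPLE_LOG.splitlines()):
        print(f"{f.kind:20} {f.host:15} {f.detail}")
```

Run it against `logs/localhost_access_log.*.txt` instead of the sample by passing the file's lines to `triage`. A deploy through the Manager from an address that has just produced a run of 401s is the single highest-signal event in this chain; the JSP-access stage only fires for contexts created through the Manager, so a shell dropped by some other route (for example a direct PUT to a webapp directory) needs its own rule.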

Malware Capabilities and Spread

The attack infrastructure deploys two primary web shells: one for backdoor creation and another for privilege escalation and persistence.

The first script decodes encrypted requests and executes arbitrary code, while the second script downloads additional payloads, including executable files for Windows systems or shell scripts for Linux environments.

These scripts also extract SSH keys from compromised machines, enabling lateral movement across networks.

The malware further complicates detection with anti-debugging checks, memory-mapped loading of its payload, and by forking copies of itself under fake kernel thread names such as “[cpuhp/0]” and “[kworker/R-rcu_p]” so that it blends into a process listing.

It connects to cryptomining pools like gulf.moneroocean.stream to mine cryptocurrency in the background while maintaining persistence by copying itself across multiple directories.
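A process that renames itself “[kworker/R-rcu_p]” only looks like a kernel thread in `ps`; it still carries an executable image, a parent other than kthreadd, and no PF_KTHREAD flag in `/proc/PID/stat`. The checker below is an added example, not code from the article or from Aqua Nautilus; it assumes a Linux `/proc`, and the sample process records (including the `/tmp/.x/kthreadd` path and the flag values) are constructed for illustration.

```python
"""Find user-space processes masquerading as Linux kernel threads."""
import os
import re
from dataclasses import dataclass

PF_KTHREAD = 0x00200000            # set on every real kernel thread (include/linux/sched.h)
KTHREAD_NAME = re.compile(r"^\[[^\]]+\]$")   # how ps shows a kernel thread: "[kworker/0:1]"


@dataclass
class Proc:
    pid: int
    ppid: int
    comm: str      # /proc/PID/comm
    cmdline: str   # NUL-separated argv; '' for real kernel threads (and zombies)
    exe: str       # readlink(/proc/PID/exe); '' when it cannot be read
    flags: int     # field 9 of /proc/PID/stat
    state: str     # field 3 of /proc/PID/stat


def presents_as_kthread(p):
    """True if a process listing would show this process the way it shows a kernel thread."""
    return p.cmdline == "" or KTHREAD_NAME.match(p.cmdline.split("\0")[0]) is not None


def impostor_reasons(p):
    """Reasons this process is a user-space impostor; empty list if it is genuine (or not disguised)."""
    if p.state == "Z" or not presents_as_kthread(p):
        return []   # zombies also have an empty cmdline but are not a disguise
    reasons = []
    if not p.flags & PF_KTHREAD:
        reasons.append("PF_KTHREAD not set")
    if p.exe:
        reasons.append(f"has executable image {p.exe}")
    if p.ppid != 2 and p.pid != 2:
        reasons.append(f"parent is pid {p.ppid}, not kthreadd")
    return reasons


def find_impostors(procs):
    """Return [(proc, reasons)] for every disguised user-space process in the list."""
    return [(p, impostor_reasons(p)) for p in procs if impostor_reasons(p)]


def read_proc(pid):
    """Build a Proc from /proc (Linux only; reading another user's exe link needs privilege)."""
    base = f"/proc/{pid}"
    with open(f"{base}/stat") as f:
        stat = f.read()
    head, _, rest = stat.rpartition(")")          # comm may contain spaces: split on last ')'
    comm = head.split("(", 1)[1]
    fields = rest.split()                         # [state, ppid, pgrp, session, tty, tpgid, flags, ...]
    state, ppid, flags = fields[0], int(fields[1]), int(fields[6])
    with open(f"{base}/cmdline", "rb") as f:
        cmdline = f.read().decode(errors="replace")
    try:
        exe = os.readlink(f"{base}/exe")
    except OSError:
        exe = ""
    return Proc(pid, ppid, comm, cmdline, exe, flags, state)


def scan_all():
    """Scan the live /proc tree; processes that vanish mid-scan are skipped."""
    procs = []
    for name in os.listdir("/proc"):
        if name.isdigit():
            try:
                procs.append(read_proc(int(name)))
            except (OSError, ValueError, IndexError):
                continue
    return find_impostors(procs)


# Constructed sample records (not taken from a real host).
SAMPLE = [
    Proc(15, 2, "cpuhp/0", "", "", 0x00208040, "S"),                       # genuine kernel thread
    Proc(4242, 1, "kworker/R-rcu_p", "[kworker/R-rcu_p]\0",
         "/tmp/.x/kthreadd", 0x00400100, "S"),                             # disguised miner
    Proc(812, 1, "sshd", "/usr/sbin/sshd\0-D\0", "/usr/sbin/sshd", 0x00400140, "S"),
    Proc(901, 812, "sshd", "", "", 0x00000004, "Z"),                        # zombie, not a disguise
]

if __name__ == "__main__":
    for p, reasons in find_impostors(SAMPLE):
        print(f"pid {p.pid} ({p.comm}): " + "; ".join(reasons))
```

The PF_KTHREAD flag is the decisive signal: a user-space process cannot set it, whereas the bracketed name, the empty argv and even the missing exe link can all be faked or lost (a process whose binary was deleted after launch still reports its exe as “… (deleted)”, which this check correctly counts against it). Run `scan_all()` as root for a live host.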

Indicators of Compromise (IOCs)

Researchers at Aqua Nautilus identified several indicators of compromise associated with this campaign:

  • IP Addresses: Attackers used IPs such as 209.141.37.95 and 138.201.247.154 for payload delivery.
  • Domains: The domain “dbliker.top” hosted malicious scripts disguised behind fake 404 error pages.
  • Files: Malicious JSP files (e.g., test.jsp, tomcat.jsp) and packed ELF binaries were used to execute the attack.

[Figure: The website returns a fake 404 “page missing” error while the payload is hidden inside the HTML]

To defend against such attacks, organizations must prioritize patching critical vulnerabilities such as CVE-2025-24813 in internet-facing applications like Tomcat. Note that the intrusion described here began with brute-forced Manager credentials rather than a software flaw, so strong, unique credentials on the management interface (or not exposing the Manager app at all) matter as much as the patch.

Additional measures include:

  • Disabling unused services and management interfaces to reduce exposure.
  • Implementing strict privilege management using Role-Based Access Control (RBAC).
  • Isolating critical servers through network segmentation and firewalls to block outbound connections to cryptomining pools.
  • Deploying runtime protection tools capable of detecting malware behavior and cryptominers in real time.

This campaign highlights the urgency of securing workloads reliant on Apache Tomcat servers against emerging threats.

With hackers exploiting vulnerabilities at unprecedented speeds, organizations must adopt proactive measures, including patch management, privilege restrictions, and runtime security solutions, to safeguard their systems from sophisticated attacks targeting cloud-native environments.


Aman Mishra

Aman Mishra is a security and privacy reporter covering data breaches, cyber crime, malware, and vulnerabilities.
