Cybercriminals Hijack Servers in Brazen Cryptocurrency Mining Heist—Security on Notice
Hackers are turning corporate infrastructure into their personal crypto mint—and no server is safe. Here’s how they’re doing it.
The attack vector: Silent, scalable, and brutally efficient
Exploiting unpatched vulnerabilities, attackers deploy crypto-mining malware that drains computational resources—slowing networks to a crawl while lining their digital wallets. Unlike ransomware, these operations often go undetected for months.
Why it’s spreading: Low risk, high reward
With Bitcoin hovering near all-time highs, the incentive to steal processing power outweighs the fear of getting caught. Security teams are playing whack-a-mole against botnets that automatically bypass firewalls.
The finance jab: Wall Street still thinks crypto is ‘niche’ while hackers literally bank on it. Maybe time to update the PowerPoint decks, folks?
This isn’t just theft—it’s a parasitic redesign of enterprise IT economics. And until companies start treating server security like a revenue line item, the crypto jackers will keep winning.
Hackers weaponize exposed JDWP to carry out mining activities
The researchers observed the activity against their honeypot servers running TeamCity, a popular continuous integration and continuous delivery (CI/CD) tool. JDWP is a communication protocol used in Java for debugging. With the protocol, the debugger can be used to work on different processes, a Java application on the same computer, or a remote computer.
However, due to the fact that JDWP lacks an access control mechanism, exposing it to the internet can open up new attack vectors that hackers can abuse as an entry point to enable full control over the running Java process. To simplify it, the misconfiguration can be used to inject and execute arbitrary commands in order to set up persistence on and ultimately run malicious payloads.
“While JDWP is not enabled by default in most Java applications, it is commonly used in development and debugging environments,” the researchers said. “Many popular applications automatically start a JDWP server when run in debug mode, often without making the risks obvious to the developer. If improperly secured or left exposed, this can open the door to remote code execution (RCE) vulnerabilities.”
Some of the applications that may launch a JDWP server when in debug mode include TeamCity, Apache Tomcat, Spring Boot, Elasticsearch, Jenkins, and others. Data from GreyNoise showed that over 2,600 IP addresses have been scanned for JDWP endpoints in the last 24 hours, out of which 1,500 IP addresses are malicious and 1,100 are classified as suspicious. The report mentioned that most of these IP addresses originated from Hong Kong, Germany, the United States, Singapore, and China.
The researchers detail how the attacks are being carried out
In the attacks observed by the researchers, the hackers take advantage of the fact that the Java VIRTUAL Machine (JVM) listens for debugger connections on port 5005 to initiate scanning for open JDWP ports across the internet. After that, a JDWP-Handshake request is sent to confirm if the interface is active. Once it confirms that the service is exposed and interactive, the hackers move to execute a command to fetch, carrying out a dropper shell script that is expected to carry out a series of actions.
These series of actions include killing all competing miners or any high-CPU processes on the system, dropping a modified version of XMRig miner for the appropriate system architecture from an external server (“awarmcorner[.]world”) into “~/.config/logrotate”), establishing persistence by setting cron jobs to ensure that payload is re-fetched and re-executed after every shell login, reboot, or scheduled time interval, and delete itself on exit.
“Being open-source, XMRig offers attackers the convenience of easy customization, which in this case involved stripping out all command-line parsing logic and hardcoding the configuration,” the researchers said. “This tweak not only simplifies deployment but also allows the payload to mimic the original logrotate process more convincingly.”
This disclosure comes as NSFOCUS noted that a new and evolving Go-based malware named Hpingbot that has been targeting both Windows and Linux systems can launch a distributed denial-of-service (DDoS) attack using hping3.
KEY Difference Wire: the secret tool crypto projects use to get guaranteed media coverage
