Exposed JDWP Exploited in the Wild: What Happens When Debug Ports Are Left Open

Published 08/08/2025 17:08 · Modified 10/08/2025 21:51

Essential information

Published
08/08/2025 17:08
Modified
10/08/2025 21:51
Tags
2025-08-08, cryptomining, debugging, java, jdwp, persistence, remote code execution, teamcity, xmrig
Related entities
17 observables, 2 techniques (mitre)

Description

Routine monitoring by researchers uncovered an exploitation attempt on a honeypot server running TeamCity, a CI/CD tool. The attack exploited an exposed Java Debug Wire Protocol (JDWP) interface, leading to remote code execution, deployment of an XMRig payload, and establishment of multiple persistence mechanisms. The attack was notable for its rapid exploitation, use of a customized payload, and stealthy crypto-mining techniques. JDWP, designed for debugging Java applications, becomes a high-risk entry point when exposed to the Internet without proper authentication. The attackers used a structured sequence to achieve remote code execution, likely using a variant of jdwp-shellifier. They deployed a dropper script that installed an XMRig miner and set up various persistence mechanisms, including boot scripts, systemd services, cron jobs, and shell configuration files.
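The practical check a defender takes from this report is whether any of their own hosts answer the JDWP handshake from an untrusted network. The following exposure check is an added example, not code from the report or the researchers: it sends the 14-byte JDWP handshake and reports whether the service echoes it back, which is how a JDWP listener identifies itself; the `fake_jdwp_listener` is a constructed stand-in for a JVM debug port so the check runs offline.

```python
import socket
import threading
from contextlib import contextmanager

# The 14-byte JDWP handshake; a real JDWP listener echoes it back verbatim.
JDWP_HANDSHAKE = b"JDWP-Handshake"


def is_jdwp_handshake(reply: bytes) -> bool:
    """True if the bytes a service sent back start with the JDWP handshake."""
    return reply.startswith(JDWP_HANDSHAKE)


def check_jdwp_exposed(host: str, port: int, timeout: float = 3.0) -> bool:
    """Return True if host:port answers the JDWP handshake, i.e. an
    unauthenticated debug listener is reachable from this vantage point.
    Connection failures (closed port, filtered, timeout) count as not exposed."""
    try:
        with socket.create_connection((host, port), timeout=timeout) as sock:
            sock.sendall(JDWP_HANDSHAKE)
            reply = sock.recv(len(JDWP_HANDSHAKE))
    except OSError:
        return False
    return is_jdwp_handshake(reply)


@contextmanager
def fake_jdwp_listener():
    """Constructed stand-in for a JVM debug port: it only echoes the handshake
    so the check above can be exercised without a real TeamCity host."""
    srv = socket.socket()
    srv.bind(("127.0.0.1", 0))  # ephemeral port on loopback only
    srv.listen(1)
    srv.settimeout(5)

    def serve():
        try:
            conn, _ = srv.accept()
            with conn:
                conn.settimeout(5)
                if conn.recv(len(JDWP_HANDSHAKE)) == JDWP_HANDSHAKE:
                    conn.sendall(JDWP_HANDSHAKE)
        except OSError:
            pass

    worker = threading.Thread(target=serve, daemon=True)
    worker.start()
    try:
        yield srv.getsockname()[1]
    finally:
        srv.close()
        worker.join(timeout=5)


if __name__ == "__main__":
    with fake_jdwp_listener() as port:
        print("exposed" if check_jdwp_exposed("127.0.0.1", port) else "not exposed")
```

Run it against your own CI hosts from outside their trusted network; any "exposed" result means the debug port must be firewalled or the JDWP agent removed from the JVM's start-up options.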

External references