Hackers Target Apache Tomcat Servers with Mirai Botnet Malware and Cryptocurrency Miners

Aqua has identified a new campaign that targets Apache Tomcat servers that have weak security measures. The objective of this campaign is to distribute the Mirai botnet malware and cryptocurrency miners [4].


Aqua’s Tomcat server honeypots have recorded over 800 attacks, 96% of which were associated with the Mirai botnet. The threat actors behind these attacks used brute-force techniques to gain unauthorized access to the Tomcat web application manager. Once inside, they deployed a malicious web shell class named “cmd.jsp” to execute arbitrary commands on the compromised server [1] [2] [3] [4]. The attackers also downloaded and executed a shell script called “neww”, which contained links to download 12 binary files tailored to the targeted system’s architecture [2]. The final-stage malware used in this campaign is a variant of the Mirai botnet, which uses the compromised hosts to launch distributed denial-of-service (DDoS) attacks [2].


To protect against this campaign, organizations should prioritize securing their environments and practicing good credential hygiene [4]. Server administrators must remain vigilant [2], ensuring proper configuration and security measures to defend against such attacks. The impact of these attacks can be significant, as they can lead to unauthorized access, data breaches, and the utilization of compromised servers for malicious activities. It is crucial for organizations to take proactive steps to mitigate these risks and stay ahead of evolving threats.
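
As an added example (not code from Aqua or any of the cited reports), the sketch below scans a Tomcat access log for the sequence described above: repeated failed logins to the web application manager, a successful login from the same address, and requests for a file named cmd.jsp. The log lines are constructed, and the log pattern, the threshold of 5, the `/app1` context path and the finding labels are assumptions.

```python
import re
from collections import defaultdict

# Constructed sample in Tomcat's "common" access-log pattern: %h %l %u %t "%r" %s %b
# IPs are documentation ranges; the context path /app1 and user names are hypothetical.
_FAIL = '203.0.113.7 - - [01/Jul/2023:10:00:00 +0000] "GET /manager/html HTTP/1.1" 401 2473\n'
SAMPLE_LOG = _FAIL * 6 + (
    '203.0.113.7 - tomcat [01/Jul/2023:10:00:07 +0000] "GET /manager/html HTTP/1.1" 200 15000\n'
    '203.0.113.7 - - [01/Jul/2023:10:00:30 +0000] "GET /app1/cmd.jsp HTTP/1.1" 200 120\n'
    '198.51.100.20 - - [01/Jul/2023:11:00:00 +0000] "GET /manager/html HTTP/1.1" 401 2473\n'
    '198.51.100.20 - admin [01/Jul/2023:11:00:05 +0000] "GET /manager/html HTTP/1.1" 200 15000\n'
)

# Captures client address, request target and status code.
LINE_RE = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "\S+ (\S+)[^"]*" (\d{3}) \S+$')


def analyze(log_text, threshold=5):
    """Return {client_ip: sorted list of findings} for one access log.

    threshold is an assumed tuning value: with Basic authentication the first
    request to the manager normally draws one 401 (the auth challenge), so a
    single failure followed by a 200 is ordinary administrator behaviour.
    """
    failures = defaultdict(int)
    findings = defaultdict(set)
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # skip lines that are not in the expected pattern
        ip, target, status = m.group(1), m.group(2), int(m.group(3))
        path = target.split("?", 1)[0]  # ignore any query string
        if path.startswith("/manager/"):
            if status == 401:
                failures[ip] += 1
                if failures[ip] >= threshold:
                    findings[ip].add("manager-bruteforce")
            elif status == 200 and failures[ip] >= threshold:
                findings[ip].add("manager-login-after-bruteforce")
        if path.endswith("/cmd.jsp"):
            # File name reported for the web shell in this campaign.
            findings[ip].add("webshell-request")
    return {ip: sorted(f) for ip, f in findings.items()}


if __name__ == "__main__":
    for ip, hits in analyze(SAMPLE_LOG).items():
        print(ip, hits)
```

A source that shows all three findings warrants checking the manager's deployed applications and the account whose password was guessed.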


[1] https://thehackernews.com/2023/07/hackers-target-apache-tomcat-servers.html
[2] https://www.cyclonis.com/apache-tomcat-servers-targeted-by-mirai-botnet-actors/
[3] https://vulners.com/thn/THN:82198D92A2721A19DD60317833463157
[4] https://infinityfact.net/hackers-goal-apache-tomcat-servers-for-mirai-botnet-and-crypto-mining/