CyberSecurityBoard
Sponsor Register Login

Hackers Exploiting Apache Tomcat Vulnerability to Steal SSH Credentials & Gain Server Control

The attack chain begins with brute-force attempts against Tomcat management consoles using commonly weak credentials, such as username “Tomcat” and password “123456” to gain initial access to vulnerable servers. Once compromised, the servers are quickly weaponized to steal SSH credentials, establish persistence, and hijack resources for cryptocurrency mining operations, demonstrating the attackers’ efficiency in leveraging newly discovered security flaws. A new sophisticated attack campaign targeting Apache Tomcat servers has emerged, with attackers deploying encrypted and encoded payloads designed to run on both Windows and Linux systems. After successfully guessing credentials on the Apache Tomcat management console, the attackers upload Java-based web shells that enable them to execute arbitrary code on the infected servers. Aquasec security researchers noted this campaign, dubbed “Tomcat Campaign 25′,” noting that the malware shows signs of being relatively new. Security researchers have discovered that it took just 30 hours for malicious actors to exploit a newly identified vulnerability in Apache Tomcat. The malware demonstrates advanced evasion capabilities, masquerading as legitimate kernel processes with names like “[cpuhp/0]” to avoid detection while optimizing CPU consumption for more efficient cryptocurrency mining operations. Cyber Security News is a Dedicated News Platform For Cyber News, Cyber Attack News, Hacking News & Vulnerability Analysis. When visiting the malicious website users see what appears to be a standard “Page Not Found” error, while the actual malicious payload is concealed within the HTML code. Code snippets within the malware suggest possible connections to Chinese-speaking threat actors, though this could potentially be a misdirection technique employed by the attackers to obscure their true origin. The malware also deploys a cryptominer that connects to mining pools, effectively hijacking server resources as seen in Figure 1, which illustrates the complete attack flow. With years of experience under his belt in Cyber Security, he is covering Cyber Security News, technology and other news. These web shells serve as backdoor loaders and establish persistence mechanisms that allow attackers to maintain access even after system reboots. Tushar is a Cyber security content editor with a passion for creating captivating and informative content.

This Cyber News was published on cybersecuritynews.com. Publication date: Thu, 03 Apr 2025 13:15:19 +0000


Cyber News related to Hackers Exploiting Apache Tomcat Vulnerability to Steal SSH Credentials & Gain Server Control

New SSH-Snake Malware Abuses SSH Credentials - Threat actors abuse SSH credentials to gain unauthorized access to systems and networks. SSH credential abuse provides a stealthy entry point for threat actors to compromise and control the targeted systems. On January 4th, 2024, the Sysdig Threat ...
1 year ago Cybersecuritynews.com
CVE-2020-8022 - A Incorrect Default Permissions vulnerability in the packaging of tomcat on SUSE Enterprise Storage 5, SUSE Linux Enterprise Server 12-SP2-BCL, SUSE Linux Enterprise Server 12-SP2-LTSS, SUSE Linux Enterprise Server 12-SP3-BCL, SUSE Linux Enterprise ...
4 years ago
CVE-2021-36845 - Multiple Authenticated Stored Cross-Site Scripting (XSS) vulnerabilities in YITH Maintenance Mode (WordPress plugin) versions < 1.3.8, there are 46 vulnerable parameters that were missed by the vendor while patching the 1.3.7 version to 1.3.8. ...
3 years ago
Hackers Exploiting Apache Tomcat Vulnerability to Steal SSH Credentials & Gain Server Control - The attack chain begins with brute-force attempts against Tomcat management consoles using commonly weak credentials, such as username “Tomcat” and password “123456” to gain initial access to vulnerable servers. Once ...
18 hours ago Cybersecuritynews.com
Hackers Attacking Linux SSH Servers to Deploy Scanner Malware - Hackers often target Linux SSH servers due to their widespread use in hosting critical services, and the following loopholes make them vulnerable, providing opportunities to hackers for unauthorized access and potential exploitation:-. Cybersecurity ...
1 year ago Gbhackers.com
CVE-2024-52308 - The GitHub CLI version 2.6.1 and earlier are vulnerable to remote code execution through a malicious codespace SSH server when using `gh codespace ssh` or `gh codespace logs` commands. This has been patched in the cli v2.62.0. Developers connect to ...
4 months ago Tenable.com
In a first, cryptographic keys protecting SSH connections stolen in new attack - For the first time, researchers have demonstrated that a large portion of cryptographic keys used to protect data in computer-to-server SSH traffic are vulnerable to complete compromise when naturally occurring computational errors occur while the ...
1 year ago Arstechnica.com
Critical RCE flaw in Apache Tomcat actively exploited in attacks - The attacker then sends a GET request with a JSESSIONID cookie pointing to the uploaded session file, forcing Tomcat to deserialize and execute the malicious Java code, granting complete control to the attacker. Tomcat users may also mitigate the ...
2 weeks ago Bleepingcomputer.com CVE-2025-24813
Credentials are Still King: Leaked Credentials, Data Breaches and Dark Web Markets - Infostealers infect computers, steal all of the credentials saved in the browser along with active session cookies and other data, then export it back to command and control infrastructure before, in some cases, self-terminating. This article will ...
1 year ago Bleepingcomputer.com
Careless oversight of Linux SSH servers draws cryptominers, DDoS bots - Cybercriminals are targeting poorly managed Linux SSH servers to install malware for cryptomining or carrying out distributed denial-of-service attacks, researchers have found. According to a report by AhnLab released this week, bad password ...
1 year ago Therecord.media
How Hackers Interrupted GTA 5 Online Gameplay on PC - Recently, a cyber-attack on Grand Theft Auto 5 Online on PC caused an interruption to thousands of players’ gameplays. The game was completely taken offline and players couldn’t even access the main gameplay menu. The attack caused an uproar ...
2 years ago Hackread.com
CVE-2023-48795 - The SSH transport protocol with certain OpenSSH extensions, found in OpenSSH before 9.6 and other products, allows remote attackers to bypass integrity checks such that some packets are omitted (from the extension negotiation message), and a client ...
4 months ago
North Korean Hackers Use Fake Job Offers & Salary Bumps as Lure for Crypto Theft - Recent investigations have uncovered a massive operation carried out by North Korean hackers looking to steal cryptocurrency through fake job offers and salary bumps. According to recent reports, hackers have been able to trace the malicious ...
2 years ago Therecord.media
CVE-2007-0228 - The DataCollector service in EIQ Networks Network Security Analyzer allows remote attackers to cause a denial of service (service crash) via a (1) &CONNECTSERVER& (2) &ADDENTRY& (3) &FIN& (4) &START& (5) ...
7 years ago
Critical Apache Tomcat RCE Vulnerability Exploited in Just 30hrs of Public Exploit - Wallarm security researchers have confirmed active exploitation attempts, warning that traditional security tools fail to detect these attacks because the PUT requests appear normal and malicious content is obfuscated using base64 encoding. The ...
2 weeks ago Cybersecuritynews.com CVE-2025-24813
Google links WinRAR exploitation to Russian, Chinese state hackers - Google says that several state-backed hacking groups have joined ongoing attacks exploiting a high-severity vulnerability in WinRAR, a compression software used by over 500 million users, aiming to gain arbitrary code execution on targets' systems. ...
1 year ago Bleepingcomputer.com CVE-2023-38831 CVE-2023-40477 APT28
Apache OFBiz RCE flaw exploited to find vulnerable Confluence servers - A critical Apache OFBiz pre-authentication remote code execution vulnerability is being actively exploited using public proof of concept exploits. Apache OFBiz is an open-source enterprise resource planning system many businesses use for e-commerce ...
1 year ago Bleepingcomputer.com CVE-2023-49070 CVE-2023-51467
CVE-2020-1938 - When using the Apache JServ Protocol (AJP), care must be taken when trusting incoming connections to Apache Tomcat. Tomcat treats AJP connections as having higher trust than, for example, a similar HTTP connection. If such connections are available ...
2 years ago
TellYouThePass ransomware joins Apache ActiveMQ RCE attacks - Internet-exposed Apache ActiveMQ servers are also targeted in TellYouThePass ransomware attacks targeting a critical remote code execution vulnerability previously exploited as a zero-day. The flaw, tracked as CVE-2023-46604, is a maximum severity ...
1 year ago Bleepingcomputer.com CVE-2023-46604
Holiday Hackers: How to Safeguard Your Service Desk - Hackers really don't take holidays, but they will take advantage of them. Many of these cyberattacks will zero in on the service or help desk to gain entry into network systems. Recovering accounts because of forgotten passwords is one of the ...
1 year ago Bleepingcomputer.com
CVE-2023-28436 - Tailscale is software for using Wireguard and multi-factor authentication (MFA). A vulnerability identified in the implementation of Tailscale SSH starting in version 1.34.0 and prior to prior to 1.38.2 in FreeBSD allows commands to be run with a ...
2 years ago
Russian hackers exploiting Outlook bug to hijack Exchange accounts - Microsoft's Threat Intelligence team issued a warning earlier today about the Russian state-sponsored actor APT28 actively exploiting the CVE-2023-23397 Outlook flaw to hijack Microsoft Exchange accounts and steal sensitive information. The targeted ...
1 year ago Bleepingcomputer.com CVE-2023-23397 CVE-2023-38831 CVE-2021-40444 APT28
CVE-2024-56337 - Time-of-check Time-of-use (TOCTOU) Race Condition vulnerability in Apache Tomcat. This issue affects Apache Tomcat: from 11.0.0-M1 through 11.0.1, from 10.1.0-M1 through 10.1.33, from 9.0.0.M1 through 9.0.97. The mitigation for CVE-2024-50379 was ...
3 months ago Tenable.com CVE-2024-50379
New Outlaw Linux Malware Leveraging SSH Brute-Forcing & Corn Jobs to Maintain Persistence - This malware has demonstrated remarkable longevity in the threat landscape by leveraging simple yet effective tactics such as SSH brute-forcing, strategic persistence mechanisms, and cryptocurrency mining operations to maintain a growing botnet of ...
1 day ago Cybersecuritynews.com
Wordfence Intelligence Weekly WordPress Vulnerability Report (September 23, 2024 to September 29, 2024) - Software Name Software Slug 012 Ps Multi Languages 012-ps-multi-languages ABC APP CREATOR abcapp-creator Absolute Reviews absolute-reviews Accordion accordions Ads by WPQuads – Adsense Ads, Banner Ads, Popup Ads quick-adsense-reloaded Advanced File ...
6 months ago Wordfence.com Slug

Latest Cyber News


Cyber Trends (last 7 days)


Trending Cyber News (last 7 days)