Threat actors are weaponizing exposed Java Debug Wire Protocol (JDWP) interfaces to obtain code execution capabilities and deploy cryptocurrency miners on compromised hosts. "The attacker used a modified version of XMRig with a hard-"coded configuration, allowing them to avoid suspicious command-line arguments that are often flagged by defenders," Wiz researchers Yaara Shriki and Gili Tikochinski said in a report published this week. "The payload used mining pool proxies to hide their cryptocurrency wallet address, thereby preventing investigators from pivoting on it." The cloud security firm, which is being acquired by Google Cloud, said it observed the activity against its honeypot servers running TeamCity, a popular continuous integration and continuous delivery (CI/CD) tool. JDWP is a communication protocol used in Java for debugging purposes. With JDWP, users can leverage a debugger to work in a different process, a Java application, on the same computer, or on a remote computer. But given that JDWP lacks authentication or access control mechanisms, exposing the service to the internet can open up a new attack vector that attackers can abuse as an entry point, enabling full control over the running Java process. Simply put, the misconfiguration can be utilized to inject and execute arbitrary commands in order to set up persistence on and ultimately run malicious payloads.