Full Report
Researchers discovered an active exploitation of a misconfigured Open WebUI instance—a self-hosted interface for large language models (LLMs)—that was exposed to the internet with administrator access enabled and no authentication. A threat actor leveraged this misconfiguratio...
Analysis Summary
# Incident Report: Open WebUI Exploit Leading to Cryptojacking and System Compromise
## Executive Summary
Researchers discovered an active exploitation campaign targeting a publicly exposed, unauthenticated Open WebUI instance. A threat actor leveraged this severe misconfiguration to upload an obfuscated, AI-assisted Python script that deployed cryptominers (T-Rex, XMRig) and stealth tools across affected Linux and Windows systems. The incident resulted in resource hijacking through cryptojacking and the deployment of credential-stealing malware on Windows endpoints.
## Incident Details
- Discovery Date: Not explicitly stated (Implied prior to June 3, 2025, based on publication date)
- Incident Date: Active exploitation observed prior to June 3, 2025
- Affected Organization: Various organizations hosting vulnerable Open WebUI instances (No specific organization named)
- Sector: Technology/Cloud Services (Focus on LLM infrastructure)
- Geography: Global (Internet exposure)
## Timeline of Events
### Initial Access
- Date/Time: Prior to June 3, 2025
- Vector: Software misconfiguration and external exposure
- Details: Threat actors gained access to an Open WebUI instance exposed to the internet which had administrator access enabled without required authentication.
### Lateral Movement
- Linux: Persistence established via **systemd**.
- Windows: Secondary stage utilized a JDK installer to execute a remote JAR, leading to further payload deployment (Java-based loaders, DLLs).
### Data Exfiltration/Impact
- Impact: Resource hijacking via cryptojacking (XMRig, T-Rex deployment).
- Impact (Windows): Deployment of infostealers, credential theft, and system reconnaissance.
### Detection & Response
- Detection: Researchers identified the active exploitation.
- Response Actions: The article focuses on findings; specific organizational containment actions are not detailed, but the misconfiguration and the campaign exploiting it were publicly disclosed.
## Attack Methodology
| Phase | Method |
| :--- | :--- |
| **Initial Access** | Exploitation of unauthenticated, internet-exposed Open WebUI instance. |
| **Persistence** | **Linux:** Established via **systemd** configurations. |
| **Privilege Escalation** | Exploiting the existing administrator access level through the misconfiguration. |
| **Defense Evasion** | Use of obfuscation (**base64 and zlib compression** via "pyklump"), deployment of compiled stealth tools (**processhider, argvhider**), and **sandbox evasion** on Windows. |
| **Credential Access** | Execution of secondary payloads on Windows performing credential theft. |
| **Discovery** | System reconnaissance executed on compromised Windows systems. |
| **Lateral Movement** | Movement to other systems via uploaded payloads that targeted Linux and Windows environments. |
| **Collection** | Gathering system information and credentials. |
| **Exfiltration** | **Discord webhook** used for command and control (C2); credentials/stolen data likely sent via this or other channels. |
| **Impact** | Resource hijacking (cryptojacking) and secondary malware deployment. |
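To make the "base64 and zlib compression" named in the Defense Evasion row concrete for analysts, here is an added Python example written for this report; it is not code from the original article and not the "pyklump" script, whose exact wrapper the page does not show. It assumes each layer is the common `exec(zlib.decompress(base64.b64decode(...)))` one-liner, builds a constructed three-layer sample around a harmless inner script, peels the layers by decoding rather than executing, and then lists risky call targets in the recovered source so that static review can proceed on the real payload instead of the wrapper.

```python
"""Static unwrapping of layered base64/zlib obfuscation (added example).

Assumption: each layer is the common one-liner
    exec(zlib.decompress(base64.b64decode(b'...')))
The sample below is constructed here; it is not the "pyklump" script.
"""
import ast
import base64
import re
import zlib
from typing import List, Optional, Tuple

# Matches one wrapper layer and captures its base64 blob.
WRAPPER_RE = re.compile(
    r"exec\(\s*zlib\.decompress\(\s*base64\.b64decode\(\s*"
    r"b?['\"]([A-Za-z0-9+/=]+)['\"]\s*\)\s*\)\s*\)"
)

# Call targets worth a second look once the real source is visible.
RISKY_CALLS = {
    "exec", "eval", "os.system", "subprocess.run", "subprocess.Popen",
    "subprocess.call", "urllib.request.urlopen", "socket.socket", "ctypes.CDLL",
}


def pack_layer(source: str) -> str:
    """Wrap source in one base64(zlib(...)) layer; used only to build the sample."""
    blob = base64.b64encode(zlib.compress(source.encode())).decode()
    return f"import base64, zlib\nexec(zlib.decompress(base64.b64decode(b'{blob}')))\n"


def peel(source: str, max_layers: int = 32) -> Tuple[str, int]:
    """Unwrap layers by decoding, never by executing. Returns (inner_source, layer_count)."""
    layers = 0
    while layers < max_layers:
        match = WRAPPER_RE.search(source)
        if match is None:
            break
        try:
            source = zlib.decompress(base64.b64decode(match.group(1))).decode("utf-8", "replace")
        except (zlib.error, ValueError) as exc:
            raise ValueError(f"layer {layers + 1} did not decode: {exc}") from exc
        layers += 1
    return source, layers


def _dotted_name(node: ast.AST) -> Optional[str]:
    """Render a call target such as subprocess.run; None for computed targets."""
    parts = []
    while isinstance(node, ast.Attribute):
        parts.append(node.attr)
        node = node.value
    if isinstance(node, ast.Name):
        parts.append(node.id)
        return ".".join(reversed(parts))
    return None


def suspicious_calls(source: str) -> List[str]:
    """List 'line N: target' for every call in source whose target is in RISKY_CALLS."""
    found = []
    for node in ast.walk(ast.parse(source)):
        if isinstance(node, ast.Call):
            name = _dotted_name(node.func)
            if name in RISKY_CALLS:
                found.append(f"line {node.lineno}: {name}")
    return found


# Constructed, harmless inner script and a three-layer wrapped sample of it.
INNER = 'import subprocess\nsubprocess.run(["uname", "-a"])\nprint("hello")\n'
SAMPLE = pack_layer(pack_layer(pack_layer(INNER)))

if __name__ == "__main__":
    recovered, depth = peel(SAMPLE)
    print(f"peeled {depth} layers")
    print(recovered)
    print("risky calls:", suspicious_calls(recovered))
```

The point of `peel` is that it never runs the sample: each layer is reversed with the same library calls the wrapper names, so a script that fails to decode (a different wrapper, a corrupted blob) raises instead of silently executing. Real samples may mix in other encodings or string reversal; the `WRAPPER_RE` pattern is the place to extend for those.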
## Impact Assessment
- Financial: Inferred costs associated with cloud resource overuse due to cryptojacking.
- Data Breach: Credentials and sensitive system data compromised on Windows hosts targeted by secondary payloads.
- Operational: Disruption due to performance degradation from cryptomining activities and potential system instability.
- Reputational: Potential reputational damage for organizations hosting vulnerable, exposed LLM interfaces.
## Indicators of Compromise
- **Network Indicators (Defanged):** Remote IP address used to host the malicious JAR payload on Windows secondary stage.
- **File Indicators:** Obfuscated Python script ("pyklump"), T-Rex cryptominer, XMRig cryptominer, processhider, argvhider, malicious JAR files, and associated DLLs.
- **Behavioral Indicators:** Cryptominer process execution, systemd service modification, outbound connections to Discord webhook for C2.
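The behavioral indicators above (miner process execution, systemd service modification, outbound connections to a Discord webhook) are the kind of signals an EDR or log pipeline can match without knowing the exact file hashes. The following is an added Python example written for this report, not detection content from the original article; it runs simple rules over a handful of constructed endpoint events in a made-up `kind key=value` format. The process names, pool hostname (`pool.invalid`), unit file name and webhook URL are all constructed placeholders, not indicators from the incident.

```python
"""Behavioral detection over constructed endpoint events (added example).

Event format (invented for this example): one event per line,
    proc pid=.. ppid=.. user=.. exe=.. cmd="..."
    file pid=.. user=.. op=create|modify path=..
    net  pid=.. user=.. dst=host:port url=..
"""
import re
import shlex
from os.path import basename
from typing import Dict, List, Tuple

# Names and flags that match the tooling named in the report; all other values are constructed.
MINER_NAMES = re.compile(r"^(xmrig|t-rex|processhider|argvhider)", re.I)
MINER_ARGS = re.compile(r"(stratum\+(tcp|ssl)://|--donate-level|--algo\b|--coin\b)", re.I)
TEMP_DIRS = ("/tmp/", "/var/tmp/", "/dev/shm/")
SYSTEMD_DIRS = ("/etc/systemd/system/", "/usr/lib/systemd/system/",
                "/lib/systemd/system/", "/run/systemd/system/")
WEBHOOK_RE = re.compile(r"https?://(?:[\w-]+\.)?discord(?:app)?\.com/api/webhooks/", re.I)

# Constructed sample telemetry: four suspicious events mixed with two benign ones.
SAMPLE = """\
proc pid=4121 ppid=1 user=openwebui exe=/tmp/.x/xmrig cmd="/tmp/.x/xmrig -o stratum+tcp://pool.invalid:3333 --donate-level 1"
file pid=4110 user=root op=create path=/etc/systemd/system/cache-updater.service
proc pid=4122 ppid=4110 user=root exe=/usr/bin/systemctl cmd="systemctl enable --now cache-updater.service"
net pid=4130 user=openwebui dst=discord.com:443 url=https://discord.com/api/webhooks/000/PLACEHOLDER
proc pid=4200 ppid=1 user=www-data exe=/usr/bin/python3 cmd="python3 /app/backend/main.py"
net pid=4201 user=www-data dst=api.openai.com:443 url=https://api.openai.com/v1/models
"""


def parse_event(line: str) -> Dict[str, str]:
    """Turn 'kind key=value key="quoted value"' into a dict; the kind is stored under 'kind'."""
    tokens = shlex.split(line)
    event = {"kind": tokens[0]}
    for token in tokens[1:]:
        key, _, value = token.partition("=")
        event[key] = value
    return event


def evaluate(event: Dict[str, str]) -> List[str]:
    """Return the indicator names one event matches; an empty list means nothing fired."""
    hits = []
    kind = event["kind"]
    if kind == "proc":
        exe, cmd = event.get("exe", ""), event.get("cmd", "")
        if MINER_NAMES.search(basename(exe)):
            hits.append("known miner/stealth binary name")
        if MINER_ARGS.search(cmd):
            hits.append("miner command line")
        if exe.startswith(TEMP_DIRS):
            hits.append("execution from temp directory")
        if re.search(r"\bsystemctl\b.*\b(enable|daemon-reload)\b", cmd):
            hits.append("systemd service enabled")
    elif kind == "file":
        path = event.get("path", "")
        if event.get("op") in ("create", "modify") and path.startswith(SYSTEMD_DIRS):
            hits.append("systemd unit file written")
    elif kind == "net":
        if WEBHOOK_RE.search(event.get("url", "")):
            hits.append("Discord webhook egress (possible C2)")
    return hits


def scan(text: str) -> List[Tuple[str, List[str]]]:
    """Run every rule over each event line; return (pid, indicators) for events that fired."""
    findings = []
    for line in text.splitlines():
        if not line.strip():
            continue
        event = parse_event(line)
        hits = evaluate(event)
        if hits:
            findings.append((event.get("pid", "?"), hits))
    return findings


if __name__ == "__main__":
    for pid, hits in scan(SAMPLE):
        print(f"pid {pid}: {', '.join(hits)}")
```

Two design choices matter for tuning: the miner rule fires on the command line (pool scheme, donate flag) and not only on the binary name, because renaming `xmrig` is the first thing a script does, and the systemd rule keys on the unit directory rather than the unit name, since the sample's `cache-updater.service` is a constructed name and a real one will differ. The webhook rule is the one with the highest signal on a server that has no business talking to Discord at all.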
## Response Actions
- Containment measures (Inferred): Immediate isolation or shutdown of the exposed Open WebUI instance.
- Eradication steps (Inferred): Removal of all deployed cryptominers, stealth tools, persistence mechanisms (systemd entries), and secondary stage malware from Linux and Windows systems.
- Recovery actions: Auditing all endpoints for signs of deeper compromise and reviewing administrative access controls.
## Lessons Learned
- **Criticality of Authentication:** Any administrative interface exposed to the internet, especially for specialized tools like LLM interfaces, must enforce robust, multi-factor authentication.
- **AI-Assisted Attacks:** The use of AI to generate obfuscated payloads ("pyklump") demonstrates an evolving threat landscape where traditional static analysis may be less effective.
- **Default Configuration Danger:** Leaving default high-privilege access enabled on internet-facing services is an invitation for automated compromise.
## Recommendations
- Immediately disable internet-facing access to all administrative interfaces (Open WebUI, APIs, etc.) unless strictly necessary.
- If internet exposure is required, enforce strong, MFA-protected access controls via VPNs or secure gateways (WAF).
- Regularly audit third-party plugin systems for malicious code insertion vectors.
- Implement comprehensive endpoint detection and response (EDR) capable of detecting polymorphic or obfuscated scripts and unexpected process behavior (e.g., deployment of cryptominers).