X-Industry

Introduction

Wapack Labs SOC identified JexBoss exploit attempts against an HVAC controller, a NetScaler device, and the CEO of the company. This exploit is known to be a delivery mechanism for SamSam ransomware, and it would have been the second time this company had suffered a large-scale ransomware attack.

Summary

Wapack Labs observed multiple attempts to exploit JBoss Application Servers using the JexBoss exploit tool starting in November of 2018.  Research into these incidents shows most of these scans originate in China.  In addition to scanning for JBoss, the scans attempt to exploit Tomcat management pages, PHP Weathermap, Microsoft Windows Server 2003 and Apache Hadoop YARN ResourceManager.  Wapack Labs provides details on JexBoss, the IPs used to scan for exploits, and information on the additional frameworks targeted.

Background

JBoss is a division of Red Hat that provides support for the open source application server WildFly, known previously as JBoss AS (Application Server).  JexBoss is an exploit tool that allows attackers to generate exploits for vulnerabilities targeting servers using JBoss.[1]  JexBoss is written in Python and used to either verify or exploit Java deserialization vulnerabilities.  Serialization is the process of turning an object into a data format or byte stream that can be reversed later.

The exploits work on JBoss Application Server versions 3 through 6 and attempt to exploit the following CVEs and frameworks:

CVE              Framework
CVE-2015-5317    Jenkins CLI RCE
CVE-2016-3427    DNS gadget
CVE-2016-8735    Remote JMX
CVE-2017-5638    Apache Struts2 Jakarta Multipart parser

Delivery

The majority of IPs responsible for the exploit scans belong to Chinese ASNs; a full list is provided in Appendix A of this report.  The following chart shows the location of the IPs responsible for the exploit scanning, collected from Wapack Labs clients and affiliates.

[Chart: country of origin of the scanning IPs]

The majority of IPs are from China, and the following chart breaks down the Chinese ASNs these IPs belong to.

[Chart: Chinese ASNs of the scanning IPs]

Research into the scanning activity shows the attackers scan to identify installations of JBoss, PHP webshells and phpMyAdmin.  In addition to attempting to map out PHP environments to exploit, the scans also attempt to identify Tomcat management pages, PHP Weathermap, Microsoft Windows Server 2003 and Apache Hadoop YARN ResourceManager.  A sample of the paths scanned to identify these frameworks is shown below:

Scan exploit path                                             Vulnerability
/ws/v1/cluster/apps/new-application                           Apache Hadoop YARN ResourceManager vulnerability
/manager/html                                                 Tomcat management page
/jexws3/jexws3.jsp?ppp=echo%20D3c3mb3r                        JBoss probe
/jexws2/jexws2.jsp?ppp=echo%20D3c3mb3r                        JBoss probe
/jexws4/jexws4.jsp?ppp=echo%20D3c3mb3r                        JBoss probe
/jexinv/jexinv.jsp?ppp=echo%20D3c3mb3r                        JBoss probe
/jexinv3/jexinv3.jsp?ppp=echo%20D3c3mb3r                      JBoss probe
/jexinv4/jexinv4.jsp?ppp=echo%20D3c3mb3r                      JBoss probe
/jbossass/jbossass.jsp?ppp=echo%20Hello%20D3c3mb3r            JBoss probe
/console/jspzxc.jsp?cmd=echo%20Hello%20D3c3mb3r               JBoss probe
/demo/404.jsp?bjh=echo%20Hello%20D3c3mb3r                     JBoss probe
/jbws/jbws.jsp?eval=echo%20Hello%20D3c3mb3r                   JBoss probe
/dread/lock.jsp?tezaz=echo%20Hello%20D3c3mb3r                 JBoss probe
/HCEGH/xunfeng.jsp?comment=echo%20Hello%20D3c3mb3r            JBoss probe
/jvrx/cmd.jsp?pwd=everymorning&cmd=echo%20Hello%20D3c3mb3r    JBoss probe
/shellinvoker/shellinvoker.jsp?ppp=echo%20Hello%20D3c3mb3r    JBoss probe
/zecmd/zecmd.jsp?comment=echo%20Hello%20D3c3mb3r              JBoss probe
/index.php                                                    phpMyAdmin
/phpmyadmin/index.php                                         phpMyAdmin
/phpmyadmin/scripts/setup.php                                 phpMyAdmin
/cacti/plugins/weathermap/editor.php                          Weathermap
/plugins/weathermap/editor.php                                Weathermap
/webdav/                                                      WebDAV probe / CVE-2017-7269, Microsoft Windows Server 2003

This may indicate the attackers are using an attack framework similar to Metasploit, or running scans searching for multiple exploits. Webflow data shows that the scanning IPs attempt anywhere from 150 to 330 probes per target.

When scanning for exploits, the user-agent seen most often was “test”.

Some of the IPs identified scanning Wapack Labs clients were found scanning domains in the Wapack Labs sinkhole.  From this data, we identified the user-agents “jbosses” and “jexboss” in addition to “test”.  The sinkhole also identified PROPFIND requests made to http://localhost, which may be an additional attempt to identify CVE-2017-7269 vulnerabilities targeting the Microsoft Windows Server 2003 WebDAV service.
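As an added example (not part of the Wapack Labs report), the following Python script turns the probe paths, the PROPFIND check and the scanner user-agents described above into detection rules and runs them over constructed Apache combined-format access-log lines. The regexes, the log format and the per-source hit threshold are assumptions of this example.

```python
import re
from collections import defaultdict

# Rules from the probe table and user-agents in this report; regexes, log format and threshold are assumptions.
WEBSHELL_RE = re.compile(r"^/(jexws\d*|jexinv\d*|jbossass|jbws|shellinvoker|zecmd)/", re.I)
ECHO_MARKER_RE = re.compile(r"\.jsp\?[^ ]*=echo(%20|\+)", re.I)  # "?ppp=echo%20..." probes
FRAMEWORK_PATHS = {  # /index.php is left out on purpose: too common to alert on by itself
    "/ws/v1/cluster/apps/new-application": "Hadoop YARN ResourceManager probe",
    "/manager/html": "Tomcat manager probe",
    "/phpmyadmin/scripts/setup.php": "phpMyAdmin probe",
    "/plugins/weathermap/editor.php": "Weathermap probe",
}
SCANNER_AGENTS = {"test", "jbosses", "jexboss"}
LOG_RE = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "(\S+) (\S+) [^"]*" (\d{3}) \S+ "[^"]*" "([^"]*)"')

def classify(line):
    """Return the reasons one access-log line looks like JexBoss-style exploit scanning."""
    m = LOG_RE.match(line)
    if not m:
        return []
    _, method, target, _, agent = m.groups()
    path = target.split("?", 1)[0]
    reasons = []
    if WEBSHELL_RE.match(path):
        reasons.append("JexBoss webshell path")
    if ECHO_MARKER_RE.search(target):
        reasons.append("echo command marker in JSP query")
    if path in FRAMEWORK_PATHS:
        reasons.append(FRAMEWORK_PATHS[path])
    if method == "PROPFIND" and path.startswith("/webdav"):
        reasons.append("WebDAV PROPFIND probe (CVE-2017-7269 check)")
    if agent.lower() in SCANNER_AGENTS:
        reasons.append(f"scanner user-agent {agent!r}")
    return reasons

def scan_log(lines, min_hits=3):
    """Group flagged requests by source IP; drop sources below min_hits to cut one-off noise."""
    hits = defaultdict(list)
    for line in lines:
        if reasons := classify(line):
            hits[line.split(" ", 1)[0]].append(reasons)
    return {ip: r for ip, r in hits.items() if len(r) >= min_hits}

# Constructed sample log lines (RFC 5737 documentation addresses), not data from the report.
SAMPLE_LOG = [
    '203.0.113.10 - - [04/Dec/2018:10:01:12 +0000] "GET /jexws4/jexws4.jsp?ppp=echo%20D3c3mb3r HTTP/1.1" 404 209 "-" "test"',
    '203.0.113.10 - - [04/Dec/2018:10:01:13 +0000] "GET /manager/html HTTP/1.1" 401 1293 "-" "test"',
    '203.0.113.10 - - [04/Dec/2018:10:01:14 +0000] "PROPFIND /webdav/ HTTP/1.1" 405 0 "-" "test"',
    '203.0.113.10 - - [04/Dec/2018:10:01:15 +0000] "GET /jvrx/cmd.jsp?pwd=everymorning&cmd=echo%20Hello%20D3c3mb3r HTTP/1.1" 404 209 "-" "jexboss"',
    '198.51.100.7 - - [04/Dec/2018:10:05:00 +0000] "GET /index.php HTTP/1.1" 200 5120 "-" "Mozilla/5.0"',
]
```

Running `scan_log(SAMPLE_LOG)` reports only 203.0.113.10 (four flagged requests); the ordinary /index.php request from the browser user-agent is not flagged, which is why that path is deliberately absent from the rule set.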

Malware

Wapack Labs collections identified that a small percentage of the IPs used in these scans have served as C2s for Zeus, Ramnit and Android malware from as early as 2012 through November of 2018. The following domains hosted by the scanning IPs showed detections for phishing and malware delivery and should be blocked.


The Wapack Labs botnet tracker shows some of the IPs used in the exploit scans came into contact with the following botnet C2 controllers, which may indicate they are part of a larger botnet.


In one case the scanning IP is also a botnet controller as seen below.

  • 36.17.46/spicy/fre.php

Conclusion

With information shared between Wapack Labs, our clients and affiliates, analysts have better visibility into the nature of these exploit scans which are leveraging JexBoss.  Wapack Labs will continue to monitor exploit scans targeting users to provide information and early warnings on the vulnerabilities sought after by attackers.

Appendix A:

This is a list of IPs performing the exploit scans described in this report, identified by Wapack Labs, clients and affiliates.


TIR-18-346-001_Indicators.csv 


[1] https://github.com/joaomatosf/jexboss
