Security Intelligence

JexBoss Exploit Scan

Summary

Wapack Labs observed multiple attempts to exploit JBoss Application Servers using the JexBoss Exploit Tool staring in November of 2018.  Research into these incidents shows most of these scans originate in China.  In addition to scanning for JBoss, the scans attempt to exploit Tomcat management pages, PHP Weathermap, Microsoft Windows Server 2003 and Apache Hadoop YARN Resource Manager.  Wapack Labs provides details on Jexboss, the IP’s used to scan for…

Read more…

Virtual Chief Trust Officer (vCTO) Program

In a recent blog by Nitzan Daube, CTO of NanoLock¸ he provides an explanation regarding the importance of security focus on both IT hardware, physical security and cyber security consequences.  Wapack Labs agrees whole heartedly, and is providing solutions.

Wapack Labs participated in a recent lecture at the October 2018 ASIS Conference, held in Las Vegas NV.  Our joint lecture specifically addressed hardware compromise, adherence to physical security and the psychology of…

Read more…

Blockchain for the Supply Chain

The Air Force Institute of Technology[1] (AFIT) has releases free “Blockchain for Supply Chain” tools for supply chain professionals to learn about and use the power of block chain technology.  AFIT recently published a live blockchain application that can be accessed from any computer or smart phone, along with a complementary series of tutorial videos that presents blockchain simulation.  These videos can be used as a stand-alone…

Read more…

Cyber security professionals often get focused on dangers which appear inside their networks or within company messages, sometimes overlooking physical threats.  Laptops and devices routinely leave the confines of network cyber security parameters.  In this circumstance, a hacker can easily get physically next to a vulnerable laptop, which may permit firewall rules and DNS Security inoperable to a bad guy hacking into “your” laptop.…

Read more…

This report is an update to previous Wapack Labs postings regarding the SamSam malware.  US federal authorities are providing current information about the vulnerabilities and exploits used to deploy SamSam ransomware, also known as MSIL/Samas.A.  This malware was being deployed by cyber criminals Mohammad Mehdi Shah Mansouri and Faramarz Shahi Savandi.  On 26 November 2018, the District of New Jersey indicted Mansouri and Savandi for developing and deploying SamSam ransomware.  SamSam infects whole networks and encrypts victim data, allowing Mansouri and Savandi to demand considerable ransoms in Bitcoin in return for decryption keys.

Threat

The SamSam actors targeted a wide variety of sectors, including critical infrastructure, predominately in the US, but also in Europe and other parts of the world.  In providing essential functions, such organizations have a critical need to resume operations quickly and are more likely to pay large ransoms.  Network-wide infections against organizations are far more likely to garner large ransom payments than campaigns targeted at individuals.[1]

Technical Analysis

The actors exploit Windows servers to gain persistent access to a victim network and infect all reachable hosts.  In early 2016, victims reported the JexBoss Exploit Kit was used to access vulnerable JBOSS applications.  Since mid-2016, analysis of victim machines indicates the perpetrators use the Remote Desktop Protocol (RDP) to gain persistent victim network access via brute force attacks or using stolen/purchased login credentials.  Using RDP for intrusion presents a challenge because the malware enters through an approved access point, thereby decreasing the likelihood of detection.  After gaining network access, the SamSam actors escalate privileges for administrator rights, drop malware onto the server, and run an executable file, all without victim action or authorization.  While many ransomware campaigns rely on a victim completing an action, such as opening an email or visiting a compromised website, RDP allows cyber actors to infect victims with minimal detection, which makes SamSam more dangerous.  Analysis of tools found on victim networks indicated the actors purchased several of the stolen RDP credentials from known Darknet marketplaces.  Analysis of victim access logs revealed the SamSam actors can infect a network within hours of purchasing the credentials.  During remediation, several victims found suspicious activity on their networks unrelated to SamSam, a possible indicator the victim’s credentials were stolen, sold on the Darknet, and used for other illegal activity.  SamSam actors leave ransom notes on encrypted computers, which instruct victims to establish contact through a TOR hidden service site.  After paying the ransom in Bitcoin and establishing contact, victims receive links to download cryptographic keys and tools to decrypt their network.

Recommended Mitigations

The following list includes self-protection strategies against MSIL/Samas.A ransomware campaigns:

  • Audit your network for systems using RDP for remote communication. Disable the service if unneeded or install available patches.  Users may need to work with their technology vendors to confirm that patches will not affect system processes.
  • Verify all cloud-based virtual machine instances, with a public IP, do not have open RDP ports, specifically port 3389, unless there is a valid business reason to do so. Place any system with an open RDP port behind a firewall and require users to use a Virtual Private Network (VPN) to access it through the firewall.
  • Enable strong passwords and account lockout policies to defend against brute-force attacks.
  • Apply two-factor authentication, where possible (important).
  • Apply system and software updates regularly.
  • Demand a good back-up strategy.
  • Enable logging and ensure logging mechanisms capture RDP logins. Keep logs for a minimum of 90 days and review them regularly to detect intrusion attempts.
  • When creating cloud-based virtual machines, adhere to the cloud provider's best practices for remote access.
  • Ensure third parties that require RDP access are required to follow internal policies on remote access.
  • Minimize network exposure for all control system devices. Where possible, critical devices should not have RDP enabled.
  • Regulate and limit external to internal RDP connections. When external access to internal resources is required, use secure methods such as VPNs, recognizing VPNs are only as secure as the connected devices.

For questions or comments regarding this report, please contact the Lab directly by at 844-4-WAPACK (1-844-492-7225), or feedback@wapacklabs.com

[1] FBI PIN 20181128-001

You need to be a member of Red Sky Alliance to add comments!

Join Red Sky Alliance