Security Intelligence

JexBoss Exploit Scan

Summary

Wapack Labs observed multiple attempts to exploit JBoss Application Servers using the JexBoss Exploit Tool starting in November 2018. Research into these incidents shows that most of these scans originate in China. In addition to scanning for JBoss, the scans attempt to exploit Tomcat management pages, PHP Weathermap, Microsoft Windows Server 2003 and Apache Hadoop YARN Resource Manager. Wapack Labs provides details on JexBoss, the IPs used to scan for…

Read more…

Virtual Chief Trust Officer (vCTO) Program

In a recent blog post, Nitzan Daube, CTO of NanoLock, explains why a security focus must cover IT hardware, physical security and their cyber security consequences. Wapack Labs agrees wholeheartedly, and is providing solutions.

Wapack Labs participated in a recent lecture at the October 2018 ASIS Conference, held in Las Vegas, NV. Our joint lecture specifically addressed hardware compromise, adherence to physical security and the psychology of…

Read more…

Blockchain for the Supply Chain

The Air Force Institute of Technology[1] (AFIT) has released free “Blockchain for Supply Chain” tools for supply chain professionals to learn about and use the power of blockchain technology. AFIT recently published a live blockchain application that can be accessed from any computer or smartphone, along with a complementary series of tutorial videos that present a blockchain simulation. These videos can be used as a stand-alone…

Read more…

Cyber security professionals often focus on dangers that appear inside their networks or within company messages, sometimes overlooking physical threats. Laptops and devices routinely leave the confines of the network security perimeter. In this circumstance, a hacker can easily get physically next to a vulnerable laptop, which can render firewall rules and DNS security inoperable against an attacker breaking into “your” laptop.…

Read more…

Wapack Labs SOC observed a new cryptominer worm attacking oil and gas industry targets in an automated, opportunistic event. Two separate series of exploitation attempts happened on 02 and 05 October 2018.

Figure 1. 185.232.64.161 trying to run 185.10.68.163/worldwest.sh

An unidentified actor was attempting to exploit Internet-facing servers and the home routers of oil and gas VIPs from two Romanian-based IP addresses. In an opportunistic event, the actor(s) attempted to exploit any device running Java XML or Jenkins, as well as Dell SonicWalls, MVPower DVRs, D-Link DSL2750B routers and Netgear DGN1000 Series routers. Inspection of the packets revealed that all the exploits referred to a common IP address, which appeared to be the command and control source, and to a shell script named “worldwest.sh”. Open-source research on the shell script turned up a research paper published by Juniper Networks on 27 September 2018 describing a new cryptomining worm that uses this script. The worm first compromises the victim using any of the above exploits, then runs the WorldWest shell script. That script then downloads and installs two other shell scripts: a Monero cryptocurrency miner and a network scanner. While the victim mines Monero, it also scans the network for other targets and attempts to infect other devices using both brute-force SSH attempts and the exploit kit. An indicator CSV file is available to prepare a blacklist.

Indicators

Indicator | Type | Kill_Chain_Phase | First_Seen | Last_Seen | Comments | Attribution
--------- | ---- | ---------------- | ---------- | --------- | -------- | -----------
185.232.64.32 | IP | Exploitation | 10/05/2018 | 10/05/2018 | Recommend block | WorldWest
185.232.64.161 | IP | Exploitation | 10/02/2018 | 10/02/2018 | Recommend block | WorldWest
185.10.68.163 | IP | C2 | 9/19/2018 | 10/05/2018 | Recommend block | WorldWest
http://185.10.68.163/worldwest.sh | URL | Exploitation | 9/19/2018 | 10/05/2018 | Recommend block | WorldWest
worldwest.sh | File | Exploitation | 9/19/2018 | 10/05/2018 | Recommend block | WorldWest
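As an added example (not part of the Wapack Labs report or its indicator CSV), the following Python script matches the WorldWest indicators from the table above against log lines, flagging the C2 address whether it appears as a connection endpoint or inside a fetched URL, and flagging the script name even when it is served from a different host. The log lines and their firewall/proxy format are constructed assumptions.

```python
import re
from urllib.parse import urlsplit

# Indicators taken from the table on this page (three IPs, one URL, one file name).
WORLDWEST_IOCS = {
    "ip": {"185.232.64.32", "185.232.64.161", "185.10.68.163"},
    "url": {"http://185.10.68.163/worldwest.sh"},
    "file": {"worldwest.sh"},
}

IPV4_RE = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")
URL_RE = re.compile(r"""https?://[^\s"'<>]+""")

def match_line(line):
    """Return a sorted list of (indicator_type, value) pairs found in one log line."""
    hits = set()
    for ip in IPV4_RE.findall(line):          # catches the IP as a src/dst field or inside a URL
        if ip in WORLDWEST_IOCS["ip"]:
            hits.add(("ip", ip))
    for url in URL_RE.findall(line):
        url = url.rstrip(".,;)")               # drop trailing punctuation glued to the URL
        if url in WORLDWEST_IOCS["url"]:
            hits.add(("url", url))
        name = urlsplit(url).path.rsplit("/", 1)[-1]
        if name in WORLDWEST_IOCS["file"]:    # the script name alone is a hit, even from another host
            hits.add(("file", name))
    return sorted(hits)

def scan_log(lines):
    """Return {line_number: hits} for every line matching at least one indicator."""
    results = {}
    for number, line in enumerate(lines, 1):
        hits = match_line(line)
        if hits:
            results[number] = hits
    return results

# Constructed sample log lines (assumed firewall/proxy format; not from the report).
SAMPLE_LOG = [
    "2018-10-02T03:14:07Z fw src=185.232.64.161 dst=10.0.0.5 dport=8080 action=allow",
    "2018-10-02T03:14:09Z proxy src=10.0.0.5 GET http://185.10.68.163/worldwest.sh status=200",
    "2018-10-02T03:20:11Z fw src=203.0.113.7 dst=10.0.0.5 dport=443 action=allow",
    "2018-10-05T11:02:55Z proxy src=10.0.0.9 GET http://198.51.100.4/worldwest.sh status=404",
]

if __name__ == "__main__":
    for number, hits in scan_log(SAMPLE_LOG).items():
        print("line %d: %s" % (number, hits))
```

Matching on the bare file name as well as the exact URL is what keeps the check useful if the actor moves the script to a new host, which the report's "Recommend block" entries alone would not catch.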
