Introduction:
The Wapack Labs SOC identified JexBoss exploit attempts against an HVAC controller, a NetScaler device, and the CEO of the company. JexBoss is a known delivery mechanism for SamSam ransomware, and a successful compromise would have been the second large-scale ransomware attack this company had suffered.
Summary
Wapack Labs observed multiple attempts to exploit JBoss Application Servers using the JexBoss exploit tool, starting in November 2018. Research into these incidents shows that most of the scans originate in China. In addition to scanning for JBoss, the scans attempt to exploit Tomcat management pages, PHP Weathermap, Microsoft Windows Server 2003 (WebDAV) and the Apache Hadoop YARN ResourceManager. This report provides details on JexBoss, the IPs used in the exploit scans, and information on the additional frameworks targeted.
Background
JBoss is a division of Red Hat that supports the open source application server WildFly, previously known as JBoss AS (Application Server). JexBoss is an exploit tool, written in Python, used to verify or exploit Java deserialization vulnerabilities in servers running JBoss and related Java platforms.[1] Serialization is the process of turning an object into a byte stream that can later be reversed (deserialized) back into an object; the vulnerabilities JexBoss targets arise when a server deserializes attacker-supplied bytes.
The exploits work against JBoss Application Server versions 3 through 6, and the tool also attempts to exploit the following CVEs and frameworks:
CVE | Framework
CVE-2015-5317 | Jenkins CLI RCE
CVE-2016-3427 | DNS gadget
CVE-2016-8735 | Remote JMX
CVE-2017-5638 | Apache Struts2 Jakarta Multipart parser
Delivery
The majority of IPs responsible for the exploit scans belong to Chinese ASNs; a full list is provided in Appendix A of this report. The following chart shows the locations of the IPs responsible for the exploit scanning, collected from Wapack Labs clients and affiliates.
The majority of IPs are in China, and the following chart breaks down the Chinese ASNs these IPs belong to.
Research into the scanning activity shows the attackers scan to identify JBoss installations, PHP webshells and phpMyAdmin. In addition to mapping out PHP environments to exploit, the scans also attempt to identify Tomcat management pages, PHP Weathermap, Microsoft Windows Server 2003 (WebDAV) and the Apache Hadoop YARN ResourceManager. A sample of the paths scanned to identify these frameworks is shown below. Note the pattern of the JBoss probes: each one passes a shell command (echo with the canary string D3c3mb3r) as a query parameter to a JSP webshell, so the scanner can tell from the response whether the shell exists and executes commands.
Scan Exploit Path | Vulnerability
/ws/v1/cluster/apps/new-application | Apache Hadoop YARN ResourceManager vulnerability
/manager/html | Tomcat management page
/jexws3/jexws3.jsp?ppp=echo%20D3c3mb3r | JBoss probe
/jexws2/jexws2.jsp?ppp=echo%20D3c3mb3r | JBoss probe
/jexws4/jexws4.jsp?ppp=echo%20D3c3mb3r | JBoss probe
/jexinv/jexinv.jsp?ppp=echo%20D3c3mb3r | JBoss probe
/jexinv3/jexinv3.jsp?ppp=echo%20D3c3mb3r | JBoss probe
/jexinv4/jexinv4.jsp?ppp=echo%20D3c3mb3r | JBoss probe
/jbossass/jbossass.jsp?ppp=echo%20Hello%20D3c3mb3r | JBoss probe
/console/jspzxc.jsp?cmd=echo%20Hello%20D3c3mb3r | JBoss probe
/demo/404.jsp?bjh=echo%20Hello%20D3c3mb3r | JBoss probe
/jbws/jbws.jsp?eval=echo%20Hello%20D3c3mb3r | JBoss probe
/dread/lock.jsp?tezaz=echo%20Hello%20D3c3mb3r | JBoss probe
/HCEGH/xunfeng.jsp?comment=echo%20Hello%20D3c3mb3r | JBoss probe
/jvrx/cmd.jsp?pwd=everymorning&cmd=echo%20Hello%20D3c3mb3r | JBoss probe
/shellinvoker/shellinvoker.jsp?ppp=echo%20Hello%20D3c3mb3r | JBoss probe
/zecmd/zecmd.jsp?comment=echo%20Hello%20D3c3mb3r | JBoss probe
/index.php | phpMyAdmin
/phpmyadmin/index.php | phpMyAdmin
/phpmyadmin/scripts/setup.php | phpMyAdmin
/cacti/plugins/weathermap/editor.php | Weathermap
/plugins/weathermap/editor.php | Weathermap
/webdav/ | WebDAV probe / CVE-2017-7269, Microsoft Windows Server 2003
This may indicate the attackers are using an attack framework similar to Metasploit, or are running scans for multiple exploits in a single pass. Webflow data shows that each scanning IP attempts anywhere from 150 to 330 probes per target.
The user-agent seen most often in the exploit scans was "test".
Some of the IPs identified scanning Wapack Labs clients were also seen scanning domains in the Wapack Labs sinkhole. From this data we identified the user-agents "jbosses" and "jexboss" in addition to "test". The sinkhole also recorded PROPFIND requests referencing http://localhost, which may be an additional attempt to identify hosts vulnerable to CVE-2017-7269 in the Microsoft Windows Server 2003 WebDAV service.
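As an added example (not part of the Wapack Labs report), the following Python script turns the probe paths, command parameters and user-agents above into detection logic over web-server access logs in the Apache/nginx "combined" format, and aggregates hits per source IP. The log lines at the end are constructed for the demo using documentation address ranges, not the scanner IPs from Appendix A. The "live shell" heuristic (a 200 response on one of the JexBoss JSP paths) and the flagging thresholds are assumptions made for illustration.

```python
import re
from collections import defaultdict
from urllib.parse import urlsplit, parse_qs

# Probe signatures built from the paths listed in the report: (path regex, label).
PATH_SIGNATURES = [
    # JSP webshells dropped by JexBoss plus the other JBoss probe paths
    (re.compile(r"^/(jexws\d*|jexinv\d*|jbossass|jbws|shellinvoker|zecmd)/[^/]+\.jsp$"), "jboss_probe"),
    (re.compile(r"^/(console/jspzxc|demo/404|dread/lock|HCEGH/xunfeng|jvrx/cmd)\.jsp$"), "jboss_probe"),
    (re.compile(r"^/ws/v1/cluster/apps/new-application$"), "hadoop_yarn_rm"),
    (re.compile(r"^/manager/html$"), "tomcat_manager"),
    (re.compile(r"^(/cacti)?/plugins/weathermap/editor\.php$"), "weathermap"),
    (re.compile(r"^/phpmyadmin/(index|scripts/setup)\.php$"), "phpmyadmin"),
    (re.compile(r"^/webdav/?$"), "webdav"),
]

# Query parameters the report shows carrying the shell command (e.g. ppp=echo D3c3mb3r)
CMD_PARAMS = {"ppp", "cmd", "bjh", "eval", "tezaz", "comment"}
# User-agents observed on the scanners
SCANNER_UAS = {"test", "jbosses", "jexboss"}

# Apache/nginx "combined" log format
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" '
    r'(?P<status>\d{3}) \S+ "[^"]*" "(?P<ua>[^"]*)"'
)


def classify_request(method, target, status, ua):
    """Describe why one request looks like a JexBoss-style probe, or return None."""
    parts = urlsplit(target)
    hit = {"label": None, "cmd": None, "scanner_ua": ua.lower() in SCANNER_UAS, "shell_live": False}

    for pattern, label in PATH_SIGNATURES:
        if pattern.search(parts.path):
            hit["label"] = label
            break

    # PROPFIND is the WebDAV method used to trigger CVE-2017-7269; give it its own label
    if method == "PROPFIND":
        hit["label"] = "webdav_propfind"

    # Decode the command passed to the JSP shell, if any (parse_qs undoes the %20 encoding)
    params = parse_qs(parts.query, keep_blank_values=True)
    for name in CMD_PARAMS:
        if name in params:
            hit["cmd"] = params[name][0]
            break

    # Assumed heuristic: the jex*/jbossass/... JSPs exist only if JexBoss already deployed
    # them, so a 200 on one of those paths is treated as a live shell rather than a probe.
    if hit["label"] == "jboss_probe" and status == 200:
        hit["shell_live"] = True

    if hit["label"] is None and hit["cmd"] is None and not hit["scanner_ua"]:
        return None
    return hit


def scan_log(lines):
    """Aggregate probe hits per source IP: {ip: {hits, labels, cmds, scanner_ua, shell_live}}."""
    per_ip = defaultdict(lambda: {"hits": 0, "labels": set(), "cmds": [],
                                  "scanner_ua": False, "shell_live": False})
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue  # not a combined-format line; skip rather than guess
        hit = classify_request(m["method"], m["target"], int(m["status"]), m["ua"])
        if hit is None:
            continue
        s = per_ip[m["ip"]]
        s["hits"] += 1
        if hit["label"]:
            s["labels"].add(hit["label"])
        if hit["cmd"]:
            s["cmds"].append(hit["cmd"])
        s["scanner_ua"] |= hit["scanner_ua"]
        s["shell_live"] |= hit["shell_live"]
    return dict(per_ip)


def flag_sources(summary, min_labels=2):
    """IPs worth escalating: scanning several frameworks, a known scanner UA, or a live shell."""
    return sorted(ip for ip, s in summary.items()
                  if len(s["labels"]) >= min_labels or s["scanner_ua"] or s["shell_live"])


# Constructed sample log (documentation IP ranges; the probe paths mirror the report's table)
SAMPLE_LOG = """\
203.0.113.10 - - [12/Nov/2018:03:14:07 +0000] "GET /jexws4/jexws4.jsp?ppp=echo%20D3c3mb3r HTTP/1.1" 404 209 "-" "test"
203.0.113.10 - - [12/Nov/2018:03:14:07 +0000] "GET /manager/html HTTP/1.1" 401 2473 "-" "test"
203.0.113.10 - - [12/Nov/2018:03:14:08 +0000] "POST /ws/v1/cluster/apps/new-application HTTP/1.1" 404 209 "-" "jexboss"
203.0.113.10 - - [12/Nov/2018:03:14:08 +0000] "PROPFIND /webdav/ HTTP/1.1" 405 232 "-" "test"
203.0.113.10 - - [12/Nov/2018:03:14:09 +0000] "GET /jvrx/cmd.jsp?pwd=everymorning&cmd=echo%20Hello%20D3c3mb3r HTTP/1.1" 200 17 "-" "jbosses"
198.51.100.7 - - [12/Nov/2018:03:20:00 +0000] "GET /index.html HTTP/1.1" 200 1317 "-" "Mozilla/5.0"
198.51.100.7 - - [12/Nov/2018:03:20:01 +0000] "GET /phpmyadmin/index.php HTTP/1.1" 404 209 "-" "Mozilla/5.0"
""".splitlines()

if __name__ == "__main__":
    result = scan_log(SAMPLE_LOG)
    for ip, s in result.items():
        print(ip, s["hits"], sorted(s["labels"]), s["cmds"], "shell_live=%s" % s["shell_live"])
    print("escalate:", flag_sources(result))
```

Against the sample, the first source is flagged for probing four different frameworks with scanner user-agents, and the 200 on /jvrx/cmd.jsp marks it as a host that should be treated as already compromised rather than merely scanned; the second source, with a single phpMyAdmin 404 under a browser user-agent, stays below the threshold. The /index.php entry from the table is deliberately left out of the signatures because it would match legitimate traffic on any PHP site.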
Malware
Wapack Labs collections identified that a small percentage of the IPs used in these scans have served as C2 for Zeus, Ramnit and Android malware from as early as 2012 through November 2018. The following domains, hosted on the scanning IPs, showed detections for phishing and malware delivery and should be blocked.
- 34gm.com
- 60millas.com
- 9kb.info
- achaberron.es
- apartamentoslaregatina.com
- asatech.com.vn
- bet66.cc
- blr508.com
- bomao500.com
- buscarasturias.com
- ca88yazhoucheng.cc
- camping-covadonga.com
- casaamparotriana.com
- casacapra.com
- casamonterriundo.com
- casonadelfraile.com
- cnemoney.com
- cq7z.cn
- d2.freep.cn
- d3.freep.cn
- deboanalagoa.ddns.net
- fuhutang.cc
- gnagt.cn
- hma5.com
- hn8v.cn
- hotelcardeo.com
- hotelcardeo-asturias.com
- hotlantrans.com
- hzxscc.com
- kartingpola.com
- linebing.cn
- linecd.cn
- lineuj.cn
- linexe.cn
- marmoleriajunco.com
- nava2000.com
- nbp.seu.edu.cn
- oa.cq7z.cn
- pensionblanca.com
- pic.caigoubao.cc
- pulidoscaldevilla.com
- raccoonit.com
- restauranteeltiti.com
- sctasturiana.com
- sentinelboats.com
- sun254.com
- syc10.com
- turismo-asturias.com
- wap.cnddmh.com
- wap.cnddmi.com
- wap.cnddmk.com
- wap.cnddmn.com
- wap.cnddmo.com
- xxooboy.cc
- yspark.justdied.com
- yymov.com
- zyt-scholarship.com
The Wapack Labs botnet tracker shows that some of the IPs used in the exploit scans communicated with the following botnet C2 controllers, which may indicate they are part of a larger botnet.
Attribution | C2
betabot | hxxp://hromofreah.top/cache/order.php |
lokibot | hxxp://life-is-beautiful.in/inc/Panel/five/fre.php |
lokibot | hxxp://191.101.31.97/admin/kc/five/fre.php |
lokibot | hxxp://life-is-beautiful.in/api/Panel/five/fre.php |
proxyback | hxxp://cartrestfound.com/car.php |
proxyback | hxxp://byperholl.com/ir.php |
proxyback | hxxp://semidethk.com/io.php |
proxyback | hxxp://indownfplex.com/vis.php |
proxyback | hxxp://indownfplex.com/flex.php |
proxyback | hxxp://semidethk.com/is.php |
proxyback | hxxp://hundedindi.com/ms.php |
proxyback | hxxp://cartrestfound.com/sh.php |
proxyback | hxxp://hiros9guild.biz/des.php |
proxyback | hxxp://hundedindi.com/sql.php |
proxyback | hxxp://byperholl.com/te.php |
proxyback | hxxp://hiros9guild.biz/ex.php |
lokibot | hxxp://194.187.249.82/done/bowe/fre.php |
lokibot | hxxp://muhtomas.co.id/SSL/Panel/five/fre.php |
lokibot | hxxp://winnersguy.ml/chibyke/fre.php |
unknown_mobile_botnet+ports:20000-20002 | 74.207.241.132 |
lokibot | hxxp://ebanbrown.dynamic-dns.net/mitch/fre.php |
lokibot | hxxp://alfachemllc.com/js/file/parsatla_arsatla/fre.php |
lokibot | hxxp://licenseha.ir/wp-admin/five/fre.php |
smokeloader | hxxp://anam0rph.su/in.php |
ponyloader | hxxp://gmgifts.co.uk/gate.php |
nivdort | hxxp://collegebecame.net/index.php |
quant | hxxp://proxy.cheesecakefactoryrestos5.com/proxy/index.php |
treasurehunt | hxxp://bricks.builders.cp-in-14.webhostbox.net/ghost_panel/gate.php |
madness | hxxp://itzjchan2.altervista.org/ |
bluebot | hxxp://volambachkim.com/panel/target |
bluebot | hxxp://volambachkim.com/panel/proxy |
bluebot | hxxp://volambachkim.com/panel/botlogger.php |
ponyloader | hxxp://admin.mediachakra.com/gate.php |
ramnit | 45.55.36.236 |
kasidet | hxxp://82.196.12.69/y/tasks.php |
lokibot | hxxp://longvedz.club/pode/gart/fre.php |
lokibot | hxxp://46.21.153.87/logs/done/fre.php |
lokibot | hxxp://omegasupplier.com/index/fre.php |
smokeloader | hxxp://ygiudewsqhct.in/in.php |
solar | hxxp://s.icab.pk/s/index.php |
lokibot | hxxp://backagain.cf/mine/fre.php |
ponyloader | hxxp://66bkuneu3hkgqpqf.onion.link/VXL1/gate.php |
lokibot | hxxp://www.duogai.net/wp-content/languages/twitters/fre.php |
In one case the scanning IP is itself a botnet controller, as seen below.
- 36.17.46/spicy/fre.php
Conclusion
With information shared between Wapack Labs, our clients and affiliates, analysts have better visibility into the nature of these exploit scans leveraging JexBoss. Wapack Labs will continue to monitor exploit scans targeting users in order to provide information and early warnings on the vulnerabilities attackers are seeking.
Appendix A:
This is a list of IPs performing the exploit scans described in this report, as identified by Wapack Labs, clients and affiliates.
- 111.230.225.187
- 90.173.99.208
- 117.102.115.45
- 118.25.225.80
- 123.207.68.247
- 134.175.99.69
- 111.230.52.108
- 118.24.124.84
- 114.116.81.23
- 148.70.106.105
- 103.112.210.179
- 132.232.224.155
- 175.176.192.178
- 140.143.165.103
- 148.70.106.1
- 1.214.219.196
- 10.10.139.191
- 103.56.115.211
- 105.96.22.84
- 114.118.85.164
- 115.159.57.129
- 116.193.154.142
- 116.196.86.183
- 117.50.69.76
- 118.24.82.40
- 119.75.41.70
- 121.163.187.55
- 121.46.30.201
- 13.79.159.31
- 132.232.140.136
- 132.232.16.249
- 134.175.132.89
- 134.175.134.150
- 134.175.88.133
- 148.70.101.35
- 154.85.97.2
- 154.85.99.103
- 181.49.5.35
- 188.131.138.195
- 190.129.74.151
- 192.186.23.25
- 193.112.12.35
- 193.112.40.110
- 193.112.43.204
- 193.112.86.81
- 193.112.89.197
- 193.227.20.55
- 198.74.81.142
- 198.74.81.52
- 198.74.81.71
- 198.74.89.31
- 203.153.214.171
- 212.129.136.186
- 49.4.22.15
- 58.87.115.217
- 88.76.35.98
- 93.50.79.38
- 94.191.15.217
- 94.191.17.242
- 132.232.1.169
- 123.254.110.243
- 156.234.127.58
- 106.12.99.111
- 60.29.14.197
- 58.215.76.25
- 94.191.10.62
- 120.31.136.230
- 139.199.107.130
- 139.199.67.82
- 154.223.153.166
- 103.104.106.136
- 154.8.150.119
- 103.255.179.146
- 118.45.237.229
- 119.1.160.85
- 122.114.72.114
- 114.115.129.191
- 118.24.48.113
- 45.40.254.224
- 134.175.12.253
- 103.75.47.74
- 134.175.12.86
- 118.24.22.186
- 103.100.60.15
- 185.227.154.112
- 122.142.75.55
- 118.98.121.66
- 72.32.209.144
- 222.76.204.106
- 104.233.232.49
- 111.230.152.57
- 118.24.93.16
- 47.244.123.236
- 119.29.41.87
- 203.195.147.129
- 41.223.49.173
- 132.232.187.53
- 134.175.58.153
- 43.229.38.171
- 123.63.224.20
- 211.65.63.192
- 103.210.239.136
- 111.230.134.96
- 106.12.129.117
- 132.232.159.51
- 212.64.42.143
- 42.51.16.108
- 119.29.85.92
- 114.115.131.50
- 106.12.205.249
- 43.240.28.46
- 119.29.94.69
- 114.116.36.222
- 188.131.169.237
- 167.179.72.22
- 27.118.28.230
- 106.12.148.83
- 14.18.141.201
- 139.199.166.203
- 118.32.127.213
- 132.232.71.54
- 118.89.34.18
- 132.232.16.62
- 200.98.200.147
- 189.17.105.183
- 139.199.104.191
- 80.211.55.37
- 103.254.111.230
- 150.109.54.38
- 219.144.130.208
- 61.83.40.74
- 94.191.35.39
- 160.19.49.6
- 96.95.223.81
- 160.19.51.165
- 132.232.37.105
- 111.230.229.231
- 182.61.13.50
- 45.40.252.56
- 39.109.3.236
- 118.25.218.68
- 110.77.211.212
- 104.233.73.17
- 114.236.138.234
- 202.146.219.156
- 193.112.222.52
- 103.210.237.24
- 188.131.157.195
- 120.92.10.237
- 210.21.52.38
- 103.100.211.250
- 154.8.183.74
- 138.68.246.41
- 103.86.67.250
- 193.112.220.187
- 117.50.55.23
- 45.42.86.154
- 132.232.183.81
- 140.143.153.197
- 121.169.127.8
- 140.143.59.13
- 139.199.28.123
- 103.200.117.41
- 103.14.38.14
- 200.155.5.244
- 193.112.160.70
- 103.98.112.210
- 139.199.175.155
- 134.175.44.221
- 60.250.120.84
- 111.230.197.230
- 118.24.122.13
- 118.24.38.122
- 132.232.135.73
- 45.249.95.183
- 74.221.202.35
- 54.36.95.20
- 118.24.26.150
- 122.114.214.180
- 154.8.139.66
- 118.24.50.99
- 45.42.85.138
- 132.232.86.142
- 134.175.91.239
- 123.207.115.16
- 43.240.248.82
- 50.254.129.69
- 118.24.94.89
- 132.232.212.247
- 193.112.96.25
- 187.152.96.223
- 45.125.35.173
- 140.143.19.50
- 116.89.241.220
- 114.115.250.189
- 119.29.54.156
- 154.95.188.193
- 114.116.15.48
- 211.149.130.28
- 156.236.72.200
- 118.24.239.135
- 45.192.88.194
- 140.143.3.146
- 111.230.180.103
- 119.28.85.203
- 180.249.130.147
- 212.129.144.156
- 111.231.233.85
- 119.197.20.155
- 123.207.242.179
- 69.165.73.82
- 119.29.245.219
- 156.236.64.177
- 118.25.71.229
- 103.229.183.178
- 132.232.154.147
- 202.53.138.101
- 47.244.115.39
- 134.175.116.51
- 132.232.193.63
- 1.34.192.112
- 221.239.27.252
- 132.232.82.43
- 185.242.161.86
- 103.64.12.125
- 61.75.35.114
- 103.194.170.110
- 119.29.209.151
- 103.56.55.64
- 61.186.172.178
- 103.40.21.58
- 45.40.245.150
- 122.114.251.251
- 193.112.19.214
- 106.12.97.114
- 150.109.62.4
- 172.120.80.66
- 203.195.150.228
- 121.127.227.55
- 119.1.96.157
- 118.25.54.65
- 103.254.111.139
- 182.61.43.58
- 211.149.235.17
- 208.255.143.21
- 103.238.225.76
- 194.36.173.46
- 40.80.152.70
- 193.124.64.119
- 193.112.191.53
- 132.232.184.225
- 119.28.71.130
- 86.202.58.230
- 37.238.128.77
- 148.70.5.182
- 23.224.2.138
- 92.154.58.146
- 150.107.0.102
- 144.48.8.80
- 111.230.11.212
- 45.40.246.72
- 203.195.171.15
- 106.12.201.74
- 114.116.67.224
- 211.149.180.56
- 103.87.8.166
- 1.214.64.11
- 182.61.165.82
- 132.232.12.125
- 103.92.24.240
- 54.36.29.225
- 43.251.104.135
- 140.143.46.180
- 150.129.40.247
- 118.25.75.27
- 132.232.3.176
- 140.143.182.64
- 154.48.225.29
- 154.223.150.115
- 103.233.249.122
- 134.175.146.205
- 212.64.0.114
- 172.245.158.116
- 106.12.198.175
- 125.227.89.41
- 134.175.143.238
- 137.59.18.146
- 192.200.215.90
- 103.75.13.125
- 91.98.31.132
- 223.27.217.199
- 103.217.227.113
- 112.91.215.218
- 119.29.175.32
- 222.105.146.27
- 45.41.89.178
- 103.91.207.195
- 220.133.202.244
- 122.114.69.155
- 222.223.239.200
- 103.92.26.169
- 119.15.87.107
- 85.152.53.130
- 156.236.102.169
- 103.115.41.239
- 94.178.97.126
- 52.28.149.54
- 103.89.85.14
- 103.41.212.190
- 132.232.41.115
- 103.55.24.136
- 90.187.114.229
- 200.116.123.78
- 139.199.87.17
- 134.73.188.2
- 156.236.64.57
- 123.207.74.20
- 103.48.168.87
- 66.212.59.146
- 211.149.224.192
- 211.159.147.46
- 49.4.89.86
- 173.82.147.106
- 122.114.158.135
- 202.181.24.225
- 94.191.21.15
- 154.91.201.90
- 61.172.174.186
- 94.191.6.83
- 154.66.198.77
- 148.70.107.233
- 42.51.34.160
- 117.123.84.14
- 112.29.236.135
- 132.232.210.219
- 43.255.118.112
- 129.204.0.8
- 136.243.231.57
- 151.237.40.5
- 103.208.35.244
- 39.109.116.240
- 211.149.222.124
- 118.25.236.78
- 39.109.122.171
- 103.89.85.13
- 140.115.126.235
- 128.14.133.50
- 142.252.20.34
- 203.99.187.41
- 189.90.7.244
- 69.46.82.178
- 94.191.39.125
- 103.35.151.62
- 103.214.140.144
- 117.2.102.29
- 219.234.4.91
- 80.211.246.77
- 211.149.174.105
- 193.187.118.58
- 103.72.166.142
- 106.12.42.213
- 58.64.173.214
- 103.104.105.63
- 111.231.93.135
- 45.61.252.194
- 118.131.117.124
- 103.100.158.132
- 86.124.151.17
- 139.199.95.23
- 119.148.160.21
- 192.144.175.67
- 114.116.76.241
- 122.114.98.130
- 115.126.36.126
- 90.71.64.102
- 195.9.141.100
- 193.112.64.59
- 211.149.179.152
- 120.132.13.56