JexBoss Exploit Scans Target Home and Office

Introduction:

Wapack Labs SOC identified JexBoss exploit attempts against an HVAC Controller, a NetScaler device, and the CEO of the company. This exploit is known to be a delivery mechanism of SamSam ransomware --and it would have been the second time this company would have suffered a large scale ramsomware attack.

Summary

Wapack Labs observed multiple attempts to exploit JBoss Application Servers using the JexBoss Exploit Tool staring in November of 2018. Research into these incidents shows most of these scans originate in China. In addition to scanning for JBoss, the scans attempt to exploit Tomcat management pages, PHP Weathermap, Microsoft Windows Server 2003 and Apache Hadoop YARN Resource Manager. Wapack Labs provides details on Jexboss, the IP’s used to scan for exploits, and information on the additional frameworks targeted.

Background

JBoss is a division of Red Hat that provides support for the open source application server WildFly, known previously as JBoss AS (Application Server). JexBoss is an exploit tool that allows attackers to generate exploits for vulnerabilities targeting servers using JBoss.[1] JexBoss is written in Python and used to either verify or exploit Java deserialization vulnerabilities. Serialization is the process of turning an object into a data format or byte stream that can be reversed later.

The exploits work on the JBoss Application Server versions 3 – 6 and attempts to exploit the following CVE’s and frameworks.

CVE	Framework
CVE-2015-5317	Jenkins CLI RCE
CVE-2016-3427	DNS gadget
CVE-2016-8735	Remote JMX
CVE-2017-5638	Apache Struts2 Jakarta Multipart parser

Delivery

The majority of IP’s responsible for the exploit scans were from Chinese ASN’s and a full list is provided in the Appendix of this report. The following chart shows the location of the IP’s responsible for the exploit scanning collected from Wapack Labs clients and affiliates.

The majority of IP’s are from China and the following chart breaks down the Chinese ASN’s these IP’s belong to.

Research into the scanning activity shows the attackers scan to identify the installation of JBoss, PHP Webshells and phpMyAdmin. In addition to attempting to map out PHP environments to exploit, the scans also attempt to identify Tomcat management pages, PHP Weathermap, Microsoft Windows Server 2003 and Apache Hadoop YARN Resource Manager. A sample of the paths scanned to identify these frameworks is shown below:

Scan Exploit Paths	Vulnerability
/ws/v1/cluster/apps/new-application	Apache Hadoop Yarn ResourceManager Vulnerability
/manager/html	Tomcat Management page
/jexws3/jexws3.jsp?ppp=echo%20D3c3mb3r	Jboss probe
/jexws2/jexws2.jsp?ppp=echo%20D3c3mb3r	Jboss probe
/jexws4/jexws4.jsp?ppp=echo%20D3c3mb3r	Jboss probe
/jexinv/jexinv.jsp?ppp=echo%20D3c3mb3r	Jboss probe
/jexinv3/jexinv3.jsp?ppp=echo%20D3c3mb3r	Jboss probe
/jexinv4/jexinv4.jsp?ppp=echo%20D3c3mb3r	Jboss probe
/jbossass/jbossass.jsp?ppp=echo%20Hello%20D3c3mb3r	Jboss probe
/console/jspzxc.jsp?cmd=echo%20Hello%20D3c3mb3r	Jboss probe
/demo/404.jsp?bjh=echo%20Hello%20D3c3mb3r	Jboss probe
/jbws/jbws.jsp?eval=echo%20Hello%20D3c3mb3r	Jboss probe
/dread/lock.jsp?tezaz=echo%20Hello%20D3c3mb3r	Jboss probe
/HCEGH/xunfeng.jsp?comment=echo%20Hello%20D3c3mb3r	Jboss probe
/jvrx/cmd.jsp?pwd=everymorning&cmd=echo%20Hello%20D3c3mb3r	Jboss probe
/shellinvoker/shellinvoker.jsp?ppp=echo%20Hello%20D3c3mb3r	Jboss probe
/zecmd/zecmd.jsp?comment=echo%20Hello%20D3c3mb3r	Jboss probe
/index.php	phpMyAdmin
/phpmyadmin/index.php	phpMyAdmin
/phpmyadmin/scripts/setup.php	phpMyAdmin
/cacti/plugins/weathermap/editor.php	Weathermap
/plugins/weathermap/editor.php	Weathermap
/webdav/	WebDAV probe / CVE-2017-7269, Microsoft Windows Server 2003

This may indicate the attackers are using an attack framework similar to Metasploit, or running scans searching for multiple exploits. Webflow data shows that the scanning IP’s attempt anywhere from 150 to 330 probes per target.

When scanning for exploits the user-agent seen most often was “test”.

Some of the IPs identified scanning Wapack Labs clients were found scanning domains in the Wapack Labs sinkhole. From this data, we identified the user-agents “jbosses” and “jexboss” in addition to “test”. The sinkhole also identified PROPFIND requests made to http//localhost which may be an additional attempt to identify CVE-2017-7269 vulnerabilities targeting Microsoft Windows Server 2003 WebDAV service.

Malware

Wapack Labs collections identified a small percentage of the IP’s used in these scans are C2 for Zeus, Ramnit and Android malware from as early as 2012 through November of 2018. The following domains hosted by the scanning IP’s showed detections for phishing and malware delivery and should be blocked.

34gm.com
60millas.com
9kb.info
achaberron.es
apartamentoslaregatina.com
asatech.com.vn
bet66.cc
blr508.com
bomao500.com
buscarasturias.com
ca88yazhoucheng.cc
camping-covadonga.com
casaamparotriana.com
casacapra.com
casamonterriundo.com
casonadelfraile.com
cnemoney.com
cq7z.cn
d2.freep.cn
d3.freep.cn
deboanalagoa.ddns.net
fuhutang.cc
gnagt.cn
hma5.com
hn8v.cn
hotelcardeo.com
hotelcardeo-asturias.com
hotlantrans.com
hzxscc.com
kartingpola.com
linebing.cn
linecd.cn
lineuj.cn
linexe.cn
marmoleriajunco.com
nava2000.com
nbp.seu.edu.cn
oa.cq7z.cn
pensionblanca.com
pic.caigoubao.cc
pulidoscaldevilla.com
raccoonit.com
restauranteeltiti.com
sctasturiana.com
sentinelboats.com
sun254.com
syc10.com
turismo-asturias.com
wap.cnddmh.com
wap.cnddmi.com
wap.cnddmk.com
wap.cnddmn.com
wap.cnddmo.com
xxooboy.cc
yspark.justdied.com
yymov.com
zyt-scholarship.com

The Wapack Labs botnet tracker shows some of the IP’s used in the exploit scans came into contact with the following botnet C2’s controllers which may indicate they are part of a larger botnet.

Attribution	c2
betabot	hxxp://hromofreah.top/cache/order.php
lokibot	hxxp://life-is-beautiful.in/inc/Panel/five/fre.php
lokibot	hxxp://191.101.31.97/admin/kc/five/fre.php
lokibot	hxxp://life-is-beautiful.in/api/Panel/five/fre.php
proxyback	hxxp://cartrestfound.com/car.php
proxyback	hxxp://byperholl.com/ir.php
proxyback	hxxp://semidethk.com/io.php
proxyback	hxxp://indownfplex.com/vis.php
proxyback	hxxp://indownfplex.com/flex.php
proxyback	hxxp://semidethk.com/is.php
proxyback	hxxp://hundedindi.com/ms.php
proxyback	hxxp://cartrestfound.com/sh.php
proxyback	hxxp://hiros9guild.biz/des.php
proxyback	hxxp://hundedindi.com/sql.php
proxyback	hxxp://byperholl.com/te.php
proxyback	hxxp://hiros9guild.biz/ex.php
lokibot	hxxp://194.187.249.82/done/bowe/fre.php
lokibot	hxxp://muhtomas.co.id/SSL/Panel/five/fre.php
lokibot	hxxp://winnersguy.ml/chibyke/fre.php
unknown_mobile_botnet+ports:20000-20002	74.207.241.132
lokibot	hxxp://ebanbrown.dynamic-dns.net/mitch/fre.php
lokibot	hxxp://alfachemllc.com/js/file/parsatla_arsatla/fre.php
lokibot	hxxp://licenseha.ir/wp-admin/five/fre.php
smokeloader	hxxp://anam0rph.su/in.php
ponyloader	hxxp://gmgifts.co.uk/gate.php
nivdort	hxxp://collegebecame.net/index.php
quant	hxxp://proxy.cheesecakefactoryrestos5.com/proxy/index.php
treasurehunt	hxxp://bricks.builders.cp-in-14.webhostbox.net/ghost_panel/gate.php
madness	hxxp://itzjchan2.altervista.org/
bluebot	hxxp://volambachkim.com/panel/target
bluebot	hxxp://volambachkim.com/panel/proxy
bluebot	hxxp://volambachkim.com/panel/botlogger.php
ponyloader	hxxp://admin.mediachakra.com/gate.php
ramnit	45.55.36.236
kasidet	hxxp://82.196.12.69/y/tasks.php
lokibot	hxxp://longvedz.club/pode/gart/fre.php
lokibot	hxxp://46.21.153.87/logs/done/fre.php
lokibot	hxxp://omegasupplier.com/index/fre.php
smokeloader	hxxp://ygiudewsqhct.in/in.php
solar	hxxp://s.icab.pk/s/index.php
lokibot	hxxp://backagain.cf/mine/fre.php
ponyloader	hxxp://66bkuneu3hkgqpqf.onion.link/VXL1/gate.php
lokibot	hxxp://www.duogai.net/wp-content/languages/twitters/fre.php

In one case the scanning IP is also a botnet controller as seen below.

36.17.46/spicy/fre.php

Conclusion

With information shared between Wapack Labs, our clients and affiliates, analysts have better visibility into the nature of these exploit scans which are leveraging JexBoss. Wapack Labs will continue to monitor exploit scans targeting users to provide information and early warnings on the vulnerabilities sought after by attackers.

Appendix A:

This is a list of IP’s preforming the exploit scans described in this report identified by Wapack Labs, clients and affiliates.

111.230.225.187
90.173.99.208
117.102.115.45
118.25.225.80
123.207.68.247
134.175.99.69
111.230.52.108
118.24.124.84
114.116.81.23
117.102.115.45
148.70.106.105
103.112.210.179
132.232.224.155
175.176.192.178
140.143.165.103
148.70.106.1
1.214.219.196
10.10.139.191
103.56.115.211
105.96.22.84
114.118.85.164
115.159.57.129
116.193.154.142
116.196.86.183
117.50.69.76
118.24.124.84
118.24.82.40
119.75.41.70
121.163.187.55
121.46.30.201
13.79.159.31
132.232.140.136
132.232.16.249
134.175.132.89
134.175.134.150
134.175.88.133
148.70.101.35
154.85.97.2
154.85.99.103
181.49.5.35
188.131.138.195
190.129.74.151
192.186.23.25
193.112.12.35
193.112.40.110
193.112.43.204
193.112.86.81
193.112.89.197
193.227.20.55
198.74.81.142
198.74.81.52
198.74.81.71
198.74.89.31
203.153.214.171
212.129.136.186
49.4.22.15
58.87.115.217
88.76.35.98
93.50.79.38
94.191.15.217
94.191.17.242
132.232.1.169
123.254.110.243
156.234.127.58
106.12.99.111
60.29.14.197
58.215.76.25
94.191.10.62
120.31.136.230
139.199.107.130
139.199.67.82
154.223.153.166
103.104.106.136
154.8.150.119
103.255.179.146
118.45.237.229
119.1.160.85
122.114.72.114
114.115.129.191
118.24.48.113
45.40.254.224
90.173.99.208
134.175.12.253
103.75.47.74
134.175.12.86
118.24.22.186
103.100.60.15
185.227.154.112
122.142.75.55
118.98.121.66
72.32.209.144
222.76.204.106
104.233.232.49
111.230.152.57
118.24.93.16
47.244.123.236
119.29.41.87
203.195.147.129
41.223.49.173
132.232.187.53
134.175.99.69
134.175.58.153
43.229.38.171
123.63.224.20
211.65.63.192
103.210.239.136
111.230.134.96
106.12.129.117
132.232.159.51
212.64.42.143
42.51.16.108
119.29.85.92
114.115.131.50
106.12.205.249
43.240.28.46
119.29.94.69
114.116.36.222
188.131.169.237
167.179.72.22
140.143.165.103
27.118.28.230
106.12.148.83
14.18.141.201
139.199.166.203
118.32.127.213
132.232.71.54
118.89.34.18
132.232.16.62
200.98.200.147
189.17.105.183
139.199.104.191
80.211.55.37
103.254.111.230
150.109.54.38
219.144.130.208
61.83.40.74
94.191.35.39
160.19.49.6
96.95.223.81
160.19.51.165
132.232.37.105
111.230.229.231
182.61.13.50
132.232.224.155
45.40.252.56
39.109.3.236
118.25.218.68
114.116.81.23
110.77.211.212
104.233.73.17
114.236.138.234
202.146.219.156
193.112.222.52
103.210.237.24
188.131.157.195
120.92.10.237
210.21.52.38
103.100.211.250
154.8.183.74
138.68.246.41
103.86.67.250
193.112.220.187
117.50.55.23
45.42.86.154
132.232.183.81
140.143.153.197
121.169.127.8
140.143.59.13
139.199.28.123
103.200.117.41
103.14.38.14
200.155.5.244
193.112.160.70
103.98.112.210
139.199.175.155
134.175.44.221
60.250.120.84
111.230.197.230
118.24.122.13
118.24.38.122
132.232.135.73
45.249.95.183
74.221.202.35
54.36.95.20
118.24.26.150
122.114.214.180
154.8.139.66
118.24.50.99
45.42.85.138
132.232.86.142
134.175.91.239
123.207.115.16
43.240.248.82
50.254.129.69
118.24.94.89
132.232.212.247
193.112.96.25
187.152.96.223
45.125.35.173
140.143.19.50
116.89.241.220
114.115.250.189
119.29.54.156
154.95.188.193
114.116.15.48
211.149.130.28
123.207.68.247
156.236.72.200
118.24.239.135
45.192.88.194
140.143.3.146
111.230.180.103
119.28.85.203
180.249.130.147
212.129.144.156
111.231.233.85
119.197.20.155
123.207.242.179
69.165.73.82
119.29.245.219
156.236.64.177
118.25.71.229
103.229.183.178
132.232.154.147
202.53.138.101
47.244.115.39
134.175.116.51
111.230.52.108
132.232.193.63
1.34.192.112
221.239.27.252
132.232.82.43
185.242.161.86
103.64.12.125
61.75.35.114
103.194.170.110
119.29.209.151
103.56.55.64
61.186.172.178
103.40.21.58
45.40.245.150
122.114.251.251
193.112.19.214
106.12.97.114
150.109.62.4
172.120.80.66
203.195.150.228
121.127.227.55
119.1.96.157
118.25.54.65
103.254.111.139
182.61.43.58
211.149.235.17
208.255.143.21
103.238.225.76
194.36.173.46
40.80.152.70
193.124.64.119
193.112.191.53
132.232.184.225
119.28.71.130
86.202.58.230
37.238.128.77
148.70.5.182
23.224.2.138
92.154.58.146
150.107.0.102
144.48.8.80
111.230.11.212
45.40.246.72
203.195.171.15
106.12.201.74
114.116.67.224
211.149.180.56
103.87.8.166
1.214.64.11
182.61.165.82
132.232.12.125
103.92.24.240
54.36.29.225
43.251.104.135
140.143.46.180
150.129.40.247
118.25.75.27
132.232.3.176
140.143.182.64
154.48.225.29
154.223.150.115
103.233.249.122
134.175.146.205
212.64.0.114
172.245.158.116
106.12.198.175
125.227.89.41
134.175.143.238
137.59.18.146
192.200.215.90
103.75.13.125
91.98.31.132
223.27.217.199
103.217.227.113
112.91.215.218
119.29.175.32
222.105.146.27
45.41.89.178
103.91.207.195
220.133.202.244
122.114.69.155
222.223.239.200
103.92.26.169
119.15.87.107
85.152.53.130
156.236.102.169
103.115.41.239
94.178.97.126
52.28.149.54
103.89.85.14
103.41.212.190
132.232.41.115
103.55.24.136
90.187.114.229
200.116.123.78
139.199.87.17
134.73.188.2
156.236.64.57
123.207.74.20
103.48.168.87
66.212.59.146
211.149.224.192
211.159.147.46
49.4.89.86
173.82.147.106
122.114.158.135
202.181.24.225
94.191.21.15
154.91.201.90
61.172.174.186
94.191.6.83
154.66.198.77
148.70.107.233
42.51.34.160
117.123.84.14
112.29.236.135
132.232.210.219
43.255.118.112
129.204.0.8
136.243.231.57
151.237.40.5
103.208.35.244
39.109.116.240
211.149.222.124
118.25.236.78
39.109.122.171
103.89.85.13
140.115.126.235
128.14.133.50
142.252.20.34
203.99.187.41
189.90.7.244
69.46.82.178
94.191.39.125
103.35.151.62
103.214.140.144
117.2.102.29
219.234.4.91
80.211.246.77
211.149.174.105
193.187.118.58
103.72.166.142
106.12.42.213
58.64.173.214
103.104.105.63
111.231.93.135
45.61.252.194
118.131.117.124
103.100.158.132
86.124.151.17
139.199.95.23
119.148.160.21
192.144.175.67
114.116.76.241
122.114.98.130
115.126.36.126
90.71.64.102
195.9.141.100
193.112.64.59
211.149.179.152
120.132.13.56

TIR-18-346-001_Indicators.csv

[1] https://github.com/joaomatosf/jexboss

X-Industry

JexBoss Exploit Scans Target Home and Office

Comments