April 19, 2016 By Larry Loeb 2 min read

Samsam ransomware gathered headlines in March of this year. It differentiated itself from other similar attacks by its method of propagation: Rather than load itself via a poisoned macro attached to an email, Samsam spread through infected servers.

Experts even believe that Samsam was behind the ransomware attacks on a Baltimore hospital in March. But there’s more to this threat than meets the eye.

A Look at the Ransomware Attacks

Talos noticed that this malware had certain characteristics. Samsam first breaks into one server and is sophisticated enough to proliferate across the network by finding targets that run Windows. It sneaks into that first foothold without the need for an individual to click anything.

JBoss is one application server that Samsam likes to exploit. Although it was originally developed by the open source community, it is now available in a commercial flavor, as well. JBoss is written in Java and can host business components developed in Java.

JexBoss, an open-source verification tool for finding JBoss vulnerabilities, is a great aid in allowing SamSam ransomware attacks to infect JBoss. JexBoss can drill into the JBoss server for the malware.

Talos found another tool, a component of REGeorg called tunnel.jsp, to be an infection vector for Samsam. REGeorg is an open-source framework used to create socks proxies for communication.

Digging Deeper

A Talos scan discovered roughly 3.2 million machines were at risk by running unpatched versions of JBoss. The company also looked for already-compromised machines on which ransomware could be deployed.

It found more than 2,100 backdoors across 1,600 IP addresses associated with governments, schools, aviation companies and other types of organizations. Some of these may have been victims of other malware campaigns.

Talos’s conclusion about the findings bears repeating. “With around 2,100 servers affected, there are a lot of stories about how this happened,” the blog stated. “But a consistent thread in them all is the need to patch. Patching is a key component to software maintenance. It is neglected by both users and makers of the software far too often. Failures anywhere along the chain will ensure that this type of attack remains successful.”

While Talos recommended that external access to all servers that show signs of compromise be immediately removed until restoration can be performed, that’s only a stopgap measure. Mediation of the problem will be an ongoing process, ensuring that all systems are checked regularly and all patches applied to stop the ransomware’s spread.

More from

SoaPy: Stealthy enumeration of Active Directory environments through ADWS

10 min read - Introduction Over time, both targeted and large-scale enumeration of Active Directory (AD) environments have become increasingly detected due to modern defensive solutions. During our internship at X-Force Red this past summer, we noticed FalconForce’s SOAPHound was becoming popular for enumerating Active Directory environments. This tool brought a new perspective to Active Directory enumeration by performing collection via Active Directory Web Services (ADWS) instead of directly through Lightweight Directory Access Protocol (LDAP) as other AD enumeration tools had in the past.…

Smoltalk: RCE in open source agents

26 min read - Big shoutout to Hugging Face and the smolagents team for their cooperation and quick turnaround for a fix! Introduction Recently, I have been working on a side project to automate some pentest reconnaissance with AI agents. Just after I started this project, Hugging Face announced the release of smolagents, a lightweight framework for building AI agents that implements the methodology described in the ReAct paper, emphasizing reasoning through iterative decision-making. Interestingly, smolagents enables agents to reason and act by generating…

4 ways to bring cybersecurity into your community

4 min read - It’s easy to focus on technology when talking about cybersecurity. However, the best prevention measures rely on the education of those who use technology. Organizations training their employees is the first step. But the industry needs to expand the concept of a culture of cybersecurity and take it from where it currently stands as an organizational responsibility to a global perspective.When every person who uses technology — for work, personal use and school — views cybersecurity as their responsibility, it…

Topic updates

Get email updates and stay ahead of the latest threats to the security landscape, thought leadership and research.
Subscribe today