(Originally Authored March 31st, 2016)
Greetings, internet! I’m here to tell you the story of hospital ransomware, Samsam.exe, and the latest vulnerability that should have everyone running to patch their enterprise systems.
Tl;dr – JBoss is vulnerable and is being actively exploited. Patch it or get infected with ransomware. After you fix that, search for everything that uses the commons-collections Java library and make sure it isn’t vulnerable to the same crap. Many products bundle commons-collections, and while they may not be targeted now, they will be!
We were warned. We didn’t listen.
On January 28th, 2015, AppSecCali presenters Gabriel Lawrence (@gebl) and Chris Frohoff (@frohoff) gave a talk titled “Marshalling Pickles” which details “how deserializing objects can ruin your day.” Insecure deserialization (or unserialization) is a vulnerability class that abuses how object serialization works in a programming language. Serialization is the process of converting complex data structures (objects) into another format (usually binary) so they can be stored or sent over a network; deserialization reverses the process and rebuilds the objects from that format.
Vulnerabilities arise when developers accept serialized data from an untrusted source and deserialize it inside a program: the runtime instantiates whatever classes the data names, so the sender gets a say in which code runs while the objects are rebuilt. The AppSecCali team demonstrated proofs of concept and released ysoserial.jar.
On November 10th, 2015, Oracle released CVE-2015-4852. Their alert page shows that the vulnerability allows unauthenticated remote code execution on Oracle WebLogic Servers. While that’s bad enough to warrant serious research, it got worse. On November 6, 2015, Foxglove Security had published a blog post titled “What Do WebLogic, WebSphere, JBoss, Jenkins, OpenNMS, and Your Application Have in Common? This Vulnerability”. As it turns out, the vulnerability wasn’t just in WebLogic, but could be exploited in a large number of enterprise systems. The exploitable code lives in the commons-collections Java library, which all of those products bundle. This prompted a slew of organizations to issue alerts, with CVEs continuing to be pushed out regularly.
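The practical consequence of the paragraphs above is that a JBoss (or WebLogic, WebSphere, Jenkins...) endpoint that accepts Java object streams has no way to know what it is about to instantiate unless it looks before it deserializes. The following is an added example written for this post, not code from the original article, ysoserial, or any of the vendors named: a small Python triage function that recognizes a Java serialization stream (raw or Base64), lists the class names it declares, and compares them against an allow-list. The allow-list, the `org.apache.commons.collections` watch prefix and the sample streams are constructed for the demonstration; the class descriptor scan is a heuristic (it reads `TC_CLASSDESC` records by pattern rather than fully parsing the stream), which is the right level for a proxy or IDS check but not a substitute for an in-process filter.

```python
import base64
import re
import struct

# Java ObjectOutputStream header: STREAM_MAGIC 0xACED followed by STREAM_VERSION 0x0005.
STREAM_MAGIC = b"\xac\xed\x00\x05"
TC_OBJECT, TC_CLASSDESC = 0x73, 0x72

# Hypothetical allow-list: the only classes this endpoint is expected to receive.
ALLOWED_CLASSES = {"java.lang.String", "java.util.HashMap", "java.util.ArrayList"}
# Package whose presence in a network-supplied stream deserves a named alert.
WATCHED_PREFIXES = ("org.apache.commons.collections",)

# A TC_CLASSDESC record is 0x72, a 2-byte big-endian length, then the class name.
# Class names are short, so the high length byte is always 0x00 or 0x01.
CLASSDESC_RE = re.compile(rb"\x72(?P<len>[\x00\x01][\x00-\xff])(?P<name>[A-Za-z_$\[][\w$.;\[]*)")


def normalize(body: bytes) -> bytes:
    """Return raw stream bytes; Base64 of the magic header always begins with 'rO0AB'."""
    if body.startswith(b"rO0AB"):
        try:
            return base64.b64decode(body, validate=True)
        except ValueError:
            return body
    return body


def class_names(data: bytes) -> list:
    """Heuristically list every class name declared in the stream, in stream order."""
    names = []
    for m in CLASSDESC_RE.finditer(data):
        (length,) = struct.unpack(">H", m.group("len"))
        name = m.group("name")
        if 0 < length <= len(name):          # the regex may run past the name into the UID
            names.append(name[:length].decode("ascii"))
    return names


def check_body(body: bytes) -> dict:
    """Triage one request body: is it a Java object stream, and which classes does it carry?"""
    data = normalize(body)
    if not data.startswith(STREAM_MAGIC):
        return {"serialized": False, "classes": [], "verdict": "pass"}
    names = class_names(data)
    unexpected = [n for n in names if n not in ALLOWED_CLASSES]
    watched = [n for n in names if n.startswith(WATCHED_PREFIXES)]
    # Fail closed: an unreadable stream is blocked, not waved through.
    verdict = "allow" if names and not unexpected else "block"
    return {"serialized": True, "classes": names, "unexpected": unexpected,
            "watched": watched, "verdict": verdict}


def build_classdesc(class_name: str) -> bytes:
    """Constructed test data: the start of one TC_CLASSDESC record (name, UID, flags, no fields)."""
    name = class_name.encode("ascii")
    return (bytes([TC_CLASSDESC]) + struct.pack(">H", len(name)) + name
            + b"\x00" * 8        # serialVersionUID (placeholder value, constructed)
            + b"\x02"            # classDescFlags: SC_SERIALIZABLE
            + b"\x00\x00")       # field count 0 (record truncated; enough for the look-ahead)


# Constructed sample bodies: a plain HashMap, and one that also declares a class from the
# watched package ("ExampleTransformer" is a made-up name, not a real gadget class).
SAMPLE_BENIGN = STREAM_MAGIC + bytes([TC_OBJECT]) + build_classdesc("java.util.HashMap")
SAMPLE_SUSPECT = (SAMPLE_BENIGN
                  + build_classdesc("org.apache.commons.collections.ExampleTransformer"))
SAMPLE_BENIGN_B64 = base64.b64encode(SAMPLE_BENIGN)

if __name__ == "__main__":
    for body in (SAMPLE_BENIGN, SAMPLE_SUSPECT, SAMPLE_BENIGN_B64, b"name=alice&role=user"):
        print(check_body(body))
```

The decisive rule is the allow-list: the `watched` field only makes the alert more readable. A block-list of known gadget packages would be outrun by the next write-up, which is exactly the point of the commons-collections story. Inside the JVM the same look-ahead idea is what a filtering `ObjectInputStream` (and, from Java 9, `ObjectInputFilter`) provides for every class in the stream, including nested ones this pattern scan can miss when they are reached through back-references.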
While ysoserial.jar was successful in proving the exploit, it was still technically difficult to use. A user with sufficient knowledge of payload generation, Burp Suite, and coding could pull it off, but it remained out of the hands of skiddies. Or it did, until November 18th, 2015, when Trust Foundry researcher Nick Fox released the Java Deserialization Exploit. With this tool and very little knowledge, attacking vulnerable JBoss servers was as easy as LOIC.
With JBossExploit.jar and Shodan in hand, exploiting JBoss instances became trivially easy. While Trust Foundry demonstrated the attack with a reverse TCP shell, other hackers had bigger dreams.
On December 20th, 2015, Peter Kline informed the world that he had a client with a new virus, samsam.exe. The virus had spread through the whole network, encrypting files as it went using the Windows Cryptography API. The earliest non-public instance this researcher has dates back to December 04, 2015, and we were off to the races. Researchers began to see an attack pattern take shape. As emails and incident response reports were passed around the community, the story finally broke. On February 12, 2016, NBC Los Angeles reported that Hollywood Presbyterian Hospital had been hit with ransomware. With media pressure now on, teams moved quickly to respond. On February 18, 2015, the FBI issued a TLP:Green FLASH document identifying samsam as MSIL/Samas.A (AKA Gen.Variant.Kazy or RDN/Ransom):
“After an initial compromise, attackers map, connect to, and infect hosts on the network using several uploaded files. […] The actor(s) then distribute the malware to each host in the network using a copy of Microsoft’s psexec.exe.”
On March 24th, the MS-ISAC alerted the public that JBoss/WildFly was linked to the ransomware infections.
Here are the takeaways:
- Lazy Incident Response is Lazy! – 99% of the media stories you have read about the hospital ransomware attacks have been wrong. The attacks, for the most part, are not coming in through phishing or drive-by downloads as you’ve been led to believe. They are coming in through this JBoss vulnerability.
- We Aren’t Done Here – Now that the story is finally public enough for system administrators to notice the JBoss vulnerability, there are still thousands of programs out there using the same vulnerable commons-collections library. JBoss may be getting patched, but if we only patch JBoss, we’re not seeing the forest for the trees!
- Hospitals Aren’t The Only Problem – While hospital attacks have been making the news, they are a symptom, not the problem. Focusing only on hospitals is causing the industry to lose sight of the larger issue! Many enterprise systems use JBoss, and all of them are exposed to the JBoss / ransomware double header. While you are reading about hospitals in the news, the actual target list includes schools, governments, mass transit systems, and any number of other organizations we simply haven’t identified yet.
- NDAs Suck – In this incident, the pieces were there to put together from the minute the attacks started. NDAs and the lack of communication between groups attempting to solve this problem have allowed the problem to grow, have stifled progress in mitigating the issue, and have resulted in multiple media outlets misreporting the attacks. Poor users are being forced to attend spear-phishing classes while third-party vendors continue to deploy vulnerable JBoss instances inside some of our most trusted networks. If we want to get a handle on this, we need to work together. For every incident being reported on publicly, there are many organizations hiding from the public the fact that they were attacked. The issue is larger than you’ve been led to believe, it affects more than you were told it did, and it had nothing to do with phishing. The sooner we collectively attack this thing, the sooner we can go back to sipping beers at DEFCON.
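The tl;dr and the “We Aren’t Done Here” takeaway both say the same thing: find every copy of commons-collections, not just the one in JBoss. The inventory script below is an added example written for this post (not a tool from the article, the FBI, or Apache). It walks a deployment directory, opens every jar/war/ear, descends into nested archives such as `WEB-INF/lib/*.jar`, and reports each copy of the library with its version read from the Maven `pom.properties` entry. Copies that ship the classes without that metadata (shaded or repackaged builds) are reported for manual review rather than silently skipped. The Maven metadata paths and the 3.2.2 / 4.1 safeguard versions reflect the Apache releases as I know them; the fixture deployment built by `build_fixture` is constructed for the demonstration.

```python
import io
import os
import sys
import tempfile
import zipfile

# Class-file prefixes of the Commons Collections 3.x and 4.x trees.
CLASS_PREFIXES = ("org/apache/commons/collections/", "org/apache/commons/collections4/")
# Maven metadata entries inside the library's own jar (where the version is recorded).
POM_PROPERTIES = (
    "META-INF/maven/commons-collections/commons-collections/pom.properties",
    "META-INF/maven/org.apache.commons/commons-collections4/pom.properties",
)
# First releases that added the deserialization safeguards (3.2.2 and 4.1, Nov 2015).
SAFE_FROM = {3: (3, 2, 2), 4: (4, 1)}
ARCHIVE_SUFFIXES = (".jar", ".war", ".ear", ".zip")


def parse_version(text: str):
    """'3.2.1' -> (3, 2, 1); None when the string is not dotted integers (e.g. a SNAPSHOT)."""
    try:
        return tuple(int(p) for p in text.strip().split("."))
    except ValueError:
        return None


def classify(version) -> str:
    """Compare a parsed version against the first safeguarded release of its major line."""
    if version is None:
        return "review"            # classes present but no usable version metadata
    floor = SAFE_FROM.get(version[0])
    if floor is None:
        return "review"
    return "vulnerable" if version < floor else "patched"


def scan_archive(zf: zipfile.ZipFile, location: str, findings: list) -> None:
    """Record any Commons Collections classes in zf, then descend into nested archives."""
    names = zf.namelist()
    if any(n.startswith(CLASS_PREFIXES) for n in names):
        version = None
        for pom in POM_PROPERTIES:
            if pom in names:
                for line in zf.read(pom).decode("utf-8", "replace").splitlines():
                    if line.startswith("version="):
                        version = parse_version(line.split("=", 1)[1])
        findings.append({"location": location,
                         "version": ".".join(map(str, version)) if version else None,
                         "status": classify(version)})
    for n in names:
        if n.lower().endswith(ARCHIVE_SUFFIXES):
            try:
                with zipfile.ZipFile(io.BytesIO(zf.read(n))) as inner:
                    scan_archive(inner, f"{location}!/{n}", findings)
            except zipfile.BadZipFile:
                continue


def scan_tree(root: str) -> list:
    """Scan every archive under root (sorted for stable output) and return the findings."""
    findings = []
    for dirpath, _, filenames in os.walk(root):
        for fn in sorted(filenames):
            if fn.lower().endswith(ARCHIVE_SUFFIXES):
                path = os.path.join(dirpath, fn)
                try:
                    with zipfile.ZipFile(path) as zf:
                        scan_archive(zf, path, findings)
                except zipfile.BadZipFile:
                    continue
    return findings


def build_fixture(root: str) -> None:
    """Constructed sample deployment: a patched jar on disk, an old copy and a shaded copy in a WAR."""
    def make_jar(version) -> bytes:
        buf = io.BytesIO()
        with zipfile.ZipFile(buf, "w") as jar:
            # Stand-in class entry (only the path matters here; contents are the class-file magic).
            jar.writestr("org/apache/commons/collections/Transformer.class", b"\xca\xfe\xba\xbe")
            if version:
                jar.writestr(POM_PROPERTIES[0], f"version={version}\n")
        return buf.getvalue()

    with open(os.path.join(root, "commons-collections-3.2.2.jar"), "wb") as f:
        f.write(make_jar("3.2.2"))
    with zipfile.ZipFile(os.path.join(root, "legacy-app.war"), "w") as war:
        war.writestr("WEB-INF/lib/commons-collections-3.2.1.jar", make_jar("3.2.1"))
        war.writestr("WEB-INF/lib/vendor-all.jar", make_jar(None))   # shaded copy, no metadata


def demo() -> list:
    """Build the fixture in a temporary directory and scan it."""
    with tempfile.TemporaryDirectory() as root:
        build_fixture(root)
        return scan_tree(root)


if __name__ == "__main__":
    results = scan_tree(sys.argv[1]) if len(sys.argv) > 1 else demo()
    for finding in results:
        print(f"{finding['status']:<10} {finding['version'] or '?':<8} {finding['location']}")
```

Run it against a deployment root (`python scan.py /opt/jboss`) or with no argument to scan the constructed fixture. Treat every “review” line as a finding until proven otherwise: vendor bundles that shade the library are exactly the copies nobody patches.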
There are brilliant technical write-ups being done on this issue, and replicating the hashes and malware analysis already out there isn’t what we’re aiming to do here. For technical details, including Snort rules and other things an incident response or IT manager may need, please review FBI Flash MC-000068-MW at https://otx.alienvault.com/pulse/56f946d44637f207cbcce65e/. The Talos team has also pushed a write-up chock full of technical details, here: http://blog.talosintel.com/2016/03/samsam-ransomware.html.