FBI MSIL/Samas.A Ransomware Flash Alerts
Page Count: 6 pages
Date: March 25, 2016
Restriction: TLP: GREEN
Originating Organization: Federal Bureau of Investigation, Cyber Divison
File Type: zip
File Size: 775,199 bytes
File Hash (SHA-256): AFF6B13256C8E0FE9A67F2F2E80C5AB337AF95F018104BA5CBC15FD093A1D8A9
- FBI Flash Alert MC-000068-MW, February 18, 2016
- FBI Flash Alert MC-000070-MW, March 25, 2016
- Samas Indicators of Compromise
The FBI previously identified that the actor(s) exploit Java-based Web servers to gain persistent access to a victim network and infect Windows-based hosts. The FBI also indicated that several victims have reported the initial intrusion occurred via JBOSS applications. Further analysis of victim machines indicates that, in at least two cases, the attackers used a Python tool, known as JexBoss, to probe and exploit target systems. Analysis of the JexBoss Exploit Kit identified the specific JBoss services targeted and vulnerabilities exploited. The FBI is distributing these indicators to enable network defense activities and reduce the risk of similar attacks in the future.
FBI indicators based on an ongoing investigation:
The JexBoss tool, publicly available on GitHub.com, prompts attackers to input the target URL for JexBoss to check for any of three vulnerable JBoss services: web-console, jmx-console, and JMXInvokerServlet. Depending on which vulnerabilities are detected, the tool then prompts the user to initiate corresponding exploits. The tool’s exploits are collectively effective against JBoss versions 4, 5, and 6. The payload of each exploit is a Web application Archive (.war) file, “jbossass.war”. A successful exploit results in unpackaging the .war file and utilizing jbossass.jsp to deploy an HTTP shell for the attacker.
Following initial infection of the network with MSIL/Samas.A, the actor(s) connect via RDP sessions. An open source tool, known as reGeorg, is used to tunnel the RDP traffic over the established HTTP connection. The actors use the Microsoft tool csvde.exe to determine the hosts reporting to the active directory. A list of all hosts found in the directory is compiled into a .csv file or other similar file type. Finally, the actor(s) distribute the ransomware to each host in the network using a copy of Microsoft’s psexec.exe.
Defending Against Ransomware Generally
Precautionary measures to mitigate ransomware threats include:
• Ensure anti-virus software is up-to-date.
• Implement a data back-up and recovery plan to maintain copies of sensitive or proprietary data in a separate and secure location. Backup copies of sensitive data should not be readily accessible from local networks.
• Scrutinize links contained in e-mails, and do not open attachments included in unsolicited e-mails.
• Only download software – especially free software – from sites you know and trust.
• Enable automated patches for your operating system and Web browser.