A Lesson on Patching: The Rise of SAMSAM Crypto-Ransomware

The critical role of patch management comes into play when attackers use vulnerabilities as entry points to infiltrate their target systems and networks, or when security flaws are abused to spread threats. The case of the infamous SAMSAM crypto-ransomware supports this. The threat deviated from other crypto-ransomware families: instead of arriving via malicious URLs or spam emails, it leverages security flaws in unpatched servers. In March 2016, SAMSAM hit a Kentucky hospital and encrypted all of its files, including those on the network. From the healthcare industry, SAMSAM moved on to target the education sector. In a recent attack, a significant number of servers and systems were exposed to SAMSAM and other malware via JBoss server vulnerabilities. JBoss is an open source application server that runs on Java. Systems or servers running the ‘Destiny’ software were also affected; according to a report by Cisco, this software is typically used by K-12 schools worldwide. Follett has already released a patch to protect users of Destiny software.

According to reports, the JexBoss exploit tool was used to install webshells, scripts that give remote administrative control of a system. Once compromised, these servers became infected with backdoors, webshells, and SAMSAM. The crypto-ransomware family propagates via unpatched servers and appends the .encryptedRSA file extension to the files it encrypts.
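The .encryptedRSA extension named above is the one artifact a responder can sweep a file server for to scope how far an infection spread. The following is an added example, not code from the original post or from Trend Micro: it walks a directory tree, collects every file carrying that extension, and summarizes the hits per directory together with the newest modification time (a rough indicator of when encryption stopped). The matching is case-insensitive by assumption, and `build_sample_tree()` creates a constructed sample tree in a temporary directory so the script runs offline.

```python
import os
import tempfile
from collections import defaultdict

# Extension SAMSAM appends to encrypted files, as stated in the post.
ENCRYPTED_EXT = ".encryptedRSA"


def find_encrypted_files(root):
    """Return [(path, mtime)] for every file under root ending in ENCRYPTED_EXT.

    Assumption: matching is case-insensitive, so a share that preserves
    case-insensitive names (e.g. SMB) is still swept correctly.
    """
    hits = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            if name.lower().endswith(ENCRYPTED_EXT.lower()):
                full = os.path.join(dirpath, name)
                try:
                    mtime = os.path.getmtime(full)
                except OSError:
                    # File vanished or is unreadable; skip rather than abort the sweep.
                    continue
                hits.append((full, mtime))
    return hits


def summarize(hits):
    """Aggregate hits: total count, count per directory, newest mtime seen."""
    per_dir = defaultdict(int)
    newest = None
    for path, mtime in hits:
        per_dir[os.path.dirname(path)] += 1
        if newest is None or mtime > newest:
            newest = mtime
    return {"total": len(hits), "per_dir": dict(per_dir), "newest_mtime": newest}


def build_sample_tree():
    """Constructed sample data (not real victim files): a temp tree with
    three encrypted files across two directories and two untouched files."""
    root = tempfile.mkdtemp(prefix="samsam_sweep_")
    layout = {
        "finance": ["budget.xlsx.encryptedRSA", "notes.txt.encryptedRSA", "readme.txt"],
        "hr": ["payroll.docx.EncryptedRSA", "policy.pdf"],
    }
    for sub, names in layout.items():
        d = os.path.join(root, sub)
        os.makedirs(d, exist_ok=True)
        for n in names:
            with open(os.path.join(d, n), "wb") as fh:
                fh.write(b"placeholder")
    return root


if __name__ == "__main__":
    root = build_sample_tree()
    report = summarize(find_encrypted_files(root))
    print("encrypted files found:", report["total"])
    for d, n in sorted(report["per_dir"].items()):
        print(f"  {n:4d}  {d}")
```

Run against a real share, point `find_encrypted_files` at the mount point; the per-directory counts show which shares were reachable from the infected host, which is the information needed to decide what to restore from backup.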

Challenges in patching

Although SAMSAM is not the first threat to exploit vulnerabilities to penetrate a network, its emergence introduces another layer of risk to enterprises and large organizations. Crown jewels or confidential data could be encrypted and lost, forcing enterprises to pay a large ransom in exchange for their crucial information. However, it is highly advisable not to pay attackers, as this doesn’t guarantee that organizations can retrieve their files.

Despite the threat’s sophistication in terms of infection vector and network mapping capability, applying patches and keeping systems and servers up-to-date could break the attack cycle. However, IT administrators face various challenges, such as the need to support daily operations and maintain uptime of critical services while securing the network perimeter. It’s a critical balancing act of protecting the enterprise environment while maintaining business operations. When a software vendor releases security fixes to address either zero-day exploits or vulnerabilities, IT administrators have to research and test the updates first before deploying them in their environment. They are forced to put patching on the back burner because it requires restarting mission-critical systems and servers, which could impact overall productivity and cause business interruptions.

According to one study, researching, testing, and deploying a patch takes 30 days on average, which leaves enterprises with a window of exposure. Any attack or threat using these vulnerabilities that surfaces during this period could endanger the security and data of enterprises.

Why virtual patching is necessary

Enterprises can opt for virtual patching to address the patch management challenges described above. This technology lets IT administrators protect vulnerable servers and endpoints without downtime or additional operational costs. In the absence of a vendor patch, virtual patching can shield vulnerabilities from exploits until a fix becomes available. It also allows IT admins to efficiently manage or schedule emergency patches for zero-day vulnerabilities or for in-the-wild attacks exploiting these security gaps. In addition, legacy systems and applications are protected from the risks that exploits pose.

Organizations’ crucial data are also secured against threats that capitalize on vulnerabilities, as in the case of SAMSAM. Even if enterprises don’t immediately apply the related patches, their vulnerable servers are protected against this crypto-ransomware. Currently, crypto-ransomware is one of the most notorious threats and continues to evolve to widen its reach.

Trend Micro Deep Security has a virtual patching feature with intrusion detection and prevention technologies. It’s a comprehensive solution that can protect organizations and enterprises from exploits and related malware payloads. Since threats and attacks using vulnerabilities are prevalent in today’s computing landscape, virtual patching is as necessary as base solutions like anti-malware and firewalls.

Trend Micro Deep Security and Vulnerability Protection protect user systems from threats that leverage these JBoss vulnerabilities via the following DPI rules:

  • 1007532 – JBoss Application Server Unauthenticated Remote Command Execution Vulnerability
  • 1004189 – RedHat JBoss Enterprise Application Platform JMX Console Authentication Bypass

On the other hand, Trend Micro endpoint solutions such as Trend Micro™ Security, Trend Micro Smart Protection Suites, and Trend Micro Worry-Free™ Business Security can protect users’ systems from SAMSAM crypto-ransomware by detecting the malicious files. Systems with Trend Micro™ Smart Protection Suites are also protected from this threat via Trend Micro Endpoint Application Control.

TippingPoint also mitigates this threat by making the following filters available to its customers:

MainlineDV

  • 9825: HTTP: JBoss jmx-console Authentication Bypass
  • 10502: HTTP: JBoss jmx-console Deployer Command Execution
  • 11822: HTTP: JBoss jmx-console Deployer Remote Code Execution Vulnerability
  • 13438: HTTP: HP Application Lifecycle Management JBoss Invoker Servlets Marshalled Object (ZDI-13-229)
  • 13515: HTTP: Attempt to invoke JMXInvokerServlet or EJBInvokerServlet (ZDI-13-229)

ThreatDV

  • 23872: HTTP: Ransom:MSIL/Samas.A Download Attempt
  • 23873: SMB: Ransom:MSIL/Samas.A File Transfer Attempt
  • 24140: TCP: Ransom:MSIL/Samas.B Download Attempt

We advise enterprises to upgrade their JBoss servers to the latest version. Some of the vulnerabilities used are old bugs (for example, CVE-2010-0738 and CVE-2007-1036) that have had patches available for years. We also recommend that IT admins limit access to their internal servers via firewall.
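The DPI rules and TippingPoint filters listed above, and the closing advice to restrict access to internal servers, all come down to the same control: requests for the JBoss jmx-console and the JMXInvokerServlet/EJBInvokerServlet endpoints should only ever come from a management network, and anything else is a signal worth blocking or alerting on. The following added example (not code from the post, nor from Trend Micro or TippingPoint) shows that logic as a small reviewer for web server access logs. It assumes the console and invoker servlets are mounted at their default JBoss paths, uses a placeholder management network of 10.0.5.0/24, and runs over a few constructed Apache-style log lines embedded in the script.

```python
import ipaddress
import re
from collections import Counter

# Management endpoints named by the DPI rules and TippingPoint filters above.
# Assumption: default JBoss mount points.
JBOSS_ADMIN_PATHS = (
    "/jmx-console",
    "/invoker/JMXInvokerServlet",
    "/invoker/EJBInvokerServlet",
)

# Placeholder: the only network that should reach those endpoints.
ADMIN_NETWORKS = [ipaddress.ip_network("10.0.5.0/24")]

# Apache/NCSA common log format: ip ident user [timestamp] "METHOD path proto" status bytes
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) \S+'
)


def parse_line(line):
    """Parse one access-log line into a dict, or None if it does not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["status"] = int(rec["status"])
    return rec


def is_admin_path(path):
    """True when the request targets a JBoss management endpoint (query string ignored)."""
    p = path.split("?", 1)[0]
    return any(p == a or p.startswith(a + "/") for a in JBOSS_ADMIN_PATHS)


def from_admin_network(ip):
    """True when the client address lies inside an allowed management network."""
    try:
        addr = ipaddress.ip_address(ip)
    except ValueError:
        return False
    return any(addr in net for net in ADMIN_NETWORKS)


def classify(rec):
    """Policy: management endpoints are reachable only from ADMIN_NETWORKS."""
    if not is_admin_path(rec["path"]):
        return "allow"
    if from_admin_network(rec["ip"]):
        return "allow"
    return "block"


def review_log(lines):
    """Return the (ip, method, path, status) tuples the policy would block."""
    findings = []
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue  # malformed line; skipped, not treated as a hit
        if classify(rec) == "block":
            findings.append((rec["ip"], rec["method"], rec["path"], rec["status"]))
    return findings


def offenders(findings):
    """Count blocked requests per source address for triage."""
    return Counter(ip for ip, _m, _p, _s in findings)


# Constructed sample log lines (not from any real incident).
SAMPLE_LOG = [
    '10.0.5.12 - - [22/Apr/2016:10:01:02 +0000] "GET /jmx-console/ HTTP/1.1" 200 5120',
    '203.0.113.7 - - [22/Apr/2016:10:05:44 +0000] "GET /jmx-console/ HTTP/1.1" 200 5120',
    '203.0.113.7 - - [22/Apr/2016:10:05:51 +0000] "POST /invoker/JMXInvokerServlet HTTP/1.1" 200 311',
    '198.51.100.9 - - [22/Apr/2016:10:07:13 +0000] "GET /index.html HTTP/1.1" 200 1874',
    'garbage line that does not parse',
]

if __name__ == "__main__":
    found = review_log(SAMPLE_LOG)
    for ip, method, path, status in found:
        print(f"BLOCK {ip} {method} {path} -> {status}")
    print("per-source:", dict(offenders(found)))
```

A status of 200 on a blocked line is the detail to escalate: it means the server answered an out-of-policy request to the console before any filter was in place, which is exactly the gap a virtual patch or firewall rule closes while the JBoss upgrade is being scheduled.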

Post from: Trendlabs Security Intelligence Blog – by Trend Micro


Story added 22 April 2016; the full text is available from the content source above.