The National Cybersecurity and Communications Integration Center (NCCIC), part of the Department of Homeland Security (DHS), has issued a US-CERT alert for the JBoss Verify and EXploitation (JexBoss) tool, an open-source tool often used by red teams.
According to the alert, malicious actors are using JexBoss to test and exploit vulnerabilities not only in the JBoss Application Server (JBoss AS) but also in a variety of Java applications and platforms.
Written in Python, JexBoss, which is also used in threat hunting, automates all the phases of a cyber-attack, making it a powerful tool in the hands of threat actors. Attackers have reportedly used JexBoss in the SamSam ransomware campaign that targeted the healthcare industry.
JexBoss runs on most standard operating systems and allows an attacker to execute arbitrary OS commands on the target host, the CERT said. The attacker submits those commands by installing a webshell, blindly injecting commands, or establishing a reverse shell.
In an exploit attempt, researchers were successful in the delivery, exploitation, installation, command-and-control and action on objectives phases, and NCCIC determined that JexBoss operates at all seven phases of the Cyber Kill Chain framework.
“It is very concerning to see that an open source tool created to detect vulnerabilities is now being used to test and exploit vulnerabilities in JBoss AS,” said Justin Jett, director of audit and compliance for Plixer.
“It is critical that IT professionals monitor the traffic on their servers where JBoss is installed. Specifically, they should be sure to take advantage of network traffic analytics to determine when non-authorized users or IPs are connecting to these devices directly and to ensure that firewall rules are being properly enforced. Should malicious actors gain access to the server, they can easily determine which vulnerabilities are available to exploit, and more importantly they may be able to change the behavior of the application. This could cause irreparable damage if the application is customer facing or contains sensitive information.”
Best practices for mitigation include ensuring that servers are not vulnerable to the exploits JexBoss uses. The NCCIC also recommends that users and administrators review AR18-312A for more information.