In recent weeks there have been multiple reports regarding a ransomware campaign, known as SamSam, targeting vulnerable JBoss (now known as WildFly) application servers. An official report released by Cisco Talos states that there have been approximately 3.2 million machines hosting the vulnerable versions of JBoss.

Further investigation found that a large number of K-12 schools (approximately 2100 servers) have already been exploited by the vulnerability allowing the hackers to deploy backdoor webshells on any of the compromised servers—indicating that the attackers have gained remote control over the server.

What is SamSam and how does it work?

SamSam falls under a family of ransomware that differs from traditional attack vectors that primarily focus on user interaction, such as phishing emails or malicious toolkits.

Instead, SamSam works by distributing itself through compromised servers, and uses those servers to pivot its way around the internal network and hooking itself to additional machines.

The hooked machines will have various files encrypted with the AES block cipher, which is then also encrypted using RSA-2048 bit encryption—effectively holding that specific machine along with the other machines on the network, for ransom.

Why older versions of JBoss?

The SamSam ransomware traditionally found itself focused and dominant in the healthcare industry, however newer iterations took a heavy turn towards vulnerable JBoss application servers, and as a result heavily targeted the education industry. K-12 schools are particularly affected, due to their use of a Library Management System called ‘Destiny’, which runs on JBoss in many educational institutions worldwide.

This seems to be happening because attackers are leveraging an open-source testing and exploitation tool known as JexBoss to exploit remote code execution vulnerabilities in JBoss servers. SamSam is then used to rapidly encrypt volumes on vulnerable systems and even move laterally to expand its reach to other resources on the network.

Detecting older versions of JBoss with Acunetix

Acunetix Vulnerability Scanner is able to detect web applications that are running vulnerable versions of JBoss. Scheduled, recurring automated scans allows you to detect high-severity issues affecting your web application or web service as soon as such vulnerabilities are disclosed.



The easiest way to remediate against this vulnerability is to install patches for these vulnerabilities and update your JBoss servers.

Other security best practices to avoid being exploited similar vulnerabilities in the future would be to construct a comprehensive recovery strategy based on your business needs – this involves a tried and tested backup strategy with offsite/cloud copies of backups to avoid ransomware encrypting backups.

Additionally, defending against such threats effectively requires a defence in depth strategy. Defense in depth is a principle of adding security in layers in order to increase the security posture of a system as a whole. In other words, if an attack causes one security mechanism to fail, the other measures in place take arms to further deter and even prevent an attack.

Juxhin Dyrmishi Brigjaj

Acunetix developers and tech agents regularly contribute to the blog. All the Acunetix developers come with years of experience in the web security sphere.