Malicious threat actors commonly use legitimate IT network based tools against us – tools like Metasploit, PowerShell, PsExec, Nessus, and Shodan, that were originally developed to help defend and manage our networks. Following ongoing WaterISAC reporting, the NCCIC released an analysis report today illustrating the continued use of IT tactics, techniques, and procedures (TTPs) to gain footholds into our organizations. Analysis report AR18-312A highlights the open-source web application server vulnerability scanning tool JBoss Verify and EXploitation Tool (JexBoss).

JexBoss is an open-source tool used by cybersecurity defense teams to discover and assess vulnerabilities within the JBoss Application Server (JBoss AS), as well as other Java applications and platforms. JexBoss performs scans to determine vulnerability against several known exploits and produces a vulnerability report. JexBoss also has the ability be configured to exploit any exposed vulnerabilities automatically after scanning. AR18-312A highlights how to detect JexBoss’ behavior through passive network traffic monitoring, and covers reported uses of JexBoss in prior attacks, including the widespread SamSam ransomware campaign in 2016 against several healthcare organizations.

Defense-in-depth mitigations to protect against malicious exploitation of JexBoss include, system patching/updating, review and audit of server logs, secure access to administrator consoles, and the use of least privileged accounts to run servers. Additionally, organizations should consider using JexBoss and similar tools to find vulnerabilities in their environments before the bad guys do.