Baltimore’s Union Memorial Hospital is the epicenter of a malware attack upon its parent organization, MedStar. Data at Union Memorial and other MedStar hospitals in Maryland have been encrypted by ransomware spread across the network, and the operators of the malware are offering a bulk deal: 45 bitcoins (about $18,500) for the keys to unlock all the affected systems.
Reuters reports that the FBI issued a confidential urgent “Flash” message to the industry about the threat of Samsam on March 25, seeking assistance in fighting the ransomware and pleading, “We need your help!” The FBI’s cyber center also shared signature data for Samsam activity to help organizations screen for infections. But the number of potential targets remains vast, and the FBI was concerned that entire networks could fall victim to the ransomware.
New server-targeting malware hitting healthcare targets with unpatched websites.
According to sources who spoke to the Baltimore Sun, the malware involved in MedStar’s outages is Samsam, also known as Samas and MSIL. The subject of a recent confidential FBI cyber-alert, Samsam is a form of malware whose operators break in through well-known exploits against the JBoss application server and other Java-based application platforms. As Ars reported on Monday, the exploits used are the ones published as part of JexBoss, an open-source security and penetration testing tool for checking JBoss servers for misconfiguration.
The exploited vulnerabilities are in the JBoss management interfaces: the web-based JMX console (jmx-console) and the invoker servlets that accept serialized Java objects from remote management clients. A default installation of the older JBoss releases leaves these interfaces reachable from outside without authentication. The attacker uses them to get code running on the server, obtain a remote shell, and install the Samsam malware onto the targeted Web application server. From there, the compromised server is used to push the ransomware client to Windows machines on the internal network. There is no communication with a command-and-control network once the server is compromised, so detection has to focus on the initial requests to the management endpoints and on the subsequent lateral movement, not on beaconing.
According to Craig Williams of Cisco’s Talos Research, an Internet scan by Talos revealed approximately 2.1 million systems vulnerable to the JBoss exploit used in the attack. And other exploits of the same class (unauthenticated deserialization of attacker-supplied Java objects), which have been known for more than a year, are waiting in the wings to strike systems based on JBoss and related platforms such as WebLogic, WebSphere, the open-source Jenkins automation server, and the OpenNMS network management platform.
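The two practical questions behind the paragraphs above are whether a given JBoss host exposes the management endpoints JexBoss probes, and whether traffic to those endpoints looks like the serialized-object exploit pattern. The following Python script is an added example written for this page; it is not code from the article, from MedStar, from Talos, or from JexBoss. The endpoint list, the response-classification rules, the trusted-network definition and the sample requests are all assumptions constructed for illustration.

```python
"""Added example (not from the article, MedStar, Talos or JexBoss): probe a JBoss
host for exposed management endpoints and triage HTTP requests to them for Java
serialized payloads. Paths, rules and sample traffic are assumptions."""
import http.client
from ipaddress import ip_address, ip_network

# Management paths a legacy JBoss install exposes; JexBoss probes the first three.
JBOSS_MGMT_PATHS = (
    "/jmx-console/",
    "/web-console/",
    "/invoker/JMXInvokerServlet",
    "/invoker/EJBInvokerServlet",
    "/admin-console/",
)
INVOKER_PATHS = tuple(p for p in JBOSS_MGMT_PATHS if p.startswith("/invoker/"))

# Every Java serialized stream begins with STREAM_MAGIC 0xACED, STREAM_VERSION 5.
JAVA_SERIALIZED_MAGIC = b"\xac\xed\x00\x05"
JAVA_SERIALIZED_MIME = "application/x-java-serialized-object"


def classify_response(path, status, headers):
    """Map one probe's HTTP response to exposed / protected / absent / unknown."""
    if status in (401, 403):
        return "protected"
    if status == 404:
        return "absent"
    if status in (301, 302, 303, 307, 308):
        # Redirect to a login form shows an auth layer exists; other redirects
        # (e.g. adding a trailing slash) tell us nothing yet.
        return "protected" if "login" in headers.get("location", "").lower() else "unknown"
    if status == 200:
        return "exposed"
    if status == 500 and path in INVOKER_PATHS:
        # The invoker servlets throw on a GET with no serialized body: a 500 means
        # the servlet handled our request without asking for credentials.
        return "exposed"
    return "unknown"


def probe_host(host, port=8080, timeout=5):
    """Live check (needs network; not exercised by the test): GET each path."""
    results = {}
    for path in JBOSS_MGMT_PATHS:
        conn = http.client.HTTPConnection(host, port, timeout=timeout)
        try:
            conn.request("GET", path, headers={"User-Agent": "jboss-exposure-check"})
            resp = conn.getresponse()
            hdrs = {k.lower(): v for k, v in resp.getheaders()}
            results[path] = classify_response(path, resp.status, hdrs)
        except OSError:
            results[path] = "unreachable"
        finally:
            conn.close()
    return results


def _trusted(src, trusted_nets):
    addr = ip_address(src)
    return any(addr in ip_network(n) for n in trusted_nets)


def triage_request(req, trusted_nets):
    """Return 'alert', 'expected' or 'ignore' for one parsed request (a dict with
    src, method, path, content_type and body_prefix). Serialized Java POSTs to
    the invoker servlets are normal from the admin network and an exploit
    attempt from anywhere else; any outside request to a management path is
    at least reconnaissance."""
    if not any(req["path"].startswith(p.rstrip("/")) for p in JBOSS_MGMT_PATHS):
        return "ignore"
    inside = _trusted(req["src"], trusted_nets)
    serialized = (req["body_prefix"].startswith(JAVA_SERIALIZED_MAGIC)
                  or req["content_type"] == JAVA_SERIALIZED_MIME)
    if req["method"] == "POST" and serialized:
        return "expected" if inside else "alert"
    return "ignore" if inside else "alert"


# Constructed sample traffic (assumed admin network 10.10.0.0/16; not real data).
TRUSTED = ("10.10.0.0/16",)
SAMPLE_REQUESTS = [
    {"src": "10.10.5.7", "method": "POST", "path": "/invoker/JMXInvokerServlet",
     "content_type": JAVA_SERIALIZED_MIME, "body_prefix": b"\xac\xed\x00\x05sr\x00"},
    {"src": "203.0.113.9", "method": "POST", "path": "/invoker/JMXInvokerServlet",
     "content_type": "application/octet-stream", "body_prefix": b"\xac\xed\x00\x05sr\x00"},
    {"src": "203.0.113.9", "method": "GET", "path": "/jmx-console/HtmlAdaptor",
     "content_type": "", "body_prefix": b""},
    {"src": "198.51.100.4", "method": "GET", "path": "/index.html",
     "content_type": "", "body_prefix": b""},
]


def triage_all(requests=SAMPLE_REQUESTS, trusted_nets=TRUSTED):
    return [triage_request(r, trusted_nets) for r in requests]


if __name__ == "__main__":
    for r, verdict in zip(SAMPLE_REQUESTS, triage_all()):
        print(f"{verdict:8} {r['src']:14} {r['method']} {r['path']}")
```

Run `probe_host("host")` against your own JBoss instances to see which management paths answer without credentials; anything reported as `exposed` should be firewalled or placed behind authentication before worrying about signatures. The triage function keys on the serialized-stream magic bytes rather than on a particular gadget chain, because the payload that follows the magic varies between the JexBoss exploits and the other deserialization exploits the article mentions.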
Aside from JexBoss, there are several other proof-of-concept and even “weaponized” exploits of JBoss already publicly available. Some security researchers have speculated that these could be used as part of a self-spreading “worm” malware that scans for exploitable servers and then works its way into the networks attached to them.