As many news outlets have reported, Atlanta is recovering from an attack on its city computers that occurred on the morning of March 22. Initial reports stated and later confirmed that SamSam ransomware, also known as Samas and SamSamCrypt, was at play. SamSam ransomware exploits older, unpatched JBoss system and Java deserialization vulnerabilities. It also looks for insecure RDP connections within the targeted environment.
SamSam ransomware was active in early 2016, and is now making a comeback. This ransomware has been identified in shutting down systems in February 2018 at the Colorado Department of Transportation. In January 2018, Hancock Heath, a regional hospital in Indiana was stricken by the malware. The fact that SamSam has been so successful in several instances in the recent past reiterates the need to reduce one's Cyber Exposure gap and time to remediate.
SamSam ransomware differs from other ransomware because the attackers don’t rely on user-based attack vectors, such as phishing campaigns. Instead, they utilize compromised hosts to gain a foothold, then move laterally through the network.
The vulnerabilities exploited by SamSam include those identified in the following CVE:
- CVE-2010-0738
- CVE-2012-0874
- CVE-2010-1428
Tenable detects these vulnerabilities via the following plugins:
How Tenable can help
Tenable developed Nessus® plugins to detect these vulnerabilities for Tenable.io Vulnerability Management, SecurityCenter and Nessus Pro. Specifically, these plugins identify vulnerabilities that would allow a remote attacker to utilize the JBoss flaw to gain access to sensitive information. In addition, Tenable.io Container Security has detection for the vulnerabilities in Docker container images.
To determine if you’re currently vulnerable to any of the exploits listed above, log into Tenable.io, click the Advanced link located on the top right area of the top navigation bar. Within the Advanced Search pop-up, select “CVE” from the pick list, using default “is equal to”, and enter the listed CVE IDs, separated by a comma. Then, click Apply, as shown in the image below.
Identified vulnerabilities will be displayed on the Vulnerability Workbench. See below.
At this point, you may select a specific vulnerability to retrieve details, such as the Description, Solution and References, which will assist in mitigating the vulnerability.
To view information about which specific assets are vulnerable, click the Assets tab on the Vulnerability Workbench. Selecting an asset will also present you with a vulnerability view, which when selected will also take you to the detailed view shown above.
Most ransomware exploits well-known vulnerabilities that already have patches available.
Next steps and additional resources
Implementing a proactive security program that includes regular patching and system updating is one of the best strategies you can use to prevent malware from infecting your systems.
Make patching and protecting assets a regular habit. The risk is higher if operating systems and/or applications are out-of-date and unsupported. Patching all your assets on a regular basis, and developing a regular backup schedule can help prevent ransomware.
We will continue to monitor the situation and update our detection, as required, to keep our customers secure.
For more information about how Tenable can help your organization reduce the risk of ransomware infections, review this brief on-demand webinar: Using Tenable.io to Reduce the Risk of Ransomware Infections
In the meantime, to scan internal hosts, download a Nessus scanner and link the scanner to your Tenable.io account. If you aren’t a Tenable.io customer, sign up for a free 60-day evaluation.
Many thanks to Rajiv Motwani, Steve Tilson, Anthony Bettini, Clint Merrill and the entire Tenable research team for their contributions.