The city of Atlanta has become one of the latest victims of a ransomware attack. The attack is believed to be the result of the SamSam malware that has compromised various healthcare, government, and educational systems over the past several years.
This malware initially targeted a remote code execution vulnerability in JBoss web servers, but it has also been known to target exposed RDP and FTP services. If we continue with the assumption that the SamSam malware is responsible for locking down Atlanta’s IT systems, what could have been done to prevent such an attack, and what are some of the hurdles an organization may encounter?
If the ransomware attack originated from the original flavor of SamSam, which targets vulnerable JBoss servers, the first solution is to patch to a nonvulnerable version of JBoss. While this may sound easy in theory, it often becomes difficult in practice.
For many organizations with hundreds or thousands of systems spread across multiple business units, simply maintaining an accurate technology inventory is challenging. Additionally, JBoss is only one piece of the technology stack that must be inventoried and patched regularly—the operating system, as well as applications served by JBoss, must also be inventoried and patched accordingly.
Many organizations have critical applications that are not compatible with newer JBoss instances, preventing them from patching to a secure version. In these scenarios, the vulnerable JBoss components must be disabled manually, or compensating network-level controls must be implemented to block access to the vulnerable components.
Remember that vulnerable JBoss servers are only one entry point for this malware, as it may also be introduced over a compromised RDP or FTP service.
In most environments, there is no business justification for having these services externally exposed. Like patching, maintaining up-to-date firewall rules and continually auditing system services becomes a complex task when an organization runs many systems spread across multiple business units.
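One way to automate the audit described above, as an added example that is not from the original post or from Synopsys: a small Python check over a constructed, vendor-neutral rule format that flags allow rules reaching RDP (3389) or FTP (21) from any source outside the assumed internal address ranges.

```python
"""Flag firewall rules that expose RDP or FTP beyond internal networks.

Constructed example: the rule format (name/action/src/dport) is an
assumption, not a real vendor export, and the internal ranges are the
RFC 1918 blocks as a stand-in for an organization's own inventory.
"""
import ipaddress

# Services the post says should not be reachable from outside.
RISKY_PORTS = {3389: "RDP", 21: "FTP"}

# Assumed internal ranges; replace with the organization's real inventory.
INTERNAL_RANGES = [ipaddress.ip_network(c) for c in
                   ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

# Constructed sample ruleset (dport is an int or "any").
SAMPLE_RULES = [
    {"name": "allow-rdp-anywhere", "action": "allow", "src": "0.0.0.0/0", "dport": 3389},
    {"name": "allow-rdp-vpn", "action": "allow", "src": "10.8.0.0/16", "dport": 3389},
    {"name": "allow-ftp-partner", "action": "allow", "src": "203.0.113.0/24", "dport": 21},
    {"name": "allow-https", "action": "allow", "src": "0.0.0.0/0", "dport": 443},
    {"name": "allow-legacy-any", "action": "allow", "src": "0.0.0.0/0", "dport": "any"},
    {"name": "deny-all", "action": "deny", "src": "0.0.0.0/0", "dport": "any"},
]


def is_external_source(cidr: str) -> bool:
    """True unless the whole source range sits inside an internal block."""
    net = ipaddress.ip_network(cidr, strict=False)
    return not any(net.subnet_of(internal) for internal in INTERNAL_RANGES)


def _matched_services(dport):
    """Risky services a rule's destination port specification reaches."""
    if dport == "any":
        return list(RISKY_PORTS.values())
    service = RISKY_PORTS.get(dport)
    return [service] if service else []


def find_exposed_services(rules):
    """Return (rule name, service) pairs for allow rules that expose RDP/FTP externally."""
    findings = []
    for rule in rules:
        if rule["action"] != "allow" or not is_external_source(rule["src"]):
            continue
        for service in _matched_services(rule["dport"]):
            findings.append((rule["name"], service))
    return findings


if __name__ == "__main__":
    for name, service in find_exposed_services(SAMPLE_RULES):
        print(f"EXPOSED: rule {name!r} allows {service} from an external range")
```

Feeding a real rule export into `find_exposed_services` only requires a loader that maps each vendor's fields onto the assumed name/action/src/dport keys.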
While Atlanta’s ransomware attack may be the result of poor IT hygiene, hindsight is always 20/20, and relatively simple tasks that are easy in theory become complex when applied to the IT infrastructure of large organizations.
The Building Security In Maturity Model (BSIMM) framework from Synopsys helps clients across various industry verticals identify these types of deficiencies and improve their organizations’ security posture.