The NCCIC on Thursday released a report on hackers' use of the exploitation tool JexBoss to remotely access victims' systems. Analysis Report (AR) AR18-312A: JexBoss – JBoss Verify and EXploitation Tool provides information on JexBoss’ capabilities, as well as suggestions for detection and mitigation.
JBoss Verify and EXploitation tool (JexBoss) is an open-source tool used by cybersecurity hunt teams, sometimes referred to as red teams, and auditors to conduct authorized security assessments. Threat actors use this tool maliciously to test and exploit vulnerabilities in JBoss Application Server (JBoss AS)—now WildFly—and a variety of Java applications and platforms.
JexBoss automates all the phases of a cyberattack, making it a powerful and easy-to-use weapon in a threat actor’s cyber arsenal.
In March 2016, the Cisco Talos Intelligence Group (Talos) investigated a widespread ransomware campaign known as SamSam, which was targeting the healthcare industry. Talos identified numerous instances where the attackers used JexBoss to gain initial access to the target network through vulnerable versions of JBoss AS.
The April 2017 Symantec Internet Security Threat Report documented an intrusion by the Iran-based Chafer espionage group against a target in Turkey. In that intrusion, Chafer used JexBoss to identify and exploit a vulnerable version of JBoss AS, then moved laterally into other computers on the victim’s network.
The report provides a detailed analysis of JexBoss’ functionality, along with detection, response, prevention, and mitigation recommendations. Get the full report here.