Cisco Talos researchers say that 3.2 million servers have a JBoss vulnerability that could potentially be exploited by SamSam ransomware. Even more worrying, the researchers found 2,100 backdoors across 1,600 servers that are "already compromised and potentially waiting for a ransomware payload," Cisco Talos wrote.
Attackers used a JBoss-specific exploit called JexBoss -- a Jboss verification and exploitation tool -- to compromise vulnerable servers, then install webshells and backdoors for remote access. Cisco Talos researchers found that compromised JBoss servers typically have more than one webshell installed, suggesting that the systems have been repeatedly compromised by different actors. The list of webshells include mela, shellinvoker, jbossinvoker, zecmd, cmd, genesis, sh3ll, and jbot.
"Given the severity of this problem, a compromised host should be taken down immediately as this host could be abused in a number of ways," Cisco Talos wrote in a bulletin. This would prevent attackers from accessing the server remotely.
Review the contents of a server's jobs status page for anything suspicious. If webshells are found, the first step is to remove external access to the server, Cisco Talos said. While the ideal scenario would be to re-image the system and install the latest versions of all the software, some organizations will be unable to rebuild from the ground up.
"The next best option would be to restore from a backup prior to the compromise and then upgrade the server to a non-vulnerable version before returning it to production," Cisco Talos said.
Red Hat's middleware software lets enterprises automate business processes as well as create and integrate applications, data, and devices. The vulnerability is more than six years old and Red Hat patched the flaw back in 2010. Red Hat renamed the JBoss Application Server as WildFly back in 2014. Unfortunately, quite a number of organizations still use older versions of JBoss, 4.x and 5.x, and they haven't applied the original patch -- which made it possible for attackers to compromise so many of these servers in the first place.
K-12 affected
Many of the infected systems were running Follett's Destiny library-management software, commonly used by schools and other educational institutions. Follett warned customers that a number of servers have been infected with backdoors, although it did not reveal how the software had been exploited. Follett's patch addresses the problem for systems running Destiny versions 9.0 to 13.5.
"Based on our internal systems security monitoring and protocol, Follett identified the issue and immediately took actions to address and close the vulnerability on behalf of our customers," Follett said in a statement.
Follett's technical support team has been contacting customers who have been infected to urge them to update. Government and aviation companies are among those affected by this vulnerability, Cisco said.
Ransomware attacks are evolving
Ransomware attackers are no longer limited to drive-by downloads, users inadvertently clicking on the wrong link, or people tricked into opening a file booby-trapped with macros. SamSam ransomware was recently updated to get a foothold in the organization by exploiting known server vulnerabilities.
The fact that SamSam targets servers makes it easier for the ransomware to cripple an organization, as the data on the servers are mission-critical. This isn't merely targeting a user or data files stored on a fileshare. If the server is locked by ransomware, chances are mission-critical applications are affected.
Newer methods are evolving. A few weeks ago, a ransomware variant called Surprise appeared to be targeting machines with TeamViewer remote control software installed. The Surprise attackers used stolen credentials to open TeamViewer connections to the target machine. Once connected, the attackers uploaded and executed the ransomware. The attackers likely obtained the account credentials from a password leak or dump, and they tried to see if any had been reused with the remote control software, TeamViewer said in a statement. Once logged in with the victim's credentials, the attackers can access all assigned devices in order to install malware or ransomware.
"As TeamViewer is a widely spread software, many online criminals attempt to log on with the data of compromised accounts in order to find out whether there is a corresponding TeamViewer account with the same credentials," the company said.
While SamSam ransomware is the most immediate threat targeting JBoss servers, it isn't the only attack to worry about. Nothing is preventing attackers from using a compromised server to launch distributed denial-of-service attacks or consume resources to mine bitcoins, for example.
The consistent message is the importance of patching software regularly and on time. Patching is critical but frequently neglected -- both by organizations and by software vendors. Ransomware and other attacks are showing that not patching can have a devastating impact on an organization.
"Once the actor controls the server, they can do anything they want, including loading more tools," Cisco Talos wrote. "A compromised Web server could be used to pivot and move laterally within an internal network."