Millions of unpatched JBoss servers open to abuse
Cisco's Talos security team has investigated SamSam infections among clients and now estimates that 3.2 million servers running JBoss are at risk of infection by the ransomware because of poor patching practices.
Cisco Systems' Talos security unit reckons that this could cause a lot of people a lot of trouble. "This led us to approximately 3.2 million at-risk machines".
The research found 2,100 backdoors installed across almost 1,600 IP addresses; backdoors that can allow the introduction of malware code.
From the brief look at the compromised servers, Cisco says that they belong to schools, governments, aviation companies, and more. Some third-party apps require older JBoss builds, and one such piece of software - Follett Learning's Destiny library management software used in U.S. schools - is getting hit.
Cisco Talos notified Follett, which described a patching system that patches Destiny installations running versions 9.0 through 13.25 and captures any non-Destiny files on the system to help remove backdoors. Follett's technical support staff will reach out to customers found to have suspicious files on their systems.
Cisco Talos and Follett will continue working together to analyze webshells discovered on compromised servers and will ensure that customers are aware of how to best protect their networks. Among the backdoors identified during the sweep were "mela", "shellinvoker", "jbossinvoker", "zecmd", "cmd", "genesis", "sh3ll" and possibly "Inovkermngrt" and "jbot".
Malicious actors are using out-of-date versions of Red Hat's JBoss enterprise server, a middleware software that integrates devices, data, and users across different platforms, as the initial point of compromise.
Web shells are scripts that indicate an attacker has already compromised a server and can remotely control it. Those associated with this exploit are listed in Talos's blog post.
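As an added example (not Talos's or Follett's tooling), the following Python sweep combines the allowlist idea behind Follett's cleanup (flag anything that is not an expected deployment) with the web shell names Talos reported above, run over a constructed deploy/ listing; the allowlist and the sample paths are assumptions.

```python
"""Allowlist sweep of a JBoss deploy/ listing for the web shell names Talos reported."""

# Web shell names reported by Cisco Talos (from the article), lower-cased for matching.
KNOWN_WEBSHELLS = frozenset({
    "mela", "shellinvoker", "jbossinvoker", "zecmd", "cmd",
    "genesis", "sh3ll", "inovkermngrt", "jbot",
})

# Hypothetical allowlist: deployments the operator expects to find in deploy/.
EXPECTED_DEPLOYMENTS = frozenset({"destiny.war", "jmx-console.war", "ROOT.war"})

def _stem(component):
    """'zecmd.war' -> 'zecmd', 'index.jsp' -> 'index' (first extension stripped, lower-cased)."""
    return component.split(".", 1)[0].lower()

def classify(rel_path, expected=EXPECTED_DEPLOYMENTS):
    """Return the reasons one deploy/-relative path is suspicious; [] if it looks normal."""
    parts = [p for p in rel_path.split("/") if p]
    reasons = []
    # Anything that is not an expected deployment is worth a look (Follett's approach).
    if parts and parts[0] not in expected:
        reasons.append("deployment not in allowlist: " + parts[0])
    # Any path component whose name matches a reported shell, even inside a trusted WAR.
    hits = sorted({_stem(p) for p in parts} & KNOWN_WEBSHELLS)
    if hits:
        reasons.append("matches reported web shell name(s): " + ", ".join(hits))
    return reasons

def sweep(listing, expected=EXPECTED_DEPLOYMENTS):
    """Map each suspicious path in the listing to its reasons; clean paths are omitted."""
    return {p: classify(p, expected) for p in listing if classify(p, expected)}

# Constructed deploy/ listing: one legitimate app plus planted shells. On a real host
# this would come from os.walk() over the JBoss deploy directory.
SAMPLE_LISTING = [
    "destiny.war/WEB-INF/web.xml",
    "destiny.war/index.jsp",
    "jmx-console.war/WEB-INF/web.xml",
    "ROOT.war/index.html",
    "zecmd.war/zecmd.jsp",          # shell deployed as its own WAR
    "genesis.war/WEB-INF/web.xml",  # shell deployed as its own WAR
    "destiny.war/cmd.jsp",          # shell dropped inside the legitimate app
    "reports.war/index.jsp",        # unknown deployment, not a reported shell name
]

if __name__ == "__main__":
    for path, reasons in sorted(sweep(SAMPLE_LISTING).items()):
        print(path, "->", "; ".join(reasons))
```

Name matching alone is weak evidence, since an attacker can rename a shell; the allowlist check is what catches the renamed case, and a hit of either kind still needs the file contents reviewed.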
A compromised host should be immediately taken down since it can be abused in various ways.
Talos added: "Our first recommendation, if at all possible, is to remove external access to the server". While the ideal scenario would be to re-image the system and install the latest versions of all the software, some organizations will be unable to rebuild from the ground up. If rebuilding from scratch isn't feasible, the next best option is to restore the system from a backup made before it was compromised and install all available updates before returning the server to production. "As always, running a reputable anti-virus software is recommended". Patching is neglected by both users and makers of the software far too often, and any failure along the chain will result in the success of an attack.
US-CERT has published an advisory concerning webshells.
Source → Millions of unpatched JBoss servers open to abuse