Outdated Apps Put 3.2M Servers at Risk for Ransomware

Besides the files specific to previous SamSam ransomware infections, researchers say they also found other well-known backdoors, such as "mela", "shellinvoker", "jbossinvoker", "zecmd", "cmd", "genesis", "sh3ll" and possibly "Inovkermngrt" and "jbot". The Cisco team therefore suggests that a compromised host be taken offline immediately, since it could be abused.

Cisco Talos found that compromised JBoss servers often carry more than one webshell and says it is critical to review the contents of the jobs status page. "We found just over 2,100 backdoors installed across almost 1600 IP addresses", the researchers wrote. Admins who discover webshells on their servers should first remove external access to the servers to prevent attackers from reaching the compromised machines remotely. "Ideally, you would also re-image the system and install updated versions of the software", Talos added. Red Hat renamed the JBoss Application Server WildFly back in 2014. Specifically, a number of these systems were running Follett Corp.'s Destiny library management system, used for tracking school library assets. Follett warned customers that a number of servers had been infected with backdoors, although it did not reveal how the software had been exploited. The company is urging customers to patch their Destiny systems.
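As an added example (not code from the article or from Cisco Talos), the check below walks a JBoss deploy directory and flags deployments whose name matches one of the webshell names quoted above; the sample directory tree, the deploy path and the filenames inside it are constructed for illustration.

```python
import tempfile
from pathlib import Path

# Webshell / backdoor names quoted in the article (matched case-insensitively).
KNOWN_WEBSHELLS = {
    "mela", "shellinvoker", "jbossinvoker", "zecmd", "cmd",
    "genesis", "sh3ll", "inovkermngrt", "jbot",
}

# Artefacts JBoss will actually deploy and serve; other files are ignored.
DEPLOYABLE_SUFFIXES = {".war", ".jsp", ".ear", ".sar"}


def suspicious_deployments(deploy_dir):
    """Return sorted relative paths whose base name matches a known webshell.

    Covers exploded deployments (a directory named zecmd.war), archived
    ones (a file named JbossInvoker.war) and a JSP dropped into an
    otherwise legitimate application (destiny.war/sh3ll.jsp)."""
    root = Path(deploy_dir)
    hits = []
    for path in root.rglob("*"):
        if path.suffix.lower() not in DEPLOYABLE_SUFFIXES:
            continue
        if path.stem.lower() in KNOWN_WEBSHELLS:
            hits.append(path.relative_to(root).as_posix())
    return sorted(hits)


def build_sample_deploy_dir():
    """Construct a throwaway deploy directory mimicking a compromised host."""
    root = Path(tempfile.mkdtemp(prefix="jboss-deploy-"))
    # Legitimate application with a constructed JSP backdoor dropped inside it.
    (root / "destiny.war" / "WEB-INF").mkdir(parents=True)
    (root / "destiny.war" / "index.jsp").write_text("<%-- legit --%>")
    (root / "destiny.war" / "sh3ll.jsp").write_text("<%-- constructed --%>")
    # Separately deployed backdoors: one exploded, one archived (constructed).
    (root / "zecmd.war").mkdir()
    (root / "zecmd.war" / "zecmd.jsp").write_text("<%-- constructed --%>")
    (root / "JbossInvoker.war").write_bytes(b"PK\x03\x04")
    # Name collision on a file JBoss would never deploy: must not be flagged.
    (root / "cmd.txt").write_text("notes")
    return root


if __name__ == "__main__":
    for hit in suspicious_deployments(build_sample_deploy_dir()):
        print("suspicious deployment:", hit)
```

A name match is only a triage signal: a hit still needs to be confirmed by inspecting the file, and renamed shells will not be caught, which is why the article's advice to cut external access and re-image stands regardless.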

"Follett identified the issue and immediately took actions to address and close the vulnerability", the company told Cisco.

Follett will contact customers that have suspicious files. Most ransomware relies on tricking a user into running a program that infects the victim's system.

Following its initial investigation, Cisco conducted thorough research into the prevalence of this JBoss vulnerability, a de facto backdoor into any server running the JBoss platform.

Schools are a logical target for attack by online extortionists. Once connected, the attackers uploaded and executed the ransomware.

Targeting servers is a relatively new approach for ransomware actors, given that a network's most sensitive data rests on the server rather than on individual computers. Cutting off external access is the best way to ensure that the adversaries can no longer reach the server.

The consistent message is the importance of patching software regularly and on time.

Patching is a key aspect of software maintenance that is often neglected by both software makers and users. Ransomware and other attacks are showing that not patching can have a devastating impact on an organization.

"Once the actor controls the server, they can do anything they want, including loading more tools", Cisco Talos wrote. Once attackers upload malicious webshells to a vulnerable server, they can begin to laterally move through the network, further infiltrating it.
