3.2m servers are possible targets for a ransomware campaign

A new strain of ransomware targets servers, which is, to put it mildly, a troubling development.

3.2 million servers fall victim to an old and now heavily exploited vulnerability. Cisco released a formidable heads-up earlier this month, stating that over 3 million servers are vulnerable to the JBoss flaw, with many already backdoored.

JBoss (currently WildFly) is middleware produced by Red Hat that includes enterprise-class software used to create and integrate applications, data and devices, and automate business processes. The vulnerability in question is five years old (i.e. really old), and the patch has been available since 2010. Red Hat has even renamed JBoss since then.

Still, as an example of “IT renewal reluctance”, a malady very characteristic of larger businesses, the old and vulnerable versions of JBoss are still around because of the custom applications based on those versions.

This old flaw has been used by the actors behind the massive ransomware campaign codenamed SamSam. Unlike many others, SamSam is targeting servers specifically. As of the end of March, hospitals were the primary victims of the attacks; however, it was later discovered that hackers had used the very same vulnerability to backdoor a large number of schools (primarily in the U.S.).

According to Threatpost, the hardest hit have been K-12 schools running library management software called Destiny by Follett.

Attackers are using a JBoss-specific exploit tool called Jexboss to compromise servers. According to Cisco Talos researchers, the JBoss vulnerability has been used to drop a number of webshells and backdoors, including “mela”, “shellinvoker”, “jbossinvoker” and “jbot,” among others, meaning the machines have likely been compromised over and over.

Server-side ransomware is, to put it mildly, a troubling development. The more common type of ransomware attack, where the endpoints are hit, requires at least some cooperation from a gullible user. Server-side ransomware does not require it: attackers have many chances to get in undetected, while the damage inflicted on the internal infrastructure of the affected company may be much more extensive than with “common” ransomware.

SamSam actors successfully identified the key data systems to encrypt, improving their chances of successful extortion.

Hospitals were targeted because of a popular perception that they have substandard cybersecurity and often rely on obsolete technology (Securelist recently published a great piece on hospital security – things aren’t encouraging there).

However, medical facilities – and schools – aren’t the only possible targets for attacks like these, and we’ll definitely hear more about it. 3.2 million vulnerable servers is a formidable figure on its own.

The JBoss vulnerability in question is described at this link, along with the appropriate patch. Follett also released its own advisory on a problem with Destiny, which offers the following recommendations:

  • Check whether a webshell (possibly more than one) has been installed on the suspect server.
  • If there are any, external access to the server must be cut off as soon as possible.
  • Follett recommends re-imaging the system and installing updated versions of the software, if at all possible.
  • If not, the best option is to restore from a backup prior to the compromise, and then upgrade the server to a non-vulnerable version before returning it to production.
  • Destiny users receive updates automatically; a correct patch installation removes all backdoor shells.
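
The first check in the list above can be scripted. The following Python is an added example, not code from Follett or Cisco Talos: it walks a directory tree and flags files and exploded directories named after the four webshells quoted earlier. The extension list, the function names and the demo tree are assumptions constructed for illustration.

```python
import os
import sys
import tempfile
from datetime import datetime, timezone

# Webshell/backdoor names quoted in the article from Cisco Talos. The article
# says "among others", so an empty result does not prove a server is clean.
INDICATORS = ("mela", "shellinvoker", "jbossinvoker", "jbot")
# Extensions a deployed web artifact typically carries (assumption).
EXTENSIONS = (".war", ".jsp", ".jspx", ".jar", ".class")

def match_indicator(name):
    """Return the indicator an entry name matches, or None."""
    stem = name.lower()
    for ext in EXTENSIONS:
        if stem.endswith(ext):
            stem = stem[: -len(ext)]
            break
    return stem if stem in INDICATORS else None

def scan(root):
    """Walk root; return sorted (relative path, indicator, mtime UTC) hits."""
    hits = []
    for dirpath, dirnames, filenames in os.walk(root):
        # Directories matter too: a WAR can be deployed in exploded form.
        for name in dirnames + filenames:
            indicator = match_indicator(name)
            if indicator:
                full = os.path.join(dirpath, name)
                mtime = datetime.fromtimestamp(os.lstat(full).st_mtime, timezone.utc)
                hits.append((os.path.relpath(full, root), indicator, mtime))
    return sorted(hits)

def demo():
    """Run the scan over a constructed tree (sample data, not a real server)."""
    with tempfile.TemporaryDirectory() as root:
        for rel in ("deploy/library.war", "deploy/jbossinvoker.war",
                    "deploy/ROOT.war/index.jsp", "tmp/Mela.war/mela.jsp",
                    "deploy/jbot-notes.txt"):
            path = os.path.join(root, *rel.split("/"))
            os.makedirs(os.path.dirname(path), exist_ok=True)
            open(path, "w").close()
        return [(p.replace(os.sep, "/"), i) for p, i, _ in scan(root)]

if __name__ == "__main__":
    # Pass the server's deployment directory; without one, run the demo.
    for hit in (scan(sys.argv[1]) if len(sys.argv) > 1 else demo()):
        print(*hit)
```

The modification time in each hit helps pick a backup that predates the compromise, as the recommendations above require.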

Follett also recommends using reputable security software. Kaspersky Lab has appropriate products for both small to medium businesses and enterprises.