JBoss Servers Exploited by Ransomware
Cisco Talos security group warned of a series of targeted attacks that aim to exploit JBoss application servers as part of a campaign to spread the SamSam ransomware. Among those affected are educational institutions, government and aviation firms, and other organizations, Cisco Talos added.
Researchers reviewed Internet-connected systems and have found up to 2,100 exploited JBoss servers – the open-source application server program and related services maintained by Red Hat – and about 3.2 million at-risk endpoints. All these are at risk of being infected by the self-propagating ransomware SamSam – also known as Samas, MSIL, and Kazy – though it is not yet known how many have been affected.
Like all types of ransomware, SamSam directs its victims to pay a ransom of bitcoins to receive a decryption key to gain access back to their locked down networks, servers, or systems. Cisco Talos, however, discovered the flaws in JBoss after coming across a SamSam campaign that was targeted at entire enterprises and not just individuals – allowing hackers to demand a much larger ransom payment for the decryption keys.
Cisco Talos warned of ransomware attacks targeting schools, government and aviation groups, and similar institutions.
Cisco Talos also said that all of the infected servers were exploited with JexBoss – the JBoss verify and exploitation tool – targeted at unpatched deployments of JBoss. It was not specified which exact JBoss flaws were exploited. The JexBoss tool is free to download from GitHub, a well-known code-sharing site. After downloading Jexboss, hackers installed a web shell – a script that runs on a server to enable remote administration of a system and allows attackers to spread malware through a network.
Cisco Talos also learned that there is normally more than one web shell on compromised JBoss servers. This “implies that many of these systems have been compromised several times by different actors” since a group only needs one web shell to control a system. Cisco started alerting organisations April 11th; and publicly released details of the flaw and indicators of the compromise April 15th.
Several of the affected JBoss servers ran the school library management software Destiny – developed by software vendor Follett – according to Cisco Talos. Their website does have a patch to get rid of existing exploits and block new ones for their customer base of 60,000 K-12 schools.
Follet released a statement that said, “Based on our internal systems security monitoring and protocol, Follett identified the issue and immediately took actions and close the vulnerability on behalf of our customers. Follett takes data security very seriously and as a result, we are continuously monitoring our systems and software for threats, and enhancing our technology environment with the goal of minimizing risks for the institutions we serve.”
Destiny users were immediately urged to install the patch by Cisco; while they also lauded Follett’s rapid response to the hacking. It also helped that the patch updates were pushed to all users of Destiny, from version 9.0 to 13.5. The update “also captured any non-Destiny files that were present on the system to help remove any existing backdoors on the system.” Follett’s technical support team had also contacted customers whose systems appear to have been affected, also urging them to update their programs.
Cisco Talos also noted that all affected JBoss servers may be identified through the presence of unauthorised web shells which can theoretically give hackers remote access to the server and every system it is connected to.
Cisco recommended that any organisation that finds unauthorised web shells on their JBoss servers should immediately disable external access to the server. This should prevent the cybercriminals from accessing the servers from a remote location; and ideally re-imaging the system and installing updated versions of the software should help. Cisco added that restoring a pre-exploit backup and upgrading the server to a non-vulnerable version before returning it to production is recommended.
Cybercriminals are using web shells as part of their hacking more often. In late 2015, the US Department of Homeland Security’s computer emergency response team issued an alert that warned about a wave of attacks that involved web shells that included China Chopper, WSO, C99, and B374K; they also offered a number of related detection and mitigation recommendations.
According to the US-CERT alert – which was made in coordination with teams from Australia, Canada, New Zealand, and the UK – consistent use of web shells by advanced persistent threat (APT) and criminal groups has led to significant cyber incidents. They added, “Using network reconnaissance tools, an adversary can identify vulnerabilities that can be exploited and result in the installation of a web shell. Once successfully uploaded, an adversary can use the web shell to leverage other exploitation techniques to escalate privileges and to issue commands remotely.”
The alert warned that this kind of access can allow attackers to gain access to other network systems and use the network to steal data, and install malware and ransomware.
According to reports by the FBI and US-CERT, the use of Samas grew when it comes to ransomware infections. The FBI warned, “Many of the executables and tools used in this intrusion are available for free through Windows or open-source projects. The malware encrypts most file types with the strong encryption algorithm RSA-2048.”
According to security experts, Samas can infect files on removable drives, mapped and unmapped network shares – just like the Locky ransomware variant. It is not the first time that enterprises were targeted by the SamSam ransomware. A number of security experts believe the ransomware was used to disrupt the systems of Medstar Health – although they did not confirm or deny the reports immediately.
Comprehensive multi-device protection for you and your family for up to 6 PCs, Macs, Android, and iOS devices. For more info click here.
