{"id":15138,"date":"2016-04-25T15:33:24","date_gmt":"2016-04-25T15:33:24","guid":{"rendered":"https:\/\/kasperskydaily.com\/b2b\/?p=5495"},"modified":"2020-02-27T04:03:00","modified_gmt":"2020-02-26T17:03:00","slug":"jboss-flaw","status":"publish","type":"post","link":"https:\/\/www.kaspersky.com.au\/blog\/jboss-flaw\/15138\/","title":{"rendered":"3.2m servers are possible targets for a ransomware campaign"},"content":{"rendered":"

3.2 million servers fall victim to an old and now heavily exploited vulnerability. Cisco\u00a0released<\/a> a formidable heads-up earlier this month, stating that over 3\u00a0million servers are vulnerable to the JBoss flaw, with many already backdoored.<\/p>\n

JBoss (currently WildFly) is middleware produced by Red Hat<\/a> that includes enterprise-class software used to create and integrate applications, data and devices, and automate business processes. The vulnerability in question is five years old (i.e. really old), and the patch has been available since 2010. Red Hat has even renamed JBoss since then.<\/p>\n

Still, as an example of \u201cIT renewal reluctance<\/a>\u201c, a malady very characteristic for larger businesses, the old and vulnerable versions of JBoss are still around because of the custom applications based on those versions.<\/p>\n

This old flaw has been used by the actors behind the massive ransomware campaign codenamed SamSam<\/a>. Unlike many others, SamSam is targeting servers specifically. As of the end of March, hospitals were the primary victims of the attacks, however later it was discovered that hackers have used the very same vulnerability to backdoor a large number of schools (primarily in the U.S.).<\/p>\n

According to Threatpost<\/a>, the hardest hit have been K-12 schools running library management software called Destiny by Follett.<\/p>\n

Attackers are using a JBoss-specific exploit tool called Jexboss to compromise servers. According to Cisco Talos researchers, the JBoss vulnerability has been used to drop a number of webshells and backdoors, including \u201cmela\u201d, \u201cshellinvoker\u201d, \u201cjbossinvoker\u201d and \u201cjbot,\u201d among others, meaning the machines have likely been compromised over and over.<\/p>\n

Server-side ransomware is, mildly put, a troubling\u00a0development. Unlike the more common type where the endpoints are hit, a ransomware attack requires at least some cooperation from a gullible user. Server-side ransomware does not require it: attackers have many\u00a0chances to go in undetected, while the damage inflicted to the internal infrastructure of the affected company may be much more extensive than with \u201ccommon\u201d ransomware.<\/p>\n

SamSam actors successfully identified the key data systems for them to encrypt, to have more chances for successful extortion.<\/p>\n

Hospitals were targeted because of a popular perception they have substandard cybersecurity and often rely on obsolete technology (Securelist recently published a great piece on hospital security<\/a> \u2013 things aren\u2019t encouraging there).<\/p>\n

However, medical facilities \u2013 and schools \u2013 aren\u2019t the only possible targets for attacks like these, and we\u2019ll definitely hear more about it. 3.2 million vulnerable servers is a formidable figure on its own.<\/p>\n

JBoss vulnerability in question is described at this link<\/a>, along with the appropriate patch.\u00a0Follett company also released<\/a> its own advisory on a problem with Destiny, which offers the following recommendations.<\/p>\n