JBoss servers infected by Ransomware says Cisco!

Cisco's Talos threat intelligence group has revealed that more than 2,000 machines at schools and other organizations have been compromised through unpatched versions of JBoss, leaving behind a vulnerable access point that could be used at any moment to install ransomware such as SamSam. Talos also reported that roughly 3.2 million machines worldwide are exposed to the same vulnerability. Governments and aviation companies are among the organizations affected.

JBoss is a division of Red Hat that provides support for the open source JBoss application server and related services, marketed under the JBoss Enterprise Middleware Suite brand. JBoss servers have become an open source alternative to commercial offerings such as IBM WebSphere, Oracle BEA services, and SAP NetWeaver.

Cisco Talos reports that the infected machines are running Follett’s Destiny Library Management software, used by K-12 schools worldwide.

As soon as the news spread on social media, Follett identified the issue and said it had addressed it immediately.

Follett has provided patches and issued a public statement that its technical support staff will reach out to customers found to have suspicious files on their JBoss servers.

Compromised JBoss servers typically contain more than one web shell. Web shells are small programs or scripts that are uploaded to a vulnerable server and then opened from a browser, giving the intruder a web-based interface for running system commands. The presence of such scripts usually means that the server has been hacked and is being remotely controlled.

Talos advised that IT admins should review the contents of a server's job status page and, as soon as they discover a web shell, begin the cleanup by removing external access to the server.

Ideally, users should also re-image the system and install updated versions of the software. If they are not in a position to do so, they should rebuild the system completely from a backup taken before the compromise and then upgrade the server to a non-vulnerable version before returning it to production.
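Finding an uploaded web shell is easier when the deployment directory can be compared against a known-good baseline. The script below is an added illustration, not Talos' or Follett's tooling: it hashes deployable files under a JBoss deploy directory, stores the result as a manifest, and reports anything added, modified or removed since the baseline. The directory layout, file names and contents are constructed for the demonstration.

```python
"""Baseline-and-diff check for unexpected files in a JBoss deploy tree (added example)."""
import hashlib
import os
import tempfile

# File types an intruder would have to add or alter to plant a web shell.
WATCHED_SUFFIXES = (".jsp", ".jspx", ".war", ".class", ".jar")


def file_sha256(path: str) -> str:
    """SHA-256 of one file, read in chunks so large WARs do not exhaust memory."""
    digest = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(65536), b""):
            digest.update(chunk)
    return digest.hexdigest()


def build_manifest(root: str) -> dict[str, str]:
    """Map each watched file (path relative to root, '/'-separated) to its SHA-256."""
    manifest = {}
    for dirpath, _, files in os.walk(root):
        for name in files:
            if name.lower().endswith(WATCHED_SUFFIXES):
                path = os.path.join(dirpath, name)
                rel = os.path.relpath(path, root).replace(os.sep, "/")
                manifest[rel] = file_sha256(path)
    return manifest


def diff_manifests(baseline: dict[str, str], current: dict[str, str]) -> dict[str, list[str]]:
    """Report files added, modified or removed relative to the known-good baseline."""
    added = sorted(set(current) - set(baseline))
    removed = sorted(set(baseline) - set(current))
    modified = sorted(p for p in baseline if p in current and baseline[p] != current[p])
    return {"added": added, "modified": modified, "removed": removed}


def demo() -> dict[str, list[str]]:
    """Constructed scenario: baseline a fake deploy dir, then simulate an upload and a tampered page."""
    with tempfile.TemporaryDirectory() as root:
        app = os.path.join(root, "library.war")  # constructed application name
        os.makedirs(app)
        with open(os.path.join(app, "index.jsp"), "w") as fh:
            fh.write("<html>constructed benign page</html>")
        baseline = build_manifest(root)
        with open(os.path.join(app, "zzz.jsp"), "w") as fh:  # unexpected new file
            fh.write("<%-- constructed placeholder for an unexpected upload --%>")
        with open(os.path.join(app, "index.jsp"), "a") as fh:  # existing page altered
            fh.write("<!-- appended -->")
        return diff_manifests(baseline, build_manifest(root))


if __name__ == "__main__":
    print(demo())
```

In practice the baseline manifest is written out right after a clean install or re-image and the diff is run on a schedule, so that any file in the "added" or "modified" lists is reviewed before the server is trusted.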

Ransomware spreads through unsolicited downloads and spam emails with malicious attachments, and demands that targets pay a ransom in bitcoin.

MedStar Health, a non-profit organization that runs 10 hospitals in the Washington, DC area, was the latest victim of SamSam ransomware.

DNF Corporation can help raise your organization's server security.

Contact DNF Data Security via its web page for more details.
