Out in “the wild,” hackers used to engage in drive-by attacks. Those attacks included email deceptive phishing attacks or booby-trapped links, which allow hackers to make the victim’s computer its slave.
However, according to a recent InfoWorld.com piece, the crooks have found a way to come in through the “back door.” They come in through the server and spread their mischief laterally.
Cisco System discovery: 3.2 million vulnerable web servers
The pathway, as discovered by experts at Cisco Systems, was through some outdated Java software known as JBoss. JBoss Backdoor is widely used by hospitals, libraries, educational organizations, the government, aviation companies, and more.
According to one SoftPedia.com news piece, after a preliminary investigation, Cisco found that a whopping 3.2 million web servers were running the unpatched server application JBoss. Subsequent searches disclosed over 2,000 compromised servers ready for an insidious new version of Ransomware known as SamSam.
How SamSam gets in
Hijackers exploit the JBoss application server with an open-source penetration tool known as JexBoss. The JexBoss Exploit Tool can be used to test vulnerabilities, and its presence on a user’s system typically indicates malicious activity. The malicious outcome is another chapter in the growing spread of Ransomware.
SamSam is different. It targets servers and opens the aforementioned back door. It ignores user or data files and goes straight for the server where typically mission-critical applications are encrypted and frozen until the victim pays the ransom. Unlike its evil twins, which rely on phishing campaigns and clicks on malicious links, according to one Talosintel.com blog:
“This particular family seems to be distributed via compromising servers and using them as a foothold to move laterally through the network…”
The Ransomware spreads laterally to every connected device. Once the Ransomware is planted, SamSam gets to work and encrypts multiple Windows systems.
Patching JBoss-based Systems
One InfoWorld piece has the best advice in its title: “Patch JBoss now to prevent SamSam ransomware attacks.” Evidence of compromise are the aforementioned presence of JexBoss and the presence of more than one installed webshell, “suggesting that the systems have been repeatedly compromised by different actors…”
Users should take the following steps:
1. Take a look at the server’s jobs status page and look for any suspicious activity.
2. If the review discloses multiple webshells, the system needs to be taken off line.
3. The ideal option would be to re-image the system and restore the latest versions of all the system software.
4. For organizations who cannot rebuild their system from scratch, the best option is restoring the system to a point in time prior to the compromise.
5. Upgrade the server to a clean version of the JBoss application.
There is a consistent message in fighting the spread of ransomware through the back door. It is to immediately patch software as soon as the vendor assesses vulnerability. The second “silver bullet” against any malware is secure and reliable backups that are both offsite and run independently from the network.
As one example, Red Hat’s JBoss 4.x and 5.x are productive server business applications, which Red Hat patched about six years ago. The bad news is that many organizations are still using those older versions and have not applied the patch. That neglect makes them vulnerable to ransomware.
The sobering message from Cisco is that once the malware takes control of your server, it can do anything it wants, “including loading more tools.” Those tools could involve everything from spreading denial of service attacks to massive disclosure of sensitive personal information.
Need more help?
Whether you’re seeking a security upgrade or are interested in learning more about IT managed services, Global Data Systems, Inc. is the trusted choice. We’ll help you to stay ahead of the latest information security and technology tips, tricks, and news. Contact us at (888) 849-6818 or send us an email at info@GDSConnect.com for more information.