Hardest hit have been K-12 schools running library management software published by Follett called Destiny, Cisco said. The Destiny software is used by 60,000 schools, and Follett warned customers on Friday of an undisclosed number of servers running its software that have already been infected with backdoors that could be exploited by attackers. Follett has also released a patch that fixes the problem.
Cisco, which is working with Follett, said attackers are using a JBoss-specific exploit tool called Jexboss to compromise servers. The JBoss vulnerability, according to Cisco Talos, has been used to drop a number of webshells and backdoors, including “mela”, “shellinvoker”, “jbossinvoker” and “jbot,” among others, meaning the machines have likely been compromised over and over.
“Over the last few days, Talos has been in the process of notifying affected parties including schools, governments, aviation companies, and more,” it wrote in a statement.
JBoss is middleware made by Red Hat that includes enterprise-class software used to create and integrate applications, data, and devices, and to automate business processes. The JBoss vulnerability being exploited, CVE-2010-0738, dates back to 2010, when Red Hat issued a patch that fixed it. Red Hat has since renamed the community JBoss Application Server to WildFly. Still, many organizations remain dependent on older versions of JBoss (4.x and 5.x) because their applications were built against those versions.
“So far, these vulnerabilities appear to be related to unpatched servers,” wrote Red Hat in a statement to Threatpost.
As for SamSam, the latest variant of the ransomware has upped its potency, according to security experts, and is uniquely suited to target JBoss vulnerabilities. SamSam was recently updated by attackers who are now targeting server vulnerabilities as opposed to their past modus operandi of spam-based macro attacks and driving traffic to websites that host exploit kits.
Schools are a particularly vulnerable target, said Cisco Talos, because they are notorious for grappling with budgetary constraints and likely fall short in securing servers and endpoints. Approximately 30 percent of the schools vulnerable to these attacks are located in the U.S., according to Talos.
“Given the severity of this problem, a compromised host should be taken down immediately as this host could be abused in a number of ways,” Cisco Talos wrote in a bulletin. “These servers are hosting JBoss which has been recently involved in a high profile ransomware campaign.”
Researchers point out that while SamSam ransomware is currently the most likely outcome of a JBoss attack, it is by no means the only headache. Cisco Talos said attacks aren’t limited to ransomware. “Once the actor controls the server, they can do anything they want, including loading more tools,” it wrote. Attackers have also used compromised servers as launch pads for DDoS attacks or used the servers’ resources to mine Bitcoin.
After successful exploitation, the common action among attackers is to install a web shell backdoor on the server, which lets them easily run commands on it. If you find that a web shell has been installed on a server, Cisco Talos advises removing external access to the server, re-imaging the system and installing updated versions of the software.
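The web shell names Talos observed (“mela”, “shellinvoker”, “jbossinvoker”, “jbot”) and the behaviour described above (a server-side page that runs attacker-supplied commands) are enough to build a first-pass triage check for a JBoss 4.x/5.x deploy directory. The script below is an added example, not Cisco Talos or Follett tooling: the indicator names come from this article, while the deploy-directory listing and JSP sources it scans are constructed inline for illustration (a real run would read them from the server’s `deploy` directory instead).

```python
"""Triage helper: flag likely web-shell deployments on a JBoss 4.x/5.x host.

Added example, not tooling from Cisco Talos or Follett. The indicator names are
the ones the article reports; the sample deploy listing and JSP sources are
constructed for illustration only.
"""
import re
from pathlib import PurePosixPath

# Web shell / backdoor names the article says were dropped on compromised hosts.
KNOWN_SHELL_NAMES = {"mela", "shellinvoker", "jbossinvoker", "jbot"}

# JSP constructs that together mean "take a request parameter, run it as an OS
# command": the capability the article attributes to the installed web shells.
_EXEC_RE = re.compile(r"Runtime\.getRuntime\(\)\.exec|ProcessBuilder", re.I)
_PARAM_RE = re.compile(r"request\.getParameter\(", re.I)


def name_matches_indicator(path: str) -> bool:
    """True if any path component (minus .war/.jsp/.jar suffix) is a known shell name."""
    for part in PurePosixPath(path).parts:
        stem = re.sub(r"\.(war|jsp|jar)$", "", part, flags=re.I)
        if stem.lower() in KNOWN_SHELL_NAMES:
            return True
    return False


def looks_like_jsp_shell(source: str) -> bool:
    """Heuristic: JSP that executes OS commands built from request input."""
    return bool(_EXEC_RE.search(source) and _PARAM_RE.search(source))


def triage(deployments: dict) -> dict:
    """Map each deployment path to the list of reasons it was flagged (empty = clean)."""
    report = {}
    for path, source in deployments.items():
        reasons = []
        if name_matches_indicator(path):
            reasons.append("name matches known backdoor indicator")
        if path.lower().endswith(".jsp") and looks_like_jsp_shell(source):
            reasons.append("JSP executes commands from request parameters")
        report[path] = reasons
    return report


# Constructed sample of a JBoss deploy directory. Paths and file contents are
# made up for this example; a real scan walks the directory with os.walk().
SAMPLE_DEPLOYMENTS = {
    "server/default/deploy/destiny.war/index.jsp":
        "<%@ page import=\"java.util.*\" %><html><%= new Date() %></html>",
    "server/default/deploy/jbossinvoker.war/invoker.jsp":
        "<% String c = request.getParameter(\"cmd\");"
        " Process p = Runtime.getRuntime().exec(c); %>",
    "server/default/deploy/mela.war":
        "",  # packaged WAR; the name alone is enough to flag it
    "server/default/deploy/status.war/cmd.jsp":
        "<% String c = request.getParameter(\"c\");"
        " new ProcessBuilder(\"sh\", \"-c\", c).start(); %>",
}


def flagged_paths(deployments=None) -> list:
    """Sorted list of deployments with at least one finding."""
    report = triage(SAMPLE_DEPLOYMENTS if deployments is None else deployments)
    return sorted(p for p, reasons in report.items() if reasons)


if __name__ == "__main__":
    for path, reasons in triage(SAMPLE_DEPLOYMENTS).items():
        status = "FLAG" if reasons else "ok  "
        print(f"{status} {path}" + "".join(f"\n       - {r}" for r in reasons))
```

The name check catches the backdoors Talos listed; the content heuristic catches a shell that was renamed to blend in with legitimate applications, as `status.war/cmd.jsp` does here. A hit on either is a reason to follow the Talos guidance above (cut external access, re-image, redeploy patched software) rather than to delete the one file, since the article notes these hosts were typically compromised more than once.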