JBoss Servers: Ransomware Campaign Alert3.2 Million Systems and 2,100 Servers at Risk, Cisco Talos Warns
A series of targeted attacks have been exploiting JBoss application servers as part of a campaign that often then distributes SamSam ransomware, security researchers from Cisco's Talos security group warn. Users of exploited JBoss servers include schools, government agencies and aviation firms, among other organizations, they say.
To date, the researchers' scans of internet-connected systems have identified 2,100 exploited servers that run JBoss - an open source application server program and related services that are maintained by Red Hat - and 3.2 million at-risk endpoints. All are at risk from self-propagating ransomware called SamSam, a.k.a. Samas, MSIL and Kazy, although it's not clear how many might yet have been infected.
As with many other types of ransomware, after locking down networks, servers or systems, SamSam directs victims to pay a ransom, in bitcoins, to receive a decryption key. But Cisco Talos warns that it discovered the JBoss flaws after unraveling a SamSam campaign that's been targeting not just individual endpoints, but entire enterprises, so attackers can demand proportionally larger ransom payments (see Ransomware: Is It Ever OK to Pay?).
Cisco Talos says all of the infected servers were exploited using JexBoss - the "Jboss verify and EXploitation Tool" - "to target unpatched deployments" of JBoss, although it has not specified exactly which JBoss flaws were exploited. JexBoss is freely available from code-sharing site GitHub, after which attackers installed a web shell, which is a script that can be run on a server to enable remote administration of a system and allow attackers to distribute malicious code throughout a network.
"We've learned that there is normally more than one web shell on compromised JBoss servers," Cisco Talos says, which "implies that many of these systems have been compromised several times by different actors," since a group only needs a single web shell to control a system.
Cisco began alerting affected organizations April 11, before publicly releasing details of the flaw, as well as indicators of compromise, on April 15.
Follett Patches Destiny
At least "several" of the exploited JBoss servers were running school library management software called Destiny, which is developed by software vendor Follett, Cisco Talos says. Follett didn't immediately respond to a request for comment about how its software had been exploited. But according to the company's website, it's already issued a patch to eradicate existing exploits and block new ones for the 60,000 K-12 schools globally that use the software.
"Based on our internal systems security monitoring and protocol, Follett identified the issue and immediately took actions to address and close the vulnerability on behalf of our customers," according to a statement released by Follett. "Follett takes data security very seriously and as a result, we are continuously monitoring our systems and software for threats, and enhancing our technology environment with the goal of minimizing risks for the institutions we serve."
Follett takes data security seriously. Learn about JBoss & Destiny https://t.co/DbGkP9uCWjQuestions? Call Follett 888.511.5114, Opt 3.— Follett Learning (@FollettLearning) April 15, 2016
Cisco has urged all Destiny users to immediately install the patch, and also lauded Follett's rapid response. It adds that automatic patch updates have been pushed to all users of Destiny version 9.0 to 13.5, that the update "also captured any non-Destiny files that were present on the system to help remove any existing backdoors on the system," and notes that Follett's technical support team has been contacting customers whose systems appear to have been infected, urging them to immediately update.
Web Shell Alert
Cisco Talos notes that all exploited JBoss servers can be identified in part via the presence of unauthorized web shells, which give attackers remote access to the server and thus - at least in theory - every other system it touches.
For any organizations that discover unauthorized web shells running on a JBoss server, Cisco recommends that whenever possible, they immediately disable external access to the server. "This will prevent the adversaries from accessing the server remotely. Ideally, you would also re-image the system and install updated versions of the software." Failing that, Cisco recommends at least restoring a pre-exploit backup and then upgrading the server "to a non-vulnerable version before returning it to production."
Attackers are increasingly using web shells as part of their exploits. In November 2015, the U.S. Department of Homeland Security's computer emergency response team issued a web shell security alert, warning that it had seen a spate of attacks involving web shells - including such tools as China Chopper, WSO, C99 and B374K - and offering a number of related detection and mitigation recommendations.
"Consistent use of web shells by advanced persistent threat (APT) and criminal groups has led to significant cyber incidents," according to the US-CERT alert, which was issued in conjunction with computer emergency response teams in Australia, Canada, New Zealand and the United Kingdom. "Using network reconnaissance tools, an adversary can identify vulnerabilities that can be exploited and result in the installation of a web shell. ... Once successfully uploaded, an adversary can use the web shell to leverage other exploitation techniques to escalate privileges and to issue commands remotely."
The alert warns that such access can enable attackers to do everything from gain access to other network systems and use the network for botnet command-and-control purposes to exfiltrate data and install malware, including ransomware.
Samas Ransomware Encrypts Via Network
When it comes to ransomware infections, use of Samas has been growing, according to a Feb. 18 FBI flash alert and March 31 alert from US-CERT (see Ransomware Epidemic Prompts FBI Guidance). "Many of the executables and tools used in this intrusion are available for free through Windows or open source projects," the FBI warns. "The malware encrypts most file types with [the strong encryption algorithm] RSA-2048."
Security experts further warn that Samas - like Locky ransomware - can infect files not just stored on removable drives, but also reachable via mapped and unmapped network shares.
The JBoss attack campaign isn't the first time that SamSam has been used to target enterprises. Many security experts also suspect that the ransomware recently disrupted systems at U.S.-based MedStar Health, although the organization has yet to confirm or deny those reports or detail precisely how its systems were hacked.