A deeper probe into the JBoss server vulnerabilities linked to recent Samsam ransomware attacks has uncovered 3.2 million unpatched machines that are potentially susceptible to this attack vector.
Researchers at Cisco's Talos division published the findings after scanning the Internet late last month for systems vulnerable to the JexBoss open-source exploit tool, which is capable of compromising JBoss servers and uploading malware without any action on the part of the user. Once attackers upload malicious webshells to a vulnerable server, they can begin to laterally move through the network, further infiltrating it.
“This is almost a throwback to an earlier time when server-side vulnerabilities were much more prevalent [as a threat] than they are today,” said Matthew Olney, manager of threat intelligence analytics at Talos, in an interview with SCMagazine.com. “I think maybe there are some people who have forgotten that this works as a viable mechanism to get into places.”
Apparently, people are starting to remember. In April, Talos began the next phase of its research, scanning for backdoors to find JBoss servers that had already been compromised via JexBoss. Sure enough, researchers discovered over 2,100 backdoors in servers installed across 1,600 IP addresses linked to schools, governments, aviation companies and other entities.
Among the oddities Talos discovered was an unusual number of K-12 educational institutions, whose JBoss servers had been infected with backdoors — many of them running Destiny library management software from Westchester, Ill.-based Follett Corporation. According to Olney, when Follett was contacted, the company was already aware of a flaw in its own software that made users especially prone to infection via JexBoss, and had patched its product.
Follett issued its own statement through Talos, which was also republished on Follett's website: “Based on our internal systems security monitoring and protocol, Follett identified the issue and immediately took actions to address and close the vulnerability on behalf of our customers. Follett takes data security very seriously and as a result, we are continuously monitoring our systems and software for threats, and enhancing our technology environment with the goal of minimizing risks for the institutions we serve.”
Likewise, JBoss owner Red Hat frequently issues its own security patches. Unfortunately, institutions that fail to regularly update their machines continue to leave themselves open to attack.
During its research, Talos generally discovered more than one malicious webshell on an infected server, suggesting that multiple bad actors are actively leveraging JexBoss to exploit JBoss vulnerabilities. Among the backdoors identified during the sweep were "mela", "shellinvoker", "jbossinvoker", "zecmd", "cmd", "genesis", "sh3ll" and possibly "Inovkermngrt" and "jbot". While JBoss vulnerabilities have been prominently associated with Samsam or Samas ransomware, Olney said there were often additional backdoors created to enable anything from DDoS attacks to bitcoin mining.
Olney told SCMagazine.com that the JexBoss toolkit executes three distinct phases of compromise. First, it uses an IP scanner to find servers that are vulnerable to its exploits, then it installs a backdoor, and finally it creates an interface for adversaries to leverage that backdoor to pull off a variety of cyber campaigns. “It's a fairly one-stop shop for attacking JBoss servers,” said Olney.
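One way a defender can hunt for the second and third phases described above, using the webshell names Talos reported in the previous paragraph, is to look for requests whose first URL path segment matches one of those names in the JBoss HTTP access log. The script below is an added example, not Talos's tooling or anything from the article; it assumes a common-log-format access log and that a deployed webshell is reachable under a context path bearing its name, and the sample log lines are constructed.

```python
import re
from collections import defaultdict

# Backdoor/webshell names reported by Talos (lower-cased for matching).
KNOWN_WEBSHELLS = {
    "mela", "shellinvoker", "jbossinvoker", "zecmd", "cmd",
    "genesis", "sh3ll", "inovkermngrt", "jbot",
}

# Common log format: client, ident, user, [timestamp], "request", status, size.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) (?P<size>\S+)'
)


def webshell_context(path):
    """Return the known webshell name if the first path segment is one, else None.
    Note: a short name such as "cmd" can collide with legitimate apps, so treat a
    hit as a lead to verify on disk (e.g. in the deploy directory), not as proof."""
    first = path.split("?", 1)[0].strip("/").split("/", 1)[0].lower()
    return first if first in KNOWN_WEBSHELLS else None


def scan_access_log(lines):
    """Return {client_ip: [(webshell, path, status), ...]} for suspicious requests.
    Lines that do not parse are skipped rather than aborting the scan."""
    hits = defaultdict(list)
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue
        name = webshell_context(m.group("path"))
        if name:
            hits[m.group("ip")].append((name, m.group("path"), int(m.group("status"))))
    return dict(hits)


# Constructed sample log (documentation-range IPs, not real traffic).
SAMPLE_LOG = [
    '203.0.113.5 - - [10/Apr/2016:10:15:32 +0000] "GET /jbossinvoker/?cmd=id HTTP/1.1" 200 512',
    '203.0.113.5 - - [10/Apr/2016:10:15:40 +0000] "POST /zecmd/zecmd.jsp HTTP/1.1" 200 87',
    '198.51.100.7 - - [10/Apr/2016:10:16:01 +0000] "GET /Inovkermngrt/ HTTP/1.1" 404 0',
    '192.0.2.9 - - [10/Apr/2016:10:16:05 +0000] "GET /library/catalog.jsp HTTP/1.1" 200 4096',
    'not a log line',
]

if __name__ == "__main__":
    for ip, events in scan_access_log(SAMPLE_LOG).items():
        for name, path, status in events:
            print(f"{ip}\t{name}\t{status}\t{path}")
```

A 404 hit (as for Inovkermngrt above) still matters: it may be an attacker probing for a shell that is not installed, which is worth correlating with the scanning phase.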
Talos recommended that infected companies fully re-image and update their systems and software, or restore a clean version of their systems using a back-up. Until then, compromised hosts are advised to eliminate all external network access to prevent bad actors from remotely taking control and causing further damage.