Ransomware exploiting unpatched JBoss servers, warns Cisco

About 3.2 million servers running unpatched versions the open source JBoss application server are at risk of hosting and delivering ransomware, according to researchers at Cisco Systems. But the company also warns that a group of them are at very high risk.

“We found just over 2,100 backdoors installed across nearly 1,600 ip addresses,” the company said in a blog posting on Friday. Specifically, a number of these systems had Follett Corp.’s Destiny library management system for tracking school library assets.

Follett quickly created a system that not only patches all systems from version 9.0-13.5, but also captures any non-Destiny files that were present on a server to help remove any existing backdoors. “It is imperative, given the wide reach of this threat, that all Destiny users ensure that they’ve taken advantage of this patch,” says Cisco.

JBoss is a Java EE-based server, originally developed by JBoss LLC but since 2006 owned by Red Hat Inc. Cisco warned at the end of March that attackers had found a vulnerability in it to upload a webshell for remote control of the server. Often attackers use JexBoss, an open source hacking tool for testing and exploiting JBoss application servers, to find servers they can leverage. Once inside the network the SamSam ransomware is uploaded, which then spreads to Windows PCs.

The discovery of the JBoss problem came after a “customer engagement,” Cisco said, which led it to scan the Internet for vulnerable servers.

“In this process we’ve learned that there is normally more than one web shell on compromised JBoss servers and that it is important to review the contents of the jobs status page. We’ve seen several different backdoors including “mela”, “shellinvoker”, “jbossinvoker”, “zecmd”, “cmd”, “genesis”, “sh3ll” and possibly “Inovkermngrt” and “jbot”. This implies that that many of these systems have been compromised several times by different actors.”

As this advisory from US-CERT states, web shells can be delivered through a number of web application exploits or configuration weaknesses including cross-site scripting, SQL injection, vulnerabilities in applications/services, file processing vulnerabilities and exposed admin interfaces.

Because they can be easily modified web shells can be difficult to detect. US-CERT says admins should be suspicious of abnormal periods of high site usage (due to potential uploading and downloading activity), files with an unusual timestamp (e.g., more recent than the last update of the web applications installed); suspicious files in Internet-accessible locations (web root); files containing references to suspicious keywords such as cmd.exe or eval; unexpected connections in logs. (For example a file type generating unexpected or anomalous network traffic; and any evidence of suspicious shell commands, such as directory traversal, by the web server process.

If you find evidence of a web shell, disconnect the server immediately from the network.

And to ensure your system isn’t available for any exploit, patch and update all systems as soon as practical.

Would you recommend this article?


Thanks for taking the time to let us know what you think of this article!
We'd love to hear your opinion about this or any other story you read in our publication.

Jim Love, Chief Content Officer, IT World Canada

Featured Download

Howard Solomon
Howard Solomon
Currently a freelance writer, I'm the former editor of ITWorldCanada.com and Computing Canada. An IT journalist since 1997, I've written for several of ITWC's sister publications including ITBusiness.ca and Computer Dealer News. Before that I was a staff reporter at the Calgary Herald and the Brampton (Ont.) Daily Times. I can be reached at hsolomon [@] soloreporter.com

Featured Articles

Stemming the tide of cybercrime

By: Derek Manky Technology continues to play a significant role in accelerating...

Power through a work-from-anywhere lifestyle with the LG gram

“The right tool for the right job” is an old adage...

Related Tech News

Tech Jobs

Our experienced team of journalists and bloggers bring you engaging in-depth interviews, videos and content targeted to IT professionals and line-of-business executives.

Tech Companies Hiring Right Now