Out-of-date software may not seem like the biggest problem in the world, but a new report from information security researchers finds that it may be responsible for putting more than 3 million servers at risk of ransomware attacks. In fact, the researchers found just over 2,100 backdoors already installed across nearly 1,600 IP addresses belonging to schools, governments, aviation companies, and others.
The threat of ransomware, an attack in which an intruder encrypts a machine's data and demands payment for the key needed to recover it, has grown dramatically in recent years. But the practice of targeting servers rather than end-user workstations appears to be a relatively new development.
A New Threat
The warning comes from Talos, Cisco's threat intelligence group. According to the group, the backdoors it uncovered had been planted through vulnerabilities in out-of-date versions of JBoss, a Java-based portfolio of enterprise middleware developed by Red Hat. Talos said it had been investigating JBoss as an attack vector following the recent ransomware campaign that hit servers with the Samsam malware package.
“Targeting vulnerabilities in servers to spread ransomware is a new dimension to an already prolific threat,” Talos wrote in a blog post Friday. “As part of this investigation, we scanned for machines that were already compromised and potentially waiting for a ransomware payload. We found just over 2,100 backdoors installed across nearly 1,600 IP addresses.”
Some of the compromised servers belonged to schools running Follett's Destiny software, which school libraries use to keep track of books and other items, Talos said. Follett promptly issued a fix for the vulnerability, and the researchers said it was “imperative” that all Destiny users install the patch.
During its investigation, Talos found a number of webshells on the compromised servers. A webshell is a server-side script page (on JBoss, typically a JSP file dropped into a deployed web application) that lets anyone who can reach it over HTTP run commands on the host. Administrators occasionally use them as remote control panels, but far more often they are planted by attackers to keep remote control of a machine. The group found that compromised JBoss servers typically had more than one webshell installed.
“We’ve seen several different backdoors including ‘mela,’ ‘shell invoker,’ ‘jbossinvoker,’ ‘zecmd,’ ‘cmd,’ ‘genesis,’ ‘sh3ll’ and possibly ‘Inovkermngrt’ and ‘jbot,’” the company wrote on its blog. “This implies that many of these systems have been compromised several times by different actors.”
The Webshell Threat
Talos said that webshells are a major security concern because their presence indicates that an attacker has already compromised the server and can control it remotely. From there, a compromised web server can be used as a pivot point to move laterally into the internal network.
The group recommended that enterprises take compromised servers offline immediately, as they can be misused in a number of ways; servers hosting JBoss, for example, were heavily involved in the recent Samsam attacks, Talos said. Admins who discover webshells on their servers should first cut off external access to those servers so attackers can no longer reach the compromised machines remotely.
Ideally, enterprises should then re-image compromised systems and install updated versions of all software to deny attackers future access, according to Talos. Barring that, the group recommended restoring from a backup taken before the compromise, followed by upgrading the servers to non-vulnerable versions before returning them to production.
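One way an administrator could triage a JBoss deploy directory for the kind of webshells described above, written here as an added example and not code from the Talos report: it flags JSP pages whose file name matches one of the backdoor names the article lists, and pages that both read a request parameter and spawn a process, which catches a shell that has simply been renamed. The content patterns, the sample deploy tree, its directory names and file contents are all constructed assumptions for the demonstration.

```python
import os
import re
import tempfile
from dataclasses import dataclass, field
from typing import Optional

# Backdoor names Talos reported on compromised JBoss hosts (from the article),
# lower-cased with separators removed so "shell invoker" matches "shellinvoker".
KNOWN_WEBSHELL_NAMES = {
    "mela", "shellinvoker", "jbossinvoker", "zecmd", "cmd",
    "genesis", "sh3ll", "inovkermngrt", "jbot",
}

# Content heuristics. Assumption: these are the usual JSP command-shell
# primitives, not a signature list taken from the Talos report.
EXEC_RE = re.compile(r"Runtime\.getRuntime\(\)\.exec\(|new\s+ProcessBuilder\(")
INPUT_RE = re.compile(r"request\.getParameter\(")


@dataclass
class Finding:
    relpath: str                      # path relative to the scanned root, "/" separated
    reasons: list = field(default_factory=list)


def normalize_name(filename: str) -> str:
    """'Shell Invoker.jsp' -> 'shellinvoker': drop extension, separators and case."""
    stem = os.path.splitext(os.path.basename(filename))[0]
    return re.sub(r"[\s_\-]+", "", stem).lower()


def scan_file(path: str, root: str) -> Optional[Finding]:
    reasons = []
    if normalize_name(path) in KNOWN_WEBSHELL_NAMES:
        reasons.append("filename matches a webshell name reported by Talos")
    try:
        with open(path, "r", encoding="utf-8", errors="replace") as fh:
            text = fh.read()
    except OSError:
        return None
    # Reading request input AND spawning a process is the command-shell pattern;
    # either half on its own is common in legitimate pages, so require both.
    if EXEC_RE.search(text) and INPUT_RE.search(text):
        reasons.append("reads a request parameter and spawns a process")
    if not reasons:
        return None
    rel = os.path.relpath(path, root).replace(os.sep, "/")
    return Finding(rel, reasons)


def scan_tree(root: str, extensions=(".jsp", ".jspx")) -> list:
    """Walk a deploy directory and return Findings sorted by relative path."""
    findings = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            if name.lower().endswith(extensions):
                hit = scan_file(os.path.join(dirpath, name), root)
                if hit:
                    findings.append(hit)
    return sorted(findings, key=lambda f: f.relpath)


# Constructed sample deploy tree (assumption: not taken from any real host).
SAMPLE_FILES = {
    "deploy/ROOT.war/index.jsp": "<html><body><h1>Welcome</h1></body></html>\n",
    # benign: reads a parameter but never spawns a process
    "deploy/ROOT.war/report.jsp":
        '<% String q = request.getParameter("q"); out.println("Results for " + q); %>\n',
    # renamed shell: innocuous name, but passes a parameter straight to /bin/sh
    "deploy/ROOT.war/status.jsp":
        '<%@ page import="java.io.*" %>\n'
        '<% String c = request.getParameter("c");\n'
        '   Process p = new ProcessBuilder("/bin/sh", "-c", c).start(); %>\n',
    # known name from the Talos list, plus classic exec-from-parameter body
    "deploy/jmx-console.war/zecmd.jsp":
        '<%@ page import="java.io.*" %>\n'
        '<% String c = request.getParameter("cmd");\n'
        '   Process p = Runtime.getRuntime().exec(c); %>\n',
}


def build_sample_deploy() -> str:
    """Write SAMPLE_FILES into a fresh temp directory and return its root."""
    root = tempfile.mkdtemp(prefix="jboss-deploy-")
    for rel, body in SAMPLE_FILES.items():
        full = os.path.join(root, *rel.split("/"))
        os.makedirs(os.path.dirname(full), exist_ok=True)
        with open(full, "w", encoding="utf-8") as fh:
            fh.write(body)
    return root


def demo() -> list:
    return scan_tree(build_sample_deploy())


if __name__ == "__main__":
    for f in demo():
        print(f.relpath, "->", "; ".join(f.reasons))
```

The name check alone would miss status.jsp, which is why the behavioural check is there; conversely, a page that only echoes a parameter (report.jsp) is not flagged. A hit is a reason to isolate the host and follow the re-image or restore-from-backup steps Talos recommends, not merely to delete the file, since the article notes these hosts were typically carrying several shells from different actors.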