JBOSS Backdoor opens 3 million servers at risk of attacks

Experts at Cisco Systems discovered more than 3 million vulnerable servers exposed on the Internet while scanning for the presence of JBOSS Backdoor

According to Cisco Systems, more than 3 million servers exposed on the Internet are potentially open to Samsam ransomware-based attacks because they’re running vulnerable software.

Attackers are targeting vulnerabilities in servers to spread ransomware, the experts from the Cisco IR Services Team discovered that hackers were using the JBoss as a vector for the infections.

“we began looking deeper into the JBoss vectors that were used as the initial point of compromise. Initially, we started scanning the internet for vulnerable machines. This led us to approximately 3.2 million at-risk machines.” wrote the Cisco researchers in a blog post.

The experts started their investigation by scanning for machines that were already compromised.

The web scanning activity allowed the researchers to discover about 2,100 compromised servers belonging to schools, governments, aviation companies, and other types of organizations. The hackers installed webshells to maintain the control over the infected systems.

Several of the compromised systems were running the Follett “Destiny” software, a management system commonly used by many school libraries to keep track of books.

Cisco reported the issue to the Follett Learning that develops the software and the company solved the vulnerability. The updated Destiny software is able to scan machines for signs of infection and removes any backdoors that was installed by attackers.

Experts at CISCO provided a series of recommendations to remove webshell from compromised servers.

“Our first recommendation, if at all possible, is to remove external access to the server. This will prevent the adversaries from accessing the server remotely. Ideally, you would also re-image the system and install updated versions of the software. This is the best way to ensure that the adversaries won’t be able to access the server.” states the blog post published by CISCO. “If for some reason you are unable to rebuild completely, the next best option would be to restore from a backup prior to the compromise and then upgrade the server to a non-vulnerable version before returning it to production.”

Give a look to the post, it also includes some indicators that are associated with the presence of various webshells.

[adrotate banner=”9″]

Pierluigi Paganini

(Security Affairs – JBoss, hacking)

Pierluigi Paganini

Pierluigi Paganini is member of the ENISA (European Union Agency for Network and Information Security) Threat Landscape Stakeholder Group and Cyber G7 Group, he is also a Security Evangelist, Security Analyst and Freelance Writer. Editor-in-Chief at "Cyber Defense Magazine", Pierluigi is a cyber security expert with over 20 years experience in the field, he is Certified Ethical Hacker at EC Council in London. The passion for writing and a strong belief that security is founded on sharing and awareness led Pierluigi to find the security blog "Security Affairs" recently named a Top National Security Resource for US. Pierluigi is a member of the "The Hacker News" team and he is a writer for some major publications in the field such as Cyber War Zone, ICTTF, Infosec Island, Infosec Institute, The Hacker News Magazine and for many other Security magazines. Author of the Books "The Deep Dark Web" and “Digital Virtual Currency and Bitcoin”.