According to Cisco Systems, more than 3 million servers exposed on the Internet are potentially open to Samsam ransomware-based attacks because they’re running vulnerable software.
Attackers are targeting vulnerabilities in servers to spread ransomware, the experts from the Cisco IR Services Team discovered that hackers were using the JBoss as a vector for the infections.
“we began looking deeper into the JBoss vectors that were used as the initial point of compromise. Initially, we started scanning the internet for vulnerable machines. This led us to approximately 3.2 million at-risk machines.” wrote the Cisco researchers in a blog post.
The experts started their investigation by scanning for machines that were already compromised.
The web scanning activity allowed the researchers to discover about 2,100 compromised servers belonging to schools, governments, aviation companies, and other types of organizations. The hackers installed webshells to maintain the control over the infected systems.
Several of the compromised systems were running the Follett “Destiny” software, a management system commonly used by many school libraries to keep track of books.
Cisco reported the issue to the Follett Learning that develops the software and the company solved the vulnerability. The updated Destiny software is able to scan machines for signs of infection and removes any backdoors that was installed by attackers.
Experts at CISCO provided a series of recommendations to remove webshell from compromised servers.
“Our first recommendation, if at all possible, is to remove external access to the server. This will prevent the adversaries from accessing the server remotely. Ideally, you would also re-image the system and install updated versions of the software. This is the best way to ensure that the adversaries won’t be able to access the server.” states the blog post published by CISCO. “If for some reason you are unable to rebuild completely, the next best option would be to restore from a backup prior to the compromise and then upgrade the server to a non-vulnerable version before returning it to production.”
Give a look to the post, it also includes some indicators that are associated with the presence of various webshells.
(Security Affairs – JBoss, hacking)