Spurred by the recent discovery that the Samas (aka SamSam) ransomware is being spread via compromised servers running out-of-date versions of Red Hat’s JBoss server software, Cisco Talos researchers have begun scanning the Internet for machines that might be at risk.
They found approximately 3.2 million vulnerable machines, but also a considerable number that are already compromised: 2,100 backdoors have already been installed across nearly 1600 IP addresses.
Another way into the compromised systems was through a vulnerability in Destiny, a library management system by Follett. This vulnerability has already been patched and customers were urged to implement the patch.
“We’ve learned that there is normally more than one webshell on compromised JBoss servers and that it is important to review the contents of the jobs status page,” the researchers noted.
“We’ve seen several different backdoors including ‘mela’, ‘shellinvoker’, ‘jbossinvoker’, ‘zecmd’, ‘cmd’, ‘genesis’, ‘sh3ll’ and possibly ‘Inovkermngrt’ and ‘jbot’. This implies that many of these systems have been compromised several times by different actors.”
A webshell is a script that can be uploaded to a web server to enable remote administration of the machine. This access allows attackers to issue commands, escalate privileges, and so on, and can result in the theft of sensitive data, malware installation, the server becoming part of a command-and-control infrastructure, and similar outcomes.
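The researchers' advice above amounts to hunting for the named webshells on every JBoss host. As an added example (not code from the article or from Cisco Talos), the script below runs that check over web server access logs: it assumes Apache/Tomcat-style common log format, uses the backdoor names quoted in the article as its indicator list, and flags any request whose path component matches one of them, distinguishing a served webshell (2xx/3xx) from a mere probe for one (4xx). The log lines are constructed for the demonstration.

```python
import re
from typing import Dict, List

# Webshell names quoted by Cisco Talos in the article. The list is explicitly
# incomplete, and the last two were only "possibly" observed. Note that "cmd"
# is a generic word and will be the noisiest entry; review its hits by hand.
KNOWN_WEBSHELL_NAMES = {
    "mela", "shellinvoker", "jbossinvoker", "zecmd", "cmd",
    "genesis", "sh3ll", "inovkermngrt", "jbot",
}

# Common log format: client IP, ident, user, [timestamp], "METHOD path PROTO", status, size
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3})'
)

# Constructed sample log; 203.0.113.0/24 and 198.51.100.0/24 are documentation ranges.
SAMPLE_LOG = [
    '203.0.113.7 - - [11/Apr/2016:10:02:31 +0000] "GET /jbossinvoker/ HTTP/1.1" 200 512',
    '203.0.113.7 - - [11/Apr/2016:10:02:45 +0000] "POST /zecmd/zecmd.jsp HTTP/1.1" 200 88',
    '198.51.100.4 - - [11/Apr/2016:10:03:10 +0000] "GET /myapp/index.jsp HTTP/1.1" 200 2048',
    '198.51.100.9 - - [11/Apr/2016:10:04:02 +0000] "GET /Genesis/ HTTP/1.1" 404 210',
]


def path_segments(path: str) -> List[str]:
    """Split a request path into lowercase segments, also yielding each
    segment without its extension so 'zecmd.jsp' matches the name 'zecmd'."""
    path = path.split("?", 1)[0]          # query string is irrelevant to the name
    segments: List[str] = []
    for seg in path.split("/"):
        if not seg:
            continue
        low = seg.lower()
        segments.append(low)
        base = low.rsplit(".", 1)[0]
        if base != low:
            segments.append(base)
    return segments


def scan_log(lines: List[str]) -> List[Dict]:
    """Return one finding per log line whose path names a known webshell."""
    findings = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue                        # not common log format; skip
        hits = sorted({s for s in path_segments(m["path"]) if s in KNOWN_WEBSHELL_NAMES})
        if not hits:
            continue
        status = int(m["status"])
        findings.append({
            "ip": m["ip"],
            "time": m["ts"],
            "path": m["path"],
            "status": status,
            "matched": hits,
            # A 2xx/3xx means the server actually served something at that path,
            # i.e. the webshell is likely deployed; a 4xx is a probe for one.
            "served": status < 400,
        })
    return findings


def summarize_by_ip(findings: List[Dict]) -> Dict[str, List[str]]:
    """Collapse findings to client IP -> sorted list of webshell names touched."""
    summary: Dict[str, set] = {}
    for f in findings:
        summary.setdefault(f["ip"], set()).update(f["matched"])
    return {ip: sorted(names) for ip, names in summary.items()}


if __name__ == "__main__":
    for f in scan_log(SAMPLE_LOG):
        state = "SERVED" if f["served"] else "probe"
        print(f'{f["time"]} {f["ip"]} {state:6} {f["path"]} -> {f["matched"]}')
    print(summarize_by_ip(scan_log(SAMPLE_LOG)))
```

A served hit is the signal that matters: it means the path exists on the server, so the host should be taken off the network and rebuilt as the researchers recommend rather than merely patched. Run it against the full log retention window, since the article notes these hosts have been compromised repeatedly by different actors.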
According to Cisco researchers, the compromised systems are distributed across schools, governmental organizations, and various companies, all of which have been informed.
They have been advised to remove external access to the server and to re-image the system and install updated versions of the software.
“If for some reason you are unable to rebuild completely, the next best option would be to restore from a backup prior to the compromise and then upgrade the server to a non-vulnerable version before returning it to production,” the researchers added.
Cisco also shared an incomplete list of indicators of compromise, and Snort rules to address the threat of JBoss server vulnerabilities, webshells, and the Samas ransomware.
As reported before, the attackers slinging the Samas ransomware are using the JexBoss tool to automate the discovery of vulnerable systems, so admins are advised to check their machines for compromise and patch them ASAP.