Patch JBoss now to prevent SamSam ransomware attacks

By | April 19, 2016 | Bitcoin Business

Cisco Talos researchers say that 3.2 million servers have a JBoss vulnerability that could potentially be exploited by SamSam ransomware. Even more worrying, the researchers found 2,100 backdoors across 1,600 servers that are "already compromised and potentially waiting for a ransomware payload," Cisco Talos wrote.

Attackers used a JBoss-specific exploit called JexBoss, a JBoss verification and exploitation tool, to compromise vulnerable servers and then install webshells and backdoors for remote access. Cisco Talos researchers found that compromised JBoss servers typically have more than one webshell installed, suggesting that the systems have been repeatedly compromised by different actors. The list of webshells includes mela, shellinvoker, jbossinvoker, zecmd, cmd, genesis, sh3ll, and jbot. "Given the severity of this problem, a compromised host should be taken down immediately as this host could be abused in a number of ways," Cisco Talos wrote in a bulletin. This would prevent attackers from accessing the server remotely.

Review the contents of a server’s jobs status page for anything suspicious. If webshells are found, the first step is to remove external access to the server, Cisco Talos said. While the ideal scenario would be to re-image the system and install the latest versions of all the software, some organizations will be unable to rebuild from the ground up.

"The next best option would be to restore from a backup prior to the compromise and then upgrade the server to a non-vulnerable version before returning it to production," Cisco Talos said.
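One way to carry out the "look for webshells" step above, as an added example that is not from the article or from Cisco Talos: scan a JBoss deployment directory for deployments or JSP files whose names match the webshells listed earlier. The deploy paths in the docstring are assumptions; pass the directory your server actually uses.

```python
"""Scan a JBoss deployment directory for the webshell names Talos reported.

Added example (not from the article or Cisco Talos). Assumes deployed web
applications live under one directory such as /opt/jboss/server/default/deploy
(JBoss AS 4-6) or /opt/jboss/standalone/deployments (JBoss AS 7 / EAP 6).
"""
import os
import tempfile

# Webshell names quoted in the Talos findings, compared case-insensitively.
# "cmd" is a common legitimate name too, so review hits rather than acting blindly.
KNOWN_WEBSHELLS = {"mela", "shellinvoker", "jbossinvoker", "zecmd",
                   "cmd", "genesis", "sh3ll", "jbot"}


def deployment_name(entry):
    """Map 'zecmd.war' or an exploded 'zecmd' directory to context name 'zecmd'."""
    name = entry.lower()
    for suffix in (".war", ".jar", ".ear"):
        if name.endswith(suffix):
            return name[:-len(suffix)]
    return name


def scan_deploy_dir(deploy_dir):
    """Return a sorted list of (path, reason) for suspicious entries.

    Flags top-level deployments whose context name is a known webshell and
    any .jsp file anywhere in the tree whose basename is a known webshell.
    """
    findings = []
    for entry in os.listdir(deploy_dir):
        if deployment_name(entry) in KNOWN_WEBSHELLS:
            findings.append((os.path.join(deploy_dir, entry), "known webshell deployment name"))
    for root, _dirs, files in os.walk(deploy_dir):
        for f in files:
            if f.lower().endswith(".jsp") and f[:-4].lower() in KNOWN_WEBSHELLS:
                findings.append((os.path.join(root, f), "known webshell JSP"))
    return sorted(findings)


def build_sample_tree():
    """Constructed sample: one legitimate app plus two planted webshells."""
    base = tempfile.mkdtemp()
    os.makedirs(os.path.join(base, "myapp.war", "WEB-INF"))
    with open(os.path.join(base, "myapp.war", "index.jsp"), "w") as fh:
        fh.write("<html>legitimate</html>")
    os.makedirs(os.path.join(base, "zecmd.war"))           # packaged-style webshell
    with open(os.path.join(base, "zecmd.war", "zecmd.jsp"), "w") as fh:
        fh.write("<%-- planted sample --%>")
    os.makedirs(os.path.join(base, "jbossinvoker"))        # exploded deployment
    return base


if __name__ == "__main__":
    for path, reason in scan_deploy_dir(build_sample_tree()):
        print(f"{reason}: {path}")
```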

Red Hat’s middleware software lets enterprises automate business processes as well as create and integrate applications, data, and devices. The vulnerability is more than six years old and Red Hat […]

