Cisco’s IR Services Team received information about the attack from a recent customer engagement and began examining the JBoss vectors used as the initial compromise point. The team scanned the Internet for vulnerable machines and uncovered about 3.2 million machines at risk.
The teams scanned machines already compromised that were waiting for a ransomware payload and discovered more than 2,100 backdoors installed in about 1,600 IP addresses.
Cisco Talos has been advising governments, schools, aviation companies and other organizations about the threat.
Follett ‘Destiny’ Software At Risk
A number of the systems had Follet “Destiny” software installed, a library management system that tracks school library assets used mainly in K-12 schools worldwide.
Cisco Talos notified Follett, which explained a patching system that patches systems from version 9.0-13.25 and captures any non-Destiny files on the system to assist in removing backdoors on the system.
Follett will contact customers that have suspicious files. Given the threat’s extensive reach, it is critical that all Destiny users ensure they have utilized the patch.
Follett asked Cisco Talos to tell customers that based on its internal security monitoring, Follet identified the issue and instantly moved to address and close the vulnerability. Follett said it takes data security seriously and continuously monitors systems for threats.
Webshells To Be Analyzed
Cisco Talos and Follett will continue working together to analyze webshells discovered on compromised servers and will ensure that customers are aware of how to best protect their networks.
Cisco Talos has realized there is more than one webshell on compromised JBoss servers and that it is critical to review the jobs status page contents.
Cisco Talos said it has seen various backdoors including “jbossinvoker,” “cmd,” “sh3ll,” “mela,” “genesis,” “shellinvoker,” and possibly “jobt” and “Inovkermngrt.” Many of these systems have been compromised by different actors several times.
Webshells are a significant security issue since it indicates an attacker has compromised the server and can control it remotely. A compromised web server can pivot and move laterally within a network.
A compromised host should be immediately taken down since it can be abused in various ways.
Resources Are Available
Software for the shell itself can be found at the following site:https://github.com/joaomatosf/jexboss
If a webshell has been installed on a server, the first step is to remove external access to the server to prevent adversaries from accessing it remotely. The user should also re-image the system and install updated versions of the software.
If it is not possible to completely rebuild, the next best option is to restore from a backup prior to the compromise and upgrade the server to a non-vulnerable version prior to returning it to production.
Running a reputable antivirus is also recommended.
Patching A Part Of Maintenance
Patching is a key aspect of software maintenance that is often neglected by both software makers and users. Any failures along the chain will result in the success of an attack.
Snort rules address the threat. The most current rule information can be found at the FireSIGHT Management Center of Snort.org.
Snort rules include:
• JBoss Server Vulnerabilities: 18794, 21516-21517, 24342-24343, 24642, 29909
• Web Shell: 1090,21117-21140,23829,23830,27729-27732,27966-27968,28323,37245
• Samas: 38279,38280, 38304,38360,38361
Additional rules can be released at a future date and existing rules are subject to change pending additional information. The most current rule information can be found at the FireSIGHT Management Center of Snort.org.
US-CERT has published an advisory concerning webshells. To access the advisory, go to: https://www.us-cert.gov/ncas/alserts/TA15-314A
Featured image from Shutterstock.