Cisco Talos Warns Of Ransomware Campaign From JBoss Backdoors | Hacked: Hacking Finance

Lester Coleman


Lester Coleman is a veteran business journalist based in the United States. He has covered the payments industry for several years and is available for writing assignments.


This article was posted on Tuesday, 21:21, UTC.

Cisco’s Talos team announced in a blog post on Friday that 3.2 million machines globally are at risk of a Samsam ransomware attack. According to Cisco Talos, the systems are exposed because they run unpatched versions of JBoss.


Cisco’s IR Services Team received information about the attack from a recent customer engagement and began examining the JBoss vectors used as the initial compromise point. The team scanned the Internet for vulnerable machines and uncovered about 3.2 million machines at risk.

The team also scanned for machines that had already been compromised and were waiting for a ransomware payload, and discovered more than 2,100 backdoors installed across about 1,600 IP addresses.

Cisco Talos has been advising governments, schools, aviation companies and other organizations about the threat.


Follett ‘Destiny’ Software At Risk

A number of the systems had Follett “Destiny” software installed, a library management system used mainly in K-12 schools worldwide to track school library assets.

Cisco Talos notified Follett, which explained that its patching process patches Destiny versions 9.0 through 13.25 and captures any non-Destiny files on the system to assist in removing backdoors from it.

Follett will contact customers that have suspicious files. Given the threat’s extensive reach, it is critical that all Destiny users ensure they have utilized the patch.

Follett asked Cisco Talos to tell customers that, based on its internal security monitoring, Follett identified the issue and immediately moved to address and close the vulnerability. Follett said it takes data security seriously and continuously monitors its systems for threats.

Webshells To Be Analyzed

Cisco Talos and Follett will continue working together to analyze webshells discovered on compromised servers and will ensure that customers are aware of how to best protect their networks.

Cisco Talos has found that compromised JBoss servers frequently host more than one webshell, so it is critical to review the contents of the jobs status page.

Cisco Talos said it has seen various backdoors including “jbossinvoker,” “cmd,” “sh3ll,” “mela,” “genesis,” “shellinvoker,” and possibly “jobt” and “Inovkermngrt.” Many of these systems have been compromised by different actors several times.

Webshells are a significant security issue because their presence indicates that an attacker has compromised the server and can control it remotely. From a compromised web server, an attacker can pivot and move laterally within the network.

A compromised host should be immediately taken down since it can be abused in various ways.
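The article lists the backdoor names Talos observed and notes that Follett’s cleanup captures any non-Destiny files, which together suggest a simple defender’s check: walk a JBoss deploy directory, flag deployments whose name matches a known webshell, and flag anything not on an operator-maintained allow-list. The script below is an added example, not Cisco Talos or Follett code. The deploy-directory layout, the allow-list contents and the sample files it builds are constructed assumptions; only the webshell names come from the article.

```python
"""Flag suspicious deployments in a JBoss deploy directory (added example).

Two checks are combined:
  1. deny-list: the webshell names the article reports Talos saw on compromised servers;
  2. allow-list: anything not in EXPECTED_DEPLOYMENTS is reported, in the spirit of
     Follett's "capture any non-Destiny files" cleanup.
The directory layout and the allow-list are assumptions for illustration.
"""
import tempfile
from pathlib import Path

# Backdoor names listed in the article; compared case-insensitively.
KNOWN_WEBSHELLS = {
    "jbossinvoker", "cmd", "sh3ll", "mela", "genesis",
    "shellinvoker", "jobt", "inovkermngrt",
}

# Hypothetical allow-list an operator would maintain for a Destiny host.
EXPECTED_DEPLOYMENTS = {"destiny.war"}

DEPLOY_SUFFIXES = (".war", ".jsp", ".sar", ".ear")


def deployment_name(path: Path) -> str:
    """Return the lower-cased name with any deployment suffix stripped."""
    name = path.name
    for suffix in DEPLOY_SUFFIXES:
        if name.lower().endswith(suffix):
            name = name[: -len(suffix)]
            break
    return name.lower()


def scan_deploy_dir(deploy_dir, expected=EXPECTED_DEPLOYMENTS):
    """Return {entry_name: [reasons]} for every suspicious top-level entry.

    Exploded deployments (directories) are also searched for nested .jsp files
    whose names match the known webshells, since a legitimate app can carry one.
    """
    findings = {}
    for entry in sorted(Path(deploy_dir).iterdir()):
        reasons = []
        if deployment_name(entry) in KNOWN_WEBSHELLS:
            reasons.append("known-webshell-name")
        if entry.name not in expected:
            reasons.append("unexpected-deployment")
        if entry.is_dir():
            for jsp in sorted(entry.rglob("*.jsp")):
                if deployment_name(jsp) in KNOWN_WEBSHELLS:
                    reasons.append(f"nested-webshell:{jsp.relative_to(entry)}")
        if reasons:
            findings[entry.name] = reasons
    return findings


def build_sample_deploy_dir() -> Path:
    """Create a constructed deploy directory: one clean app plus three suspicious entries.

    File contents are placeholders only; no shell code is written.
    """
    root = Path(tempfile.mkdtemp(prefix="jboss-deploy-"))
    (root / "destiny.war" / "WEB-INF").mkdir(parents=True)
    (root / "destiny.war" / "WEB-INF" / "web.xml").write_text("<web-app/>")
    (root / "destiny.war" / "index.jsp").write_text("<%-- legitimate page (constructed) --%>")
    (root / "cmd.war").write_bytes(b"PK\x03\x04")  # constructed: zip magic only
    (root / "jobt.jsp").write_text("<%-- constructed placeholder --%>")
    (root / "reports.war" / "WEB-INF").mkdir(parents=True)
    (root / "reports.war" / "Inovkermngrt.jsp").write_text("<%-- constructed placeholder --%>")
    return root


if __name__ == "__main__":
    sample = build_sample_deploy_dir()
    for name, reasons in scan_deploy_dir(sample).items():
        print(f"{name}: {', '.join(reasons)}")
```

The name match is only a first pass: an attacker can rename a shell, so the allow-list finding ("unexpected-deployment") is the one that should drive a review, and any hit at all on a host that has been exposed is a reason to follow the rebuild advice in the article rather than delete the file and move on.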


Resources Are Available

Software for the shell itself can be found at the following site: https://github.com/joaomatosf/jexboss

If a webshell has been installed on a server, the first step is to remove external access to the server to prevent adversaries from accessing it remotely. The user should also re-image the system and install updated versions of the software.

If it is not possible to completely rebuild, the next best option is to restore from a backup prior to the compromise and upgrade the server to a non-vulnerable version prior to returning it to production.

Running a reputable antivirus is also recommended.

Patching A Part Of Maintenance

Patching is a key aspect of software maintenance that is often neglected by both software makers and users. Any failure along the chain will result in a successful attack.

Snort rules address the threat. The most current rule information can be found at the FireSIGHT Management Center or Snort.org.

Snort rules include:
• JBoss Server Vulnerabilities: 18794, 21516-21517, 24342-24343, 24642, 29909
• Web Shell: 1090, 21117-21140, 23829, 23830, 27729-27732, 27966-27968, 28323, 37245
• Samas: 38279, 38280, 38304, 38360, 38361

Additional rules may be released at a future date, and existing rules are subject to change pending additional information.
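A sensor that has the rule set installed but has the relevant SIDs commented out gives no coverage, so an operator will want to confirm which of the SIDs above are actually present and enabled. The script below is an added example, not Cisco Talos or Snort.org code: it expands the SID ranges printed in the article, parses `sid:` values out of a rules file, treats commented-out rule lines as disabled, and reports enabled, disabled and missing SIDs per group. The rules file it reads is constructed with placeholder messages; the SID lists are the article’s.

```python
"""Audit a Snort rules file against the SIDs the article lists (added example)."""
import re

# SID lists exactly as printed in the article, grouped by threat.
ARTICLE_SIDS = {
    "JBoss Server Vulnerabilities": "18794, 21516-21517, 24342-24343, 24642, 29909",
    "Web Shell": "1090,21117-21140,23829,23830,27729-27732,27966-27968,28323,37245",
    "Samas": "38279,38280, 38304,38360,38361",
}

RULE_ACTIONS = ("alert", "drop", "pass", "log", "reject", "sdrop")
SID_RE = re.compile(r"\bsid\s*:\s*(\d+)\s*;")


def expand_sids(spec: str) -> set:
    """Expand '1, 5-7, 9' style text into {1, 5, 6, 7, 9}."""
    sids = set()
    for token in spec.split(","):
        token = token.strip()
        if not token:
            continue
        if "-" in token:
            lo, hi = token.split("-", 1)
            sids.update(range(int(lo), int(hi) + 1))
        else:
            sids.add(int(token))
    return sids


def parse_rules(text: str) -> dict:
    """Return {sid: enabled} for each rule line.

    A line whose body starts with a rule action is a rule; a leading '#' marks it
    disabled. Other comment lines are ignored even if they mention 'sid:'.
    """
    state = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        enabled = not line.startswith("#")
        body = line.lstrip("#").strip()
        if not body.startswith(RULE_ACTIONS):
            continue
        match = SID_RE.search(body)
        if match:
            state[int(match.group(1))] = enabled
    return state


def audit(rules_text: str, article=ARTICLE_SIDS) -> dict:
    """Per group: sorted lists of enabled, disabled (commented out) and missing SIDs."""
    state = parse_rules(rules_text)
    report = {}
    for group, spec in article.items():
        wanted = expand_sids(spec)
        report[group] = {
            "enabled": sorted(s for s in wanted if state.get(s) is True),
            "disabled": sorted(s for s in wanted if state.get(s) is False),
            "missing": sorted(s for s in wanted if s not in state),
        }
    return report


# Constructed rules file: placeholder messages, real SIDs from the article only.
SAMPLE_RULES = """\
# local.rules (constructed sample, not Snort.org content)
alert tcp $EXTERNAL_NET any -> $HOME_NET 8080 (msg:"CONSTRUCTED placeholder"; sid:18794; rev:1;)
alert tcp $EXTERNAL_NET any -> $HOME_NET 8080 (msg:"CONSTRUCTED placeholder"; sid:21516; rev:1;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET 8080 (msg:"CONSTRUCTED placeholder"; sid:21517; rev:1;)
alert tcp $EXTERNAL_NET any -> $HOME_NET 8080 (msg:"CONSTRUCTED placeholder"; sid:24342; rev:1;)
alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"CONSTRUCTED placeholder"; sid:1090; rev:1;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"CONSTRUCTED placeholder"; sid:21117; rev:1;)
alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"CONSTRUCTED placeholder"; sid:38279; rev:1;)
alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"CONSTRUCTED placeholder"; sid:38280; rev:1;)
# note: sid:99999 mentioned in a comment must not be counted as a rule
"""

if __name__ == "__main__":
    for group, result in audit(SAMPLE_RULES).items():
        print(group)
        for key, sids in result.items():
            print(f"  {key:8s} {len(sids):3d}  {sids if len(sids) <= 8 else sids[:8] + ['...']}")
```

The parser handles one rule per line, which is how distributed rule files are laid out; multi-line rules joined with a trailing backslash would need the lines concatenated before parsing. A SID that is "missing" may simply mean the rules download is out of date, which is the case the article's advice to fetch the current rule information addresses.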

US-CERT has published an advisory concerning webshells. To access the advisory, go to: https://www.us-cert.gov/ncas/alserts/TA15-314A

Featured image from Shutterstock.

