JBoss vulnerability highlights dangers of unpatched systems
April 22, 2016
Shah Sheikh

As many as 3.2 million computers running unpatched versions of the JBoss middleware software may be vulnerable to being used as vectors to distribute SamSam and other ransomware, reinforcing the ongoing problem of unpatched systems for enterprises. While scanning for machines with the JBoss vulnerability that had already been compromised, Cisco Talos discovered over 2,100 backdoors installed on systems connected to nearly 1,600 IP addresses.

Talos reported last week that unpatched versions of JBoss were being exploited, as evidenced by the presence of one or more webshells: scripts that can be uploaded to a Web server and which, when executed, enable remote administration of the server. The report is just the latest highlighting the need for organizations to be vigilant about patching production software.

“In this process we’ve learned that there is normally more than one webshell on compromised JBoss servers,” Talos threat researcher Alexander Chiu wrote. “We’ve seen several different backdoors including ‘mela,’ ‘shellinvoker,’ ‘jbossinvoker,’ ‘zecmd,’ ‘cmd,’ ‘genesis,’ ‘sh3ll’ and possibly ‘Inovkermngrt’ and ‘jbot.’ This implies that many of these systems have been compromised several times by different actors.”

Among the affected organizations were schools, governments and aviation companies, among others. Several of the infected systems were running Follett Destiny, a management system designed to keep track of school library assets and used in K-12 schools globally. Follett had identified the problem and released a fix that patched the JBoss vulnerability, and was also working with Talos to analyze the webshells being used by attackers.

“Webshells are a major security concern as it indicates an attacker has already compromised this server and can remotely control it,” Chiu wrote. “As a result, a compromised web server could be used to pivot and move laterally within an internal network.”

Talos recommended that compromised systems be taken down as soon as possible, starting by removing access to external networks to prevent attackers from reaching the system, followed by either re-imaging the system or restoring it from a backup made prior to the infection, and then upgrading the software to a non-vulnerable version before it is put back into production use.
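Before a JBoss host is pulled and re-imaged, a defender usually wants a quick triage check for the webshell names Talos reported. The following Python script is an added example written for this article, not code from Talos, Follett or TechTarget: it walks a JBoss deploy directory for packaged or exploded artifacts named after the listed webshells, and scans common-log-format access-log lines for requests whose first path segment matches one of them. The deploy tree, the sample log lines and the IP addresses are constructed for the demonstration; only the webshell names come from the article. A name match is a weak indicator on its own (an unrelated application could share a name such as "cmd"), so treat hits as leads for a manual look, not as proof of compromise.

```python
import os
import re
import tempfile

# Webshell names reported by Cisco Talos (quoted in the article). Everything
# else in this block, including the sample log and the directory tree, is
# constructed for illustration.
KNOWN_WEBSHELL_NAMES = {
    "mela", "shellinvoker", "jbossinvoker", "zecmd", "cmd",
    "genesis", "sh3ll", "inovkermngrt", "jbot",
}

# Artifact suffixes JBoss hot-deploys from its deploy directory.
DEPLOYABLE_SUFFIXES = (".war", ".ear", ".sar", ".jsp")

# Common-log-format request line: client IP first, request in quotes.
LOG_RE = re.compile(r'^(\S+) \S+ \S+ \[[^\]]*\] "(?:GET|POST|HEAD) (\S+)')

# Constructed sample access log: two benign requests, two webshell requests.
SAMPLE_ACCESS_LOG = [
    '203.0.113.5 - - [21/Apr/2016:10:01:02 +0000] "GET /library/index.jsp HTTP/1.1" 200 512',
    '203.0.113.5 - - [21/Apr/2016:10:01:03 +0000] "GET /zecmd/zecmd.jsp?comment=id HTTP/1.1" 200 88',
    '198.51.100.9 - - [21/Apr/2016:10:02:10 +0000] "POST /jbossinvoker/ HTTP/1.1" 200 64',
    '192.0.2.7 - - [21/Apr/2016:10:03:00 +0000] "GET /static/logo.png HTTP/1.1" 200 2048',
]


def artifact_stem(name):
    """Lower-cased artifact name with any deployable suffix removed."""
    lower = name.lower()
    for suffix in DEPLOYABLE_SUFFIXES:
        if lower.endswith(suffix):
            return lower[: -len(suffix)]
    return lower


def scan_deploy_dir(deploy_dir):
    """Return sorted paths of files or exploded directories named after a known webshell."""
    hits = []
    for root, dirs, files in os.walk(deploy_dir):
        for entry in dirs + files:
            if artifact_stem(entry) in KNOWN_WEBSHELL_NAMES:
                hits.append(os.path.join(root, entry))
    return sorted(hits)


def scan_access_log(lines):
    """Return (client_ip, path) for requests whose first path segment names a known webshell."""
    hits = []
    for line in lines:
        match = LOG_RE.match(line)
        if not match:
            continue  # not a request line we understand; skip rather than guess
        client_ip, path = match.groups()
        first_segment = path.split("?", 1)[0].strip("/").split("/", 1)[0]
        if artifact_stem(first_segment) in KNOWN_WEBSHELL_NAMES:
            hits.append((client_ip, path))
    return hits


def build_constructed_deploy_tree():
    """Create a throwaway deploy directory: two benign apps, two webshell-named artifacts."""
    base = tempfile.mkdtemp(prefix="jboss-deploy-")
    for benign in ("ROOT.war", "library.war"):
        open(os.path.join(base, benign), "wb").close()
    open(os.path.join(base, "zecmd.war"), "wb").close()   # packaged archive
    exploded = os.path.join(base, "jbossinvoker.war")     # exploded directory
    os.makedirs(exploded)
    open(os.path.join(exploded, "index.jsp"), "wb").close()
    return base


if __name__ == "__main__":
    deploy_dir = build_constructed_deploy_tree()
    for hit in scan_deploy_dir(deploy_dir):
        print("deploy hit:", hit)
    for client_ip, path in scan_access_log(SAMPLE_ACCESS_LOG):
        print("log hit:", client_ip, path)
```

On a real host you would point scan_deploy_dir at the server's actual deploy directory and feed scan_access_log the web server's access log; the script reports the constructed zecmd.war and jbossinvoker.war artifacts and the two matching requests. Because Talos found several differently named shells on the same machines, any hit should prompt a review of every deployed artifact, not just the one that matched.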

Most important, according to Talos, is making sure software patches are kept up to date. “Attackers aren’t ashamed to exploit old systems — it’s pragmatism over fashion for bad guys turning access into cash,” said Derek Soeder, security researcher at Cylance. “Particularly for indiscriminate attackers, even a small population of vulnerable systems exposed on the Internet is a worthwhile pool of potential victims.”

According to Sean Wilson, researcher at PhishMe, a threat management firm based in Leesburg, Va., Web frameworks are particularly vulnerable.

“We have seen attacks using webshells for quite some time now, often targeting Web frameworks such as WordPress and Joomla as these are widely deployed and managed by individual users,” Wilson said. “They have mature plug-in ecosystems allowing a deployment to include the base framework, which may not be vulnerable, but several out-of-date plug-ins which contain vulnerabilities allowing for exploitation.”

Source | TechTarget