2,100 servers are still infected, in danger of being exploited to deliver the SamSam ransomware variant

Apr 16, 2016 15:05 GMT

An aggressive ransomware distribution campaign has brought to Cisco security researchers' attention a vulnerability in the JBoss Java application platform that attackers seem to be using to break into enterprise servers and then spread ransomware to all connected clients.

The SamSam ransomware (initially known as Samas) was first detected by Microsoft in the middle of March, when the FBI also sent out an alert to all companies about a new threat utilizing a flaw in JBoss to infect their infrastructure.

After Intel and then Cisco both released reports and technical write-ups on how the ransomware authors operated, it became apparent that the initial clues discovered by Microsoft and the FBI were accurate and that crooks were exploiting vulnerabilities in older JBoss platforms running on servers in the public and private sectors.

Cisco continued to investigate, discovered more infected servers

Following their initial investigation, Cisco carried out thorough research on the prevalence of this JBoss vulnerability, a de-facto backdoor into any server running the JBoss platform.

Their study indicated that around 3.2 million Web servers were running outdated JBoss versions. Since Cisco got hold of some of the files left behind after the backdoor had been exploited, they could also further scan these 3.2 million servers for the presence of the backdoor in an inactive state.

This second search yielded 2,100 already-compromised servers, running on 1,600 different IPs, just waiting for the ransomware authors to turn their attention to them and deliver a ransomware payload.

From a brief look at the compromised servers, Cisco says that they belong to schools, governments, aviation companies, and more.

Other backdoors were also discovered

Besides the files specific to previous SamSam ransomware infections, researchers say they also found other well-known backdoors, such as "mela," "shellinvoker," "jbossinvoker," "zecmd," "cmd," "genesis," "sh3ll," and possibly "Inovkermngrt" and "jbot."

The presence of these other backdoors indicates that the SamSam ransomware operators are not the only crooks aware of and leveraging JBoss' vulnerabilities.

Once they discovered these threats, Cisco started notifying all affected parties. In a large number of cases, the affected servers belonged to schools that deployed JBoss as part of a Library Management System called Destiny, created by a company called Fellot.

While normally this would be the moment when we would present the appalling lack of professionalism of a company that put together a bad piece of software and later failed to respond to security researchers, this is actually the exact opposite case.

Cisco says that Fellot was running one of the most impressive patching systems they have seen and was able to patch all their software versions between 9.0 and 13.5, upgrading JBoss for their clients to avoid exploitation. They even captured non-Destiny files from the users' servers, effectively removing the backdoors from all their customers.

Backdoor was based on an open source JBoss server testing tool

Inspecting these files, Cisco was able to track the backdoor's code to a JBoss penetration testing tool called JexBoss, which was open-sourced on GitHub a while back.

Following their discovery, US-CERT issued a global advisory recommending that all administrators comb through their Web servers in search of webshells.
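As an added illustration of the kind of check the advisory calls for (not code from Cisco, US-CERT or the article), the script below walks a JBoss deploy directory and flags artifacts that either carry one of the backdoor names listed above or are not on the operator's allowlist of expected deployments, the same "non-Destiny files" idea Fellot applied; the directory tree, the allowlist names and the artifact suffixes are constructed assumptions.

```python
import tempfile
from pathlib import Path

# Backdoor / webshell names the article reports Cisco found alongside SamSam files.
KNOWN_BACKDOOR_NAMES = {
    "mela", "shellinvoker", "jbossinvoker", "zecmd", "cmd",
    "genesis", "sh3ll", "inovkermngrt", "jbot",
}

# Deployable artifact types worth inspecting in a deploy directory (assumed set).
DEPLOYABLE_SUFFIXES = {".war", ".ear", ".jar", ".jsp"}


def find_suspicious_deployments(deploy_dir, expected_names):
    """Return a sorted list of (relative_path, reason) for artifacts that are
    either a known backdoor name or absent from the expected-deployment allowlist.
    Name matching is only a first pass; a renamed shell will only trip the allowlist."""
    deploy_dir = Path(deploy_dir)
    expected = {name.lower() for name in expected_names}
    findings = []
    for path in deploy_dir.rglob("*"):          # files and exploded .war directories
        if path.suffix.lower() not in DEPLOYABLE_SUFFIXES:
            continue
        stem = path.stem.lower()
        rel = path.relative_to(deploy_dir).as_posix()
        if stem in KNOWN_BACKDOOR_NAMES:
            findings.append((rel, "matches known JBoss backdoor name"))
        elif stem not in expected:
            findings.append((rel, "not in expected deployment allowlist"))
    return sorted(findings)


def build_sample_deploy_dir():
    """Constructed sample tree (not real server data): two legitimate deployments,
    two known backdoor names, and a stray JSP dropped inside an exploded app."""
    root = Path(tempfile.mkdtemp(prefix="jboss-deploy-"))
    for rel in ("destiny.war", "jmx-console.war", "zecmd.war", "jbossinvoker.war",
                "ROOT.war/WEB-INF/web.xml", "ROOT.war/upload.jsp"):
        target = root / rel
        target.parent.mkdir(parents=True, exist_ok=True)
        target.write_text("placeholder")
    return root


if __name__ == "__main__":
    sample = build_sample_deploy_dir()
    for rel, reason in find_suspicious_deployments(sample, ["destiny", "jmx-console", "ROOT"]):
        print(f"{rel}: {reason}")
```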

Just yesterday, IBM also revealed the actions of another threat group that was utilizing the C99 PHP webshell to hijack servers via vulnerabilities in older WordPress plugins.