JBoss is middleware, now developed by Red Hat. It is a family of enterprise-class software used to build and integrate applications, data and devices, and to automate business processes.
According to Cisco Talos, the vulnerability that the SamSam ransomware uses as its entry point is present on about 3.2 million JBoss application servers. Moreover, the researchers found that thousands of these servers are already fitted with a backdoor, giving attackers a convenient way back in.
According to Cisco, the worst situation is in American K-12 schools (complete secondary education, from kindergarten to 12th grade) that run Destiny, library management software from Follett that gives access to school library resources. Destiny is used by more than 60,000 schools, and Follett has notified its customers that some of their servers carry a backdoor that can be used to launch a cyber-attack. Follett has already released a patch to fix the problem.
Cisco experts who took part in creating the patch note that attackers use a dedicated tool called JexBoss to compromise JBoss servers. Exploiting the vulnerability lets them install a web shell and backdoors, including ones named mela, shellinvoker, jbossinvoker and jbot, and the same servers get reinfected over and over again.
The JBoss vulnerability in question, CVE-2010-0738, was discovered more than five years ago and was patched immediately. It is an authentication bypass in the JMX console: the security constraint in the console's web.xml covered only the GET and POST methods, so a request sent with any other HTTP method (such as HEAD) reached the console without authentication. Since then JBoss AS has been renamed WildFly, but many companies still run the old JBoss versions (4.x and 5.x), because most of their applications were built on them.
As for SamSam, it is one of the latest ransomware families designed specifically to break in through vulnerable JBoss servers. Educational institutions such as schools and universities are at particular risk: according to the researchers, about 30% of schools in the USA are vulnerable to this kind of attack.
The researchers also note that, while SamSam is currently the most likely form of attack, it is not the only threat. Once an attacker controls the server, they can do whatever they want with it, including downloading additional tools. A compromised server can also be used for DDoS attacks, for mining bitcoins or as part of a botnet.
If you detect a backdoor, the experts recommend blocking external access to the JBoss server, re-imaging the system from a clean image and installing the latest version of the software. Patching alone is not enough, because the web shells already deployed keep working after the vulnerability is closed; if the host is to be investigated, preserve a copy of it before wiping.
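As an added example (not code from the article, from Cisco Talos or from Follett), the script below turns the two points above into a check a defender can run against a JBoss host: it probes /jmx-console/ with GET and HEAD, since the CVE-2010-0738 pattern is "GET is refused but another verb is served", and it looks for the web shell names the article lists. Two things are assumptions of this example, not statements from the article: that the shells are reachable under a /<name>/ path, and the JBoss 4.x/5.x URL layout. The responses at the bottom are constructed to stand in for a compromised host, so the script runs offline; pass a real base URL on the command line to probe a live server.

```python
"""Triage a JBoss host for the two conditions described in the article:
an unauthenticated or verb-tampering-exposed JMX console (CVE-2010-0738)
and web shells left behind by JexBoss-style compromise.
Example code, not from the original article, Cisco or Follett."""
import sys
import urllib.error
import urllib.request
from typing import Callable, Dict, List
from urllib.parse import urljoin

# (HTTP method, URL) -> status code.  Injected so the logic is testable offline.
Fetch = Callable[[str, str], int]

# Web shell names quoted in the article.  The "/<name>/" path layout below
# is an ASSUMPTION for illustration, not something the article states.
WEBSHELL_NAMES = ("mela", "shellinvoker", "jbossinvoker", "jbot")


class _NoRedirect(urllib.request.HTTPRedirectHandler):
    """Do not follow redirects: a 302 to a login page must not count as 200."""

    def redirect_request(self, req, fp, code, msg, headers, newurl):
        return None


def http_status(method: str, url: str, timeout: float = 5.0) -> int:
    """Live fetcher: return the raw HTTP status for one request."""
    req = urllib.request.Request(url, method=method)
    opener = urllib.request.build_opener(_NoRedirect())
    try:
        with opener.open(req, timeout=timeout) as resp:
            return resp.status
    except urllib.error.HTTPError as err:
        return err.code


def classify_jmx_console(base_url: str, fetch: Fetch) -> Dict[str, object]:
    """Compare GET and HEAD on /jmx-console/.
    CVE-2010-0738: the security constraint covered only GET and POST, so a
    HEAD that succeeds where GET is refused means the constraint is bypassable."""
    url = urljoin(base_url, "/jmx-console/")
    get, head = fetch("GET", url), fetch("HEAD", url)
    if get == 404 and head == 404:
        verdict = "not-deployed"
    elif get == 200:
        verdict = "open"            # no authentication at all
    elif get in (401, 403) and head == 200:
        verdict = "verb-tampering"  # CVE-2010-0738 pattern
    elif get in (401, 403):
        verdict = "protected"
    else:
        verdict = "unknown"
    return {"url": url, "GET": get, "HEAD": head, "verdict": verdict}


def find_webshells(base_url: str, fetch: Fetch, names=WEBSHELL_NAMES) -> List[str]:
    """Return the assumed shell URLs that answer 200 to a plain GET."""
    return [urljoin(base_url, f"/{name}/") for name in names
            if fetch("GET", urljoin(base_url, f"/{name}/")) == 200]


def triage(base_url: str, fetch: Fetch = http_status) -> Dict[str, object]:
    """Full report; 'isolate' is True when the host should be cut off and re-imaged."""
    report = classify_jmx_console(base_url, fetch)
    report["webshells"] = find_webshells(base_url, fetch)
    report["isolate"] = (report["verdict"] in ("open", "verb-tampering")
                         or bool(report["webshells"]))
    return report


def constructed_fetch(method: str, url: str) -> int:
    """CONSTRUCTED responses (not captured data) for a compromised JBoss 4.x host:
    the JMX console refuses GET but serves HEAD, and one shell is deployed."""
    path = "/" + url.split("/", 3)[3]
    if path == "/jmx-console/":
        return 200 if method == "HEAD" else 401
    if path == "/jbossinvoker/":
        return 200
    return 404


if __name__ == "__main__":
    if len(sys.argv) > 1:                       # live host, e.g. http://host:8080
        print(triage(sys.argv[1]))
    else:                                       # offline demo on constructed data
        print(triage("http://jboss.example:8080", constructed_fetch))
```

A "verb-tampering" or "open" verdict, or any shell hit, means the host should be taken off the network and rebuilt rather than just patched; the web shells survive a patch. The fetcher is deliberately injectable so the classification can be exercised offline and the same logic can later be pointed at HTTP logs instead of a live host.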