
Out-of-date apps put 3 million servers at risk of crypto ransomware infections


Reefa


More than 3 million Internet-accessible servers are at risk of being infected with crypto ransomware because they're running vulnerable software, including out-of-date versions of Red Hat's JBoss enterprise application, researchers from Cisco Systems said Friday.

 

About 2,100 of those servers have already been compromised by webshells that give attackers persistent control over the machines, making it possible for them to be infected at any time, the Cisco researchers reported in a blog post. The compromised servers are connected to about 1,600 different IP addresses belonging to schools, governments, aviation companies, and other types of organizations.

 

Some of the compromised servers belonged to school districts that were running the Destiny management system that many school libraries use to keep track of books and other assets. Cisco representatives notified officials at Destiny developer Follett Learning of the compromise, and the Follett officials said they fixed a security vulnerability in the program. Follett also told Cisco the updated Destiny software also scans computers for signs of infection and removes any identified backdoors.

 

As Ars reported last week, attackers pushing crypto ransomware recently escalated their assaults by exploiting vulnerabilities in unpatched versions of JBoss. At the time, Cisco researchers identified about 2 million vulnerable servers. Friday's blog post warning of 3 million susceptible servers suggests the risk has yet to be contained. It's also an indication the threat may get worse still, as vulnerabilities in additional server software are identified.

 

"If you find that a webshell has been installed on a server, there are several steps that need to be taken," Cisco researchers wrote in Friday's post. "Our first recommendation, if at all possible, is to remove external access to the server. This will prevent the adversaries from accessing the server remotely. Ideally, you would also re-image the system and install updated versions of the software." If rebuilding from scratch isn't feasible, the next best option is to restore the system from a backup made before it was compromised and install all available updates before returning the server to production.

 

source


What strain? The only known strain on Linux was Linux.Encoder.1, and it was easy to crack. Other than that it's mostly a Windows problem. It has to exist in order for it to be an outbreak.

http://www.zdnet.com/article/crypto-ransomware-strikes-linux-but-attackers-botch-private-key/

 

EPIC Fail — For the Third Time, Linux Ransomware CRACKED!

http://thehackernews.com/2016/01/linux-ransomware-decryption.html

 

The people who made Linux.Encoder.1 are noobs, most likely malware writers for Windows; they tried 3 times and failed :)



Figured out what strain:

 

No mas, Samas

https://blogs.technet.microsoft.com/mmpc/2016/03/17/no-mas-samas-whats-in-this-ransomwares-modus-operandi/

 

Is my JBoss / EAP Server Vulnerable to Samas Ransomware?

 

Environment

  • Red Hat JBoss Enterprise Application Platform 5.x
  • Red Hat JBoss Enterprise Application Platform 4.3.x
  • Red Hat JBoss Enterprise Application Platform 4.2.x
  • Red Hat JBoss SOA Platform (SOA-P) 5.x
  • Red Hat JBoss SOA Platform (SOA-P) 4.3.x

Issue

  • I've read warnings about the Samas ransomware and want to know if I'm vulnerable.
  • The Samas ransomware reportedly uses JBoss servers to conduct network scans; can that happen to me?
  • I've read the following internet articles: "No mas, Samas: What's in this ransomware's modus operandi?" and "FBI and Microsoft Warn of Samas Ransomware".
  • I'm concerned about Samas, SamSam, Kazi, or RDN/Ransomware.
  • Is my JBoss EAP deployment at risk from ransomware? I would just like to confirm that our JBoss deployment (EAP 6.4.x) does not need to be patched to be secure.

Resolution

Red Hat JBoss Enterprise product releases later than the versions listed below are not affected. Please ensure you're on one of these versions or a later version:

  • Red Hat JBoss Enterprise Application Platform (EAP) 5.0.1
  • Red Hat JBoss Enterprise Application Platform (EAP) 4.3 CP08
  • Red Hat JBoss Enterprise Application Platform (EAP) 4.2 CP09
  • Red Hat JBoss SOA-Platform (SOA-P) 5.0.1
  • Red Hat JBoss SOA-Platform (SOA-P) 4.3 CP03

JBoss Community Edition (since 2014 known as WildFly) releases of the JBoss Application Server prior to version 6.0.0.M3 are potentially vulnerable to this flaw if the default authentication settings are applied. Users of the community JBoss Application Server can secure their JMX Console on vulnerable versions by following the instructions here:

https://community.jboss.org/wiki/SecureTheJmxConsole

 

According to the latest FBI report, distributed by Reuters on Monday 28th March 2016, the attack utilizes JexBoss to find vulnerable JBoss systems. These attacks have leveraged out-of-date and unsecured systems to pivot to other systems on the network.

Red Hat always recommends that system administrators apply the latest patches appropriate for their environments to remediate flaws such as these and others.

Root Cause

Unpatched JBoss servers can become infected with Samas by exploiting the vulnerabilities addressed in CVE-2010-0738. A compromised server will begin scanning and mapping the networks the JBoss server is connected to, using a tool called reGeorg. The infected server will also use a rootkit called Derusbi to collect login information from network clients. The file payload of the attack encrypts user files on available internal computers using RSA-2048 encryption and notifies the end user with a request for payment.

 

https://access.redhat.com/documentation/en-US/Red_Hat_JBoss_Portal/5.1/html/Installation_Guide/Pre_Requisites-Hardware_and_Operating_System_Requirements.html

 

This is these people's own fault; if they can't afford a new O/S they should use free servers like Ubuntu, Debian or CentOS Linux, which is a free version of Red Hat.

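Two checks a defender can run against the exposure the Red Hat article describes, as an added example that is not from the forum post or from Red Hat. The first parses a jmx-console web.xml and flags any security constraint that lists explicit HTTP verbs: a constraint limited to GET and POST leaves every other verb unauthenticated, which is the gap CVE-2010-0738 covers, and removing the http-method elements makes the constraint apply to all verbs. The second scans web-server access-log lines for requests to /jmx-console that use a verb other than GET or POST, which is how a probe for that gap shows up on the server side. The web.xml fragments and log lines are constructed for the example (modelled on the shape of the stock descriptor and the common log format), and the function names are my own.

```python
"""Added example, not from the forum post or the Red Hat KB article.
Two defender-side checks for the JMX Console exposure behind CVE-2010-0738:
  audit_web_xml()   - flag <security-constraint> blocks with explicit <http-method>
                      entries (GET/POST only => every other verb skips the auth check)
  scan_access_log() - report requests to /jmx-console using any other verb
All inputs below are constructed for the example.
"""
import re
import xml.etree.ElementTree as ET

# Constructed web.xml in the shape of the stock jmx-console descriptor.
# WEAK: the auth-constraint only applies to GET and POST.
WEAK_WEB_XML = """<web-app>
  <security-constraint>
    <web-resource-collection>
      <web-resource-name>HtmlAdaptor</web-resource-name>
      <url-pattern>/*</url-pattern>
      <http-method>GET</http-method>
      <http-method>POST</http-method>
    </web-resource-collection>
    <auth-constraint><role-name>JBossAdmin</role-name></auth-constraint>
  </security-constraint>
</web-app>"""

# FIXED: no <http-method> elements, so the constraint covers every verb.
# Carries a namespace to show the audit copes with namespaced descriptors.
FIXED_WEB_XML = """<web-app xmlns="http://java.sun.com/xml/ns/j2ee">
  <security-constraint>
    <web-resource-collection>
      <web-resource-name>HtmlAdaptor</web-resource-name>
      <url-pattern>/*</url-pattern>
    </web-resource-collection>
    <auth-constraint><role-name>JBossAdmin</role-name></auth-constraint>
  </security-constraint>
</web-app>"""


def _local(tag):
    """Strip an XML namespace ('{uri}name' -> 'name') so lookups work either way."""
    return tag.rsplit("}", 1)[-1]


def audit_web_xml(xml_text):
    """Return one finding per security-constraint that restricts itself to listed verbs."""
    findings = []
    for sc in ET.fromstring(xml_text).iter():
        if _local(sc.tag) != "security-constraint":
            continue
        patterns, methods = [], []
        for el in sc.iter():
            name = _local(el.tag)
            if name == "url-pattern":
                patterns.append((el.text or "").strip())
            elif name == "http-method":
                methods.append((el.text or "").strip().upper())
        if methods:  # verbs not listed here are not subject to the auth-constraint
            findings.append({"patterns": patterns, "methods": methods})
    return findings


# Common/combined log format: ip ident user [ts] "METHOD path proto" status ...
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+)(?: \S+)?" (?P<status>\d{3})(?:\s|$)'
)


def scan_access_log(lines, protected_prefix="/jmx-console", allowed=("GET", "POST")):
    """Report requests under protected_prefix whose verb is outside the allowed set."""
    hits = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue  # not in common log format; skip rather than guess
        method, path = m.group("method").upper(), m.group("path")
        if path.startswith(protected_prefix) and method not in allowed:
            hits.append({"ip": m.group("ip"), "method": method,
                         "path": path, "status": int(m.group("status"))})
    return hits


# Constructed sample log lines (addresses and timestamps are made up).
SAMPLE_LOG = [
    '10.0.0.5 - - [28/Mar/2016:10:15:01 +0000] "GET /jmx-console/ HTTP/1.1" 401 0',
    '10.0.0.5 - - [28/Mar/2016:10:15:03 +0000] "HEAD /jmx-console/HtmlAdaptor HTTP/1.1" 200 0',
    '10.0.0.5 - - [28/Mar/2016:10:15:04 +0000] "POST /jmx-console/HtmlAdaptor HTTP/1.1" 401 0',
    '203.0.113.7 - - [28/Mar/2016:10:16:20 +0000] "GET /index.html HTTP/1.1" 200 512',
    'not a log line at all',
]

if __name__ == "__main__":
    print("weak web.xml findings:", audit_web_xml(WEAK_WEB_XML))
    print("fixed web.xml findings:", audit_web_xml(FIXED_WEB_XML))
    for hit in scan_access_log(SAMPLE_LOG):
        print("suspicious JMX console request:", hit)
```

In the sample log the HEAD request is the one to look at: it reaches the console path with a verb the weak constraint never checks and gets a 200 where the GET to the same area got a 401. A 200 on such a line on a server still running one of the affected versions is worth treating as the webshell-installation precursor the Cisco post describes, and the web.xml audit tells you whether that server is still exposed after the verb-restricted constraint has been replaced.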


4 minutes ago, steven36 said:

Is my JBoss / EAP Server Vulnerable to Samas Ransomware?

 

Nice extra info mate. I am sure a lot of people will find it useful.



34 minutes ago, Reefa said:

 

Nice extra info mate. I am sure a lot of people will find it useful.

Most people who use Linux servers don't know anything about Linux, and it's scary; you always need to keep it updated.

 

Why don't they just update to the latest version of WildFly? It's free (LGPL). This is what they call JBoss now: WildFly.

http://wildfly.org/news/2016/01/29/WildFly10-Released/

http://wildfly.org/downloads/



You are educating me now. I have never used anything other than Windows. :o



2 minutes ago, Reefa said:

You are educating me now. I have never used anything other than Windows. :o

You know what Java is, right? WildFly/JBoss is written in Java and implements the Java Platform, Enterprise Edition (Java EE) specification. It runs on multiple platforms.

 

WildFly is free and open-source software, while JBoss Enterprise Application Platform costs money. They need to switch servers over to open source if they can afford to maintain them, before the whole internet blows up lol :P



Archived

This topic is now archived and is closed to further replies.
