Reefa Posted April 17, 2016

More than 3 million Internet-accessible servers are at risk of being infected with crypto ransomware because they're running vulnerable software, including out-of-date versions of Red Hat's JBoss enterprise application, researchers from Cisco Systems said Friday. About 2,100 of those servers have already been compromised by webshells that give attackers persistent control over the machines, making it possible for them to be infected at any time, the Cisco researchers reported in a blog post. The compromised servers are connected to about 1,600 different IP addresses belonging to schools, governments, aviation companies, and other types of organizations.

Some of the compromised servers belonged to school districts that were running the Destiny management system that many school libraries use to keep track of books and other assets. Cisco representatives notified officials at Destiny developer Follett Learning of the compromise, and the Follett officials said they fixed a security vulnerability in the program. Follett also told Cisco the updated Destiny software also scans computers for signs of infection and removes any identified backdoors.

As Ars reported last week, attackers pushing crypto ransomware recently escalated their assaults by exploiting vulnerabilities in unpatched versions of JBoss. At the time, Cisco researchers identified about 2 million vulnerable servers. Friday's blog post warning of 3 million susceptible servers suggests the risk has yet to be contained. It's also an indication the threat may get worse still, as vulnerabilities in additional server software are identified.

"If you find that a webshell has been installed on a server, there are several steps that need to be taken," Cisco researchers wrote in Friday's post. "Our first recommendation, if at all possible, is to remove external access to the server. This will prevent the adversaries from accessing the server remotely. Ideally, you would also re-image the system and install updated versions of the software." If rebuilding from scratch isn't feasible, the next best option is to restore the system from a backup made before it was compromised and install all available updates before returning the server to production.

source
steven36 Posted April 17, 2016

What strain? The only known strain on Linux was Linux.Encoder.1 and it was easy to crack. Other than that it's mostly a Windows problem. It has to exist in order for it to be an outbreak.

http://www.zdnet.com/article/crypto-ransomware-strikes-linux-but-attackers-botch-private-key/

EPIC Fail — For the Third Time, Linux Ransomware CRACKED!
http://thehackernews.com/2016/01/linux-ransomware-decryption.html

The people who made Linux.Encoder.1 are noobs, most likely malware writers for Windows; they tried 3 times and failed.
steven36 Posted April 17, 2016

Figured out what strain: No mas, Samas
https://blogs.technet.microsoft.com/mmpc/2016/03/17/no-mas-samas-whats-in-this-ransomwares-modus-operandi/

Is my JBoss / EAP Server Vulnerable to Samas Ransomware?

Quote

Environment
Red Hat JBoss Enterprise Application Platform 5.x
Red Hat JBoss Enterprise Application Platform 4.3.x
Red Hat JBoss Enterprise Application Platform 4.2.x
Red Hat JBoss SOA Platform (SOA-P) 5.x
Red Hat JBoss SOA Platform (SOA-P) 4.3.x

Issue
I've read warnings about the Samas ransomware and want to know if I'm vulnerable. The Samas ransomware reportedly uses JBoss servers to conduct network scans; can that happen to me? I've read the following internet articles: "No mas, Samas: What's in this ransomware's modus operandi?" and "FBI and Microsoft Warn of Samas Ransomware". I'm concerned about Samas, SamSam, Kazi, or RDN/Ransomware. Is my JBoss EAP deployment at risk from ransomware? I would just like to confirm that our JBoss deployment (EAP 6.4.x) does not need to be patched to be secure.

Resolution
Red Hat JBoss Enterprise product releases later than the versions listed below are not affected. Please ensure you're on one of these versions, or a later version:
Red Hat JBoss Enterprise Application Platform (EAP) 5.0.1
Red Hat JBoss Enterprise Application Platform (EAP) 4.3 CP08
Red Hat JBoss Enterprise Application Platform (EAP) 4.2 CP09
Red Hat JBoss SOA-Platform (SOA-P) 5.0.1
Red Hat JBoss SOA-Platform (SOA-P) 4.3 CP03

JBoss Community Edition (after 2014 known as WildFly) releases of the JBoss Application Server prior to version 6.0.0.M3 are potentially vulnerable to this flaw if the default authentication settings are applied. Users of the community JBoss Application Server can secure their JMX Console on vulnerable versions by following the instructions here: https://community.jboss.org/wiki/SecureTheJmxConsole

According to the latest FBI report distributed by Reuters on Monday 28th March 2016, the attack utilizes JexBoss to find vulnerable JBoss systems. These attacks have leveraged out-of-date and unsecured systems to pivot attacks to other systems on the network. Red Hat always recommends that system administrators apply the latest patches appropriate for their environments to remediate flaws such as these and others.

Root Cause
Unpatched JBoss servers can become infected with Samas by exploiting the vulnerabilities addressed in CVE-2010-0738. A compromised server will begin scanning and mapping networks the JBoss server is connected to using a tool called reGeorg. The infected server will also use a rootkit called Derusbi to collect login information from network clients. The file payload of the attack is to encrypt user files on available internal computers using RSA-2048 encryption and notify the end user with a request for payment.

https://access.redhat.com/documentation/en-US/Red_Hat_JBoss_Portal/5.1/html/Installation_Guide/Pre_Requisites-Hardware_and_Operating_System_Requirements.html

It's these people's own fault. If they can't afford a new OS they should use free servers like Ubuntu, Debian or CentOS Linux; it is a free version of Red Hat.
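The root cause the Red Hat note above cites, CVE-2010-0738, is an HTTP verb tampering bypass of the JMX console: the jmx-console's <security-constraint> in WEB-INF/web.xml enumerated only GET and POST in <http-method> elements, so a request using any other verb (HEAD in particular) reached the console without authentication. The fix in the "secure the JMX console" guidance amounts to listing no <http-method> at all, so the constraint applies to every verb. The audit script below is an added example written for this thread; it is not code from the post, from Red Hat or from the JBoss/WildFly project. The two descriptors it parses are constructed samples modelled on the shape of a jmx-console web.xml, and the function names are my own.

```python
"""Audit a JBoss jmx-console WEB-INF/web.xml for the CVE-2010-0738 weakness.

A <security-constraint> that enumerates <http-method> elements only
covers the verbs it lists; every other verb is dispatched without the
<auth-constraint> being enforced. A constraint with no <http-method>
covers all verbs, which is the hardened form.
"""
import xml.etree.ElementTree as ET

# Verbs a scanner would try against a constraint that lists only GET/POST.
ALL_VERBS = {"GET", "POST", "HEAD", "PUT", "DELETE", "OPTIONS", "TRACE"}

# Constructed sample (not copied from any JBoss release) with the weak
# GET/POST-only constraint that CVE-2010-0738 describes.
WEAK_WEB_XML = """<web-app>
  <security-constraint>
    <web-resource-collection>
      <web-resource-name>HtmlAdaptor</web-resource-name>
      <url-pattern>/*</url-pattern>
      <http-method>GET</http-method>
      <http-method>POST</http-method>
    </web-resource-collection>
    <auth-constraint>
      <role-name>JBossAdmin</role-name>
    </auth-constraint>
  </security-constraint>
  <login-config>
    <auth-method>BASIC</auth-method>
    <realm-name>JBoss JMX Console</realm-name>
  </login-config>
  <security-role>
    <role-name>JBossAdmin</role-name>
  </security-role>
</web-app>
"""

# Constructed sample with no security-constraint at all (console left open),
# written with the Java EE namespace to exercise namespace-agnostic matching.
OPEN_WEB_XML = """<web-app xmlns="http://java.sun.com/xml/ns/javaee" version="2.5">
  <display-name>JMX Console</display-name>
</web-app>
"""


def _local(tag):
    """Strip a namespace prefix: '{http://...}web-app' -> 'web-app'."""
    return tag.rsplit("}", 1)[-1]


def _find_all(elem, name):
    """All elements under elem (inclusive) whose local tag name is `name`."""
    return [e for e in elem.iter() if _local(e.tag) == name]


def audit_jmx_console(web_xml):
    """Return an audit dict for one descriptor.

    protected      -- some <security-constraint> carries an <auth-constraint>
    verb_tampering -- an auth-constrained collection enumerates <http-method>,
                      so verbs it does not list bypass authentication
    unlisted_verbs -- the verbs from ALL_VERBS that would bypass it
    """
    root = ET.fromstring(web_xml)
    result = {"protected": False, "verb_tampering": False, "unlisted_verbs": []}
    for sc in _find_all(root, "security-constraint"):
        if not _find_all(sc, "auth-constraint"):
            continue  # no auth-constraint: this collection is not access-controlled
        result["protected"] = True
        listed = {m.text.strip().upper() for m in _find_all(sc, "http-method") if m.text}
        if listed:
            result["verb_tampering"] = True
            result["unlisted_verbs"] = sorted(ALL_VERBS - listed)
    return result


def harden(web_xml):
    """Drop every <http-method> so each constraint applies to all verbs."""
    root = ET.fromstring(web_xml)
    for wrc in _find_all(root, "web-resource-collection"):
        for method in _find_all(wrc, "http-method"):
            wrc.remove(method)
    return ET.tostring(root, encoding="unicode")


if __name__ == "__main__":
    print("weak:    ", audit_jmx_console(WEAK_WEB_XML))
    print("hardened:", audit_jmx_console(harden(WEAK_WEB_XML)))
    print("open:    ", audit_jmx_console(OPEN_WEB_XML))
```

Run it against the real descriptor with `audit_jmx_console(open("jmx-console.war/WEB-INF/web.xml").read())`. The check flags any auth-constrained collection that enumerates verbs; a descriptor can in principle cover the remaining verbs with a second constraint, so treat a hit as something to review rather than proof of exposure. A result of `protected: False` means the console has no auth-constraint at all, which is worse than the verb tampering case: nothing requires a login for any verb. None of this replaces the upgrade Red Hat recommends above; it only tells you whether the descriptor you are running still has the weak shape.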
Reefa Posted April 17, 2016 Author

4 minutes ago, steven36 said:
Is my JBoss / EAP Server Vulnerable to Samas Ransomware?

Nice extra info mate. I am sure a lot of people will find it useful.
steven36 Posted April 17, 2016

34 minutes ago, Reefa said:
Nice extra info mate. I am sure a lot of people will find it useful.

Most people who use Linux servers don't know anything about Linux, and it's scary; you always need to keep it updated. Why don't they just update to the latest version of WildFly? It's free (LGPL). This is what they call JBoss now: WildFly
http://wildfly.org/news/2016/01/29/WildFly10-Released/
http://wildfly.org/downloads/
Reefa Posted April 17, 2016 Author

You are educating me now. I have never used anything other than Windows.
steven36 Posted April 17, 2016

2 minutes ago, Reefa said:
You are educating me now. I have never used anything other than Windows.

You know what Java is, right? WildFly/JBoss is written in Java and implements the Java Platform, Enterprise Edition (Java EE) specification. It runs on multiple platforms. WildFly is free and open-source software while JBoss Enterprise Application Platform costs money. They need to switch servers over to open source if they can afford to maintain them, before the whole internet blows up lol