As many as 3.2 million computers running unpatched versions of the JBoss middleware software may be vulnerable to being used as vectors to distribute SamSam and other ransomware, reinforcing the ongoing problem of unpatched systems for enterprises. While scanning for machines with the JBoss vulnerability that had already been compromised, Cisco Talos discovered over 2,100 backdoors installed on systems connected to nearly 1,600 IP addresses.
Talos reported last week that exploitation of the unpatched JBoss versions was evidenced by the presence of one or more webshells, which are scripts that can be uploaded to a Web server and which, when executed, give an attacker remote command execution and administration of the server. The report is just the latest to highlight the need for organizations to be vigilant about patching production software.
"In this process we've learned that there is normally more than one webshell on compromised JBoss servers," Talos threat researcher Alexander Chiu wrote. "We've seen several different backdoors including 'mela,' 'shellinvoker,' 'jbossinvoker,' 'zecmd,' 'cmd,' 'genesis,' 'sh3ll' and possibly 'Inovkermngrt' and 'jbot.' This implies that many of these systems have been compromised several times by different actors."
The affected organizations included schools, governments and aviation companies, among others. Many of the infected systems were running Follett Destiny, a management system designed to keep track of school library assets and used in K-12 schools globally. Follett had identified the problem and released a fix that patched the bundled JBoss vulnerability, and was also working with Talos to analyze the webshells being used by attackers.
"Webshells are a major security concern as it indicates an attacker has already compromised this server and can remotely control it," Chiu wrote. "As a result, a compromised web server could be used to pivot and move laterally within an internal network."
Talos recommended that compromised systems be taken down as soon as possible, starting by removing access to external networks to prevent attackers from accessing the system, followed by either re-imaging the system or restoring it from backup made prior to the infection and then upgrading the software to a non-vulnerable version before it is put back into production use.
Most important, according to Talos, is making sure software patches are kept up to date. "Attackers aren't ashamed to exploit old systems -- it's pragmatism over fashion for bad guys turning access into cash," said Derek Soeder, security researcher at Cylance. "Particularly for indiscriminate attackers, even a small population of vulnerable systems exposed on the Internet is a worthwhile pool of potential victims."
According to Sean Wilson, researcher at PhishMe, a threat management firm based in Leesburg, Va., Web frameworks that rely on third-party plug-ins are a particularly common target for webshell attacks.
"We have seen attacks using webshells for quite some time now, often targeting Web frameworks such as WordPress and Joomla as these are widely deployed and managed by individual users," Wilson said. "They have mature plug-in ecosystems allowing a deployment to include the base framework, which may not be vulnerable, but several out-of-date plug ins which contain vulnerabilities allowing for exploitation."
JexBoss webshell tool and the old JBoss vulnerability
The webshells were planted on the exploited servers with JexBoss, an open source tool for testing and exploiting vulnerabilities in JBoss Application Server. JexBoss is available on GitHub and has legitimate uses for penetration testing and auditing. Talos reported last month that JexBoss was being used to spread SamSam ransomware variants. Unlike more traditional ransomware attacks, which are distributed through phishing or exploit kits, SamSam gains a foothold on servers and then spreads laterally through the victim network.
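Before a compromised host is isolated and rebuilt as Talos recommends, responders usually want to know which hosts actually served a webshell and from where. The script below is an added example (not Talos's or JexBoss's own code) that runs over Web server access logs and flags requests whose path contains one of the webshell names Talos listed, or that touch the JBoss invoker endpoints JexBoss is known to probe when deploying a shell. The log lines are constructed, and the invoker paths are an assumption drawn from the tool's published checks rather than from the article.

```python
"""Triage JBoss access logs for webshell and JexBoss-style invoker activity.

Added example; the log lines are constructed and the INVOKER_PATHS list is an
assumption about which endpoints JexBoss probes, not data from the report."""

import re
from typing import List, NamedTuple, Optional

# Webshell names Talos observed on compromised JBoss servers (lower-cased).
WEBSHELL_NAMES = {
    "mela", "shellinvoker", "jbossinvoker", "zecmd", "cmd",
    "genesis", "sh3ll", "inovkermngrt", "jbot",
}

# JBoss AS deployment endpoints an attacker pushes a WAR through when the
# server is unpatched. Assumption: these are the paths JexBoss targets.
INVOKER_PATHS = (
    "/invoker/JMXInvokerServlet",
    "/invoker/EJBInvokerServlet",
    "/jmx-console/",
    "/web-console/Invoker",
)

# Common Log Format: ip ident user [time] "METHOD /path HTTP/x" status size
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3})'
)


class Hit(NamedTuple):
    ip: str
    method: str
    path: str
    status: int
    reason: str


def classify(path: str) -> Optional[str]:
    """Return why a request path is suspicious, or None if it looks benign."""
    low = path.split("?", 1)[0].lower()
    for prefix in INVOKER_PATHS:
        if low.startswith(prefix.lower()):
            return "invoker endpoint"
    # Webshells are deployed as their own context, e.g. /mela/mela.jsp,
    # so check every path segment with its extension stripped.
    for seg in (s for s in low.split("/") if s):
        base = seg.rsplit(".", 1)[0]
        if base in WEBSHELL_NAMES:
            return f"webshell name '{base}'"
    return None


def find_webshell_hits(lines: List[str]) -> List[Hit]:
    """Parse CLF lines and return every request that classify() flags."""
    hits = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue  # unparseable line; a real tool would count these
        reason = classify(m["path"])
        if reason:
            hits.append(Hit(m["ip"], m["method"], m["path"],
                            int(m["status"]), reason))
    return hits


def confirmed_hosts(hits: List[Hit]) -> List[str]:
    """Source IPs whose suspicious requests were answered with 200, i.e. the
    shell or invoker actually responded rather than 404ing a blind probe."""
    return sorted({h.ip for h in hits if h.status == 200})


# Constructed sample log: one operator driving an invoker then a shell, a
# second operator using a different shell, normal app traffic, and a probe
# for a shell that was not present.
SAMPLE_LOG = [
    '203.0.113.7 - - [10/Apr/2016:03:12:01 +0000] "HEAD /invoker/JMXInvokerServlet HTTP/1.1" 200 0',
    '203.0.113.7 - - [10/Apr/2016:03:12:04 +0000] "POST /invoker/JMXInvokerServlet HTTP/1.1" 200 1432',
    '203.0.113.7 - - [10/Apr/2016:03:12:09 +0000] "GET /mela/mela.jsp?ppp=whoami HTTP/1.1" 200 512',
    '198.51.100.3 - - [10/Apr/2016:03:15:44 +0000] "GET /zecmd/zecmd.jsp HTTP/1.1" 200 611',
    '192.0.2.20 - - [10/Apr/2016:03:20:10 +0000] "GET /destiny/index.html HTTP/1.1" 200 8812',
    '192.0.2.21 - - [10/Apr/2016:03:21:00 +0000] "GET /cmd/cmd.jsp HTTP/1.1" 404 210',
]

if __name__ == "__main__":
    found = find_webshell_hits(SAMPLE_LOG)
    for h in found:
        print(f"{h.ip:14} {h.method:5} {h.status} {h.path}  <- {h.reason}")
    print("hosts with a responding shell/invoker:", confirmed_hosts(SAMPLE_LOG and found))
```

A 404 against a shell name is still worth keeping: it shows which sources are scanning for shells, and a subsequent 200 from the same source on a different name is the compromise. The name "cmd" is generic enough to collide with legitimate paths, so hits on it should be reviewed rather than acted on automatically.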
Experts agreed that the large number of vulnerable systems highlights the need to be consistent in regularly patching installed software.
"These patches were released years ago, but IT pros and individuals have been notorious for not applying security fixes," said Norman Guadagno, chief evangelist at Carbonite, a data protection company based in Boston. "In this case, hackers identified an opportunity in educational IT systems, but as we've seen, it's industry-agnostic. This is yet another reminder of why IT administrators need to revisit their security postures and policies."
Dealing with the patches
"Patch management and keeping systems current isn't easy. There is a complex set of interdependencies among systems and applications, and this can make decisions to update difficult," said Jack Danahy, CTO at endpoint security startup Barkly Protects Inc., based in Boston. The JBoss vulnerability made the exploits against the schools possible, but the product that needed to be updated was Follett's Destiny library management system, which bundles JBoss. If systems administrators were not aware of Destiny's dependence on JBoss, the existence of the JBoss vulnerability "would not have triggered any urgency in updating their library management system."
Patching may be key, but it is not always easy for organizations with limited resources. "Resource-poor organizations must factor in some future patching effort when planning project costs," said Yishai Beeri, director of cybersecurity research at CloudLock, a cloud access security broker (CASB) and cybersecurity-as-a-service provider based in Waltham, Mass. "Even a periodic patching 'sweep,' while not as tight as a continuous effort, can mitigate many of the long-lived exploits such as this one. At the very least, patching public facing systems should be made a priority."
"The population of vulnerable systems over time tends to have a long tail," Soeder said. "Sometimes it's due to negligence, but often organizations just don't know everything they're running, whether because of a lapse of process or because the vulnerable software is embedded inside another product." Soeder explained that there are many other reasons software goes unpatched, including that the system administrators don't realize that the software they're running is vulnerable or because they aren't getting updates from vendors.
In some cases, the admins don't have the resources to apply the patch, or they attempted to apply the fixes but for some reason the patches didn't take effect; "sometimes this is as simple as forgetting to reboot after patching," Soeder said. "Attackers are opportunists, and any of these failures is an opportunity."
Which unpatched, unsupported framework or platform is next?
"In many ways, this appears to be a typical ransomware offense," Guadagno said. "These attackers are not reinventing the wheel; they are just preying on known vulnerabilities and doing it cheaply."
Attackers are likely to continue to target servers running unpatched frameworks with vulnerable plug-ins, according to Wilson: "Although we may see ransomware spreading to some of these services, we'll likely continue to see them used as relays or endpoints to drop malicious payloads. Company portals or other enterprise endpoints are a much better target for server side ransomware as the impact is much greater than a personal user's blog. Combining this with an existing working exploit makes targeting these that much more profitable for actors."
"There are hundreds of widely used frameworks with exploitable vulnerabilities that have not been universally updated yet [such as] OpenSSL, Tomcat, Java," said Kymberlee Price, senior director of researcher operations at Bugcrowd, a security testing vendor based in San Francisco. "Each of these libraries and hundreds more may be used in multiple unique applications within a network, requiring IT staff to patch the same underlying vulnerability repeatedly."
"Systems that are not properly structured or maintained are generally the most at risk," Guadagno said. "The most obvious platform at risk right now is Windows XP. It is no longer supported, but is still in use by an estimated 250 million. Additionally, Microsoft Server 2003 is nearing end of life. These will likely become prime targets for ransomware actors."
What can be done to prevent further vulnerabilities?
"Pay me now or pay me later, if you don't invest in defending your environment and data to begin with, it will inevitably cost you later," Price said. "For developers that use third-party libraries, implementing a code scanning tool like BlackDuck can help you keep on top of your library security."
Price also recommended combining code scanning results with a threat intelligence feed so that the highest-risk issues are fixed first, and using automation to make the most of limited staff. Scanning for out-of-date software with network monitoring tools, implementing network access control and intrusion detection, and running antivirus and malware removal tools on individual systems can all help, according to Price.
"Look for a local OWASP chapter to join, meet people with security knowledge, listen, learn," Soeder said. "There are lots of security practitioners who are resource-strapped and consequently become very resourceful."
"If you can't find any security advisories for a product, be wary," Soeder said, as it might mean that "either no one's tested the product's security, or the vendor has an immature or nonexistent security process. They should have a well-defined process for notifying their customers of security issues, and they should provide security patches -- for free -- even after mainstream support ends. If possible, switching to cloud-based systems where security is handled by the provider takes a lot of burden off of an organization."
"Patch management is no longer simply about installing operating system updates on Tuesdays," Danahy said. "The exposed and vulnerable surface of organizations has expanded to include hundreds of packages. As IT organizations look to add new capabilities and products, they need to consider updates and patches for that new addition in the budgeting and planning for the future."
"Prevention is the best medicine," said Brett Hansen, Dell's executive director of end-user computing. While organizations can do a lot with an in-house IT generalist or limited budget, to maximize their resources, organizations need to prioritize security. "Every organization needs to prioritize software maintenance as well as the deployment of patches in order to reduce the areas of vulnerability in the IT infrastructure. Ensuring these are up to date will help organizations of all sizes minimize their risk profile from the outset."
Finally, Hansen said: "It is important to back up data offsite so that if you are attacked by ransomware, you can move on from it. Your data isn't lost forever."
"Time and time again -- first demonstrated in the series of attacks on hospitals -- we're seeing hackers target large organizations that rely on computer systems to perform critical business functions," Guadagno said. "Backup was once perceived to be a nice-to-have. It's now a must-have."