Over 3 Million Servers at Risk of Ransomware Due to Out-of-Date Apps
By Jef Cozza / CRM Daily
Published: April 18, 2016
Out-of-date software may not seem like the biggest problem in the world, but a new report from information security researchers finds that it may be responsible for putting more than 3 million servers at risk of ransomware attacks. In fact, the researchers found just over 2,100 backdoors already installed across nearly 1,600 IP addresses belonging to schools, governments, aviation companies, and others.

The threat of ransomware, an attack in which malware encrypts a victim's data and demands payment in exchange for the key needed to recover it, has grown dramatically in recent years. But the practice of targeting servers rather than individual machines appears to be a relatively new development.

A New Threat

The warning comes from Talos, a threat intelligence group owned by Cisco. According to the group, the backdoors it uncovered were planted through vulnerabilities in out-of-date versions of the JBoss application server, part of a Java-based portfolio of enterprise middleware developed by Red Hat. Talos said it had been investigating JBoss as an attack vector following the recent ransomware campaign that compromised servers with the Samsam malware package.

“Targeting vulnerabilities in servers to spread ransomware is a new dimension to an already prolific threat,” Talos wrote in a blog post Friday. “As part of this investigation, we scanned for machines that were already compromised and potentially waiting for a ransomware payload. We found just over 2,100 backdoors installed across nearly 1600 IP addresses.”

Some of the compromised servers belonged to schools running Follett's Destiny software, a library management system that keeps track of school library books and other items, Talos said. Follett has issued a fix for the vulnerability, and the researchers said it was "imperative" that all Destiny users install the patch.

In the course of its investigation, Talos found a number of webshells on compromised servers. A webshell is a script (on JBoss, typically a JSP page or a WAR file) that an attacker deploys to a Web server so that commands sent in ordinary HTTP requests are executed on the host, giving the attacker remote control of the system through the same port the server legitimately exposes. The group found that compromised servers running JBoss typically had more than one webshell installed.

“We've seen several different backdoors including 'mela,' 'shell invoker,' 'jbossinvoker,' 'zecmd,' 'cmd,' 'genesis,' 'sh3ll' and possibly 'Inovkermngrt' and 'jbot,'" the company wrote on its blog. “This implies that many of these systems have been compromised several times by different actors.”
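As an added example (not code from the article or from Cisco Talos), the following script shows how an administrator could triage a JBoss deployment directory for the kind of webshells described above. It flags deployed artifacts whose names match the backdoor names in the Talos quote and JSP pages that contain command-execution code. The backdoor names come from the article; the directory layout, the JSP heuristics, the file-name handling and the sample deployment tree are assumptions made for illustration, and a hit from the content heuristic is a lead to review by hand, not proof of compromise.

```python
"""Added example, not from the article or Cisco Talos: triage a JBoss
deployment directory for likely webshells.

Two checks are applied to every file under the directory:
  1. the file name, or the name of any exploded-WAR directory above it,
     matches one of the backdoor names quoted from the Talos post;
  2. a JSP/JSPX page contains Java constructs webshells use to run OS
     commands (heuristic; legitimate code can also use them).
The sample deployment tree at the bottom is constructed for the demo."""
import re
import tempfile
from pathlib import Path

# Backdoor names quoted in the Talos post, normalised to lower case.
TALOS_WEBSHELL_NAMES = {
    "mela", "shell invoker", "jbossinvoker", "zecmd", "cmd",
    "genesis", "sh3ll", "inovkermngrt", "jbot",
}

# Command-execution primitives commonly found in JSP webshells.
# Assumed heuristics for illustration; tune them for your own code base.
EXEC_PATTERNS = [
    re.compile(r"Runtime\.getRuntime\(\)\.exec\s*\("),
    re.compile(r"new\s+ProcessBuilder\s*\("),
    re.compile(r'request\.getParameter\s*\(\s*"(?:cmd|exec|command)"\s*\)'),
]

def _base_name(name):
    """'zecmd.jsp' -> 'zecmd', 'genesis.war' -> 'genesis' (assumed suffixes)."""
    name = name.lower()
    for suffix in (".war", ".jsp", ".jspx"):
        if name.endswith(suffix):
            return name[: -len(suffix)]
    return name

def scan_deploy_dir(deploy_dir):
    """Return {relative_path: [reason, ...]} for every suspicious file."""
    root = Path(deploy_dir)
    findings = {}
    for path in sorted(root.rglob("*")):
        if not path.is_file():
            continue
        rel = path.relative_to(root)
        reasons = []
        # Name check covers the file itself and any exploded-WAR directory above it.
        for part in rel.parts:
            if _base_name(part) in TALOS_WEBSHELL_NAMES:
                reasons.append("'%s' matches a Talos-listed backdoor name" % part)
        # Content check only makes sense for server-side page sources.
        if path.suffix.lower() in (".jsp", ".jspx"):
            text = path.read_text(errors="replace")
            for pat in EXEC_PATTERNS:
                if pat.search(text):
                    reasons.append("JSP contains command-execution code: " + pat.pattern)
                    break
        if reasons:
            findings[rel.as_posix()] = reasons
    return findings

# Constructed sample deployment tree (not real indicators of compromise).
SAMPLE_FILES = {
    "library.war/index.jsp": '<html><%= "Catalogue" %></html>',
    "library.war/report.jsp": '<% String t = request.getParameter("title"); out.print(t.length()); %>',
    "zecmd.jsp": ('<%@ page import="java.io.*" %>'
                  '<% String c = request.getParameter("comment");'
                  ' Process p = Runtime.getRuntime().exec(c); %>'),
    "genesis.war/index.jsp": '<% new ProcessBuilder("sh", "-c", request.getParameter("x")).start(); %>',
}

def build_sample_deploy_dir():
    """Write SAMPLE_FILES into a fresh temporary directory and return its path."""
    base = Path(tempfile.mkdtemp(prefix="jboss-deploy-"))
    for rel, body in SAMPLE_FILES.items():
        target = base / rel
        target.parent.mkdir(parents=True, exist_ok=True)
        target.write_text(body)
    return base

if __name__ == "__main__":
    deploy = build_sample_deploy_dir()
    for rel_path, reasons in scan_deploy_dir(deploy).items():
        print(rel_path)
        for reason in reasons:
            print("   ", reason)
```

Run against a real server, point `scan_deploy_dir` at the JBoss `deploy` or `deployments` directory; a match on the name list alone is worth isolating the host over, since those names have no legitimate reason to appear, while a content-only hit on an application's own JSP needs a look at the page before acting.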

The Webshell Threat

Talos said that webshells are a major security concern since they can indicate that an attacker has already compromised a server and can control it remotely. As a result, a compromised Web server could be used to pivot and move laterally within an internal network.

The group recommended that enterprises take compromised servers offline immediately, as they could be misused in a number of ways. Servers hosting JBoss, for example, were heavily involved in the recent Samsam attacks, Talos said. Admins who discover webshells on their servers should first remove external access to those servers so that the attackers can no longer reach the compromised machines remotely.

Ideally, enterprises should also re-image compromised systems and install updated versions of all software to deny hackers future access, according to Talos. Barring that, the group recommended restoring from a backup prior to the compromise, followed by an upgrade of the servers to non-vulnerable versions before returning them to production.


© Copyright 2017 NewsFactor Network. All rights reserved. Member of Accuserve Ad Network.