Schools put on high alert for JBoss ransomware exploit

More than 2,000 machines are ready to be infected, Cisco says


More than 2,000 machines at schools and other organizations have been infected with a backdoor in unpatched versions of JBoss that could be used at any moment to install ransomware such as Samsam.

That's according to Cisco's Talos threat-intelligence organization, which on Friday announced that roughly 3.2 million machines worldwide are at risk.

Many of those already infected run Follett's Destiny library-management software, which is used by K-12 schools worldwide.

"Follett identified the issue and immediately took actions to address and close the vulnerability," the company told Cisco.

Follett provides patches for systems running versions 9.0 through 13.5 of its software and says it will help remove any backdoors. Its technical support staff will reach out to customers found to have suspicious files on their systems.

Governments and aviation companies are also among the organizations affected, Cisco said.

Compromised JBoss servers typically contain more than one Web shell, Talos advised, so it's important to review the contents of a server's jobs status page. "This implies that many of these systems have been compromised several times by different actors," the company said.

Web shells are scripts that indicate an attacker has already compromised a server and can remotely control it. The web shells associated with this exploit are listed in Talos's blog post.

Companies that find a Web shell installed should begin by removing external access to the server, Talos said.

"Ideally, you would also re-image the system and install updated versions of the software," it said. "If for some reason you are unable to rebuild completely, the next best option would be to restore from a backup prior to the compromise and then upgrade the server to a non-vulnerable version before returning it to production."
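The review step Talos recommends can be partly automated. The following is an added example, not code from the article or from Talos: a defender-side triage script that walks a JBoss deployment directory and flags JSP files containing OS command-execution code, the hallmark of a web shell. The indicator patterns, the directory layout and the sample files are constructed for illustration and are not Talos's published list.

```python
import os
import re
import tempfile

# Constructed indicator patterns: JSP code that reaches for OS command execution.
# A real triage pass would extend these with the indicators Talos published.
SHELL_PATTERNS = [
    re.compile(r"Runtime\.getRuntime\(\)\.exec\("),
    re.compile(r"new\s+ProcessBuilder\("),
]


def scan_deploy_dir(deploy_dir):
    """Return a sorted list of (relative path, pattern) hits for JSP files under deploy_dir."""
    hits = []
    for root, _dirs, files in os.walk(deploy_dir):
        for name in files:
            if not name.lower().endswith(".jsp"):
                continue
            path = os.path.join(root, name)
            try:
                with open(path, "r", encoding="utf-8", errors="replace") as fh:
                    text = fh.read()
            except OSError:
                continue  # unreadable file: skip rather than abort the sweep
            for pat in SHELL_PATTERNS:
                if pat.search(text):
                    rel = os.path.relpath(path, deploy_dir).replace(os.sep, "/")
                    hits.append((rel, pat.pattern))
                    break  # one finding per file is enough for triage
    return sorted(hits)


def demo():
    """Build a constructed deploy tree with one benign JSP and one shell-like fragment."""
    with tempfile.TemporaryDirectory() as tmp:
        app = os.path.join(tmp, "app.war")  # assumed exploded-WAR layout
        os.makedirs(app)
        with open(os.path.join(app, "index.jsp"), "w") as fh:
            fh.write('<html><%= "hello" %></html>')  # benign page
        with open(os.path.join(app, "cmd.jsp"), "w") as fh:
            # constructed, non-functional fragment carrying the exec indicator
            fh.write("<% Runtime.getRuntime().exec(cmd); %>")
        return scan_deploy_dir(tmp)


if __name__ == "__main__":
    for path, pattern in demo():
        print("suspicious:", path, "matched", pattern)
```

Any hit is a reason to pull the host offline and rebuild or restore from a pre-compromise backup, as Talos advises, rather than to delete the file and continue.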

Ransomware has typically been spread through drive-by downloads or spam emails with malicious attachments, asking victims to pay a ransom in bitcoin. One of the latest victims of Samsam was MedStar Health, a not-for-profit organization that runs 10 hospitals in the Washington, D.C., area.
