Cisco has warned that the SamSam ransomware that has been plaguing US hospitals is now menacing schools, governments, and other organizations that have not kept their JBoss deployments up to date.
According to the networking giant's Talos security team, SamSam exploits a hole in server middleware JBoss to drill its way into computers. The crew estimates there are 3.2 million servers running insecure builds of JBoss on the internet, meaning there are plenty of systems at risk of infection.
And criminals are exploiting the vulnerabilities: the Talos team found 2,100 backdoors on JBoss machines behind 1,600 IP addresses – backdoors that allow miscreants to take control of systems and inject malware.
Patches for the JBoss vulnerability exploited by SamSam were released years ago. However, some IT admins are terrible at applying security fixes, and there are plenty of applications that require older versions of Red Hat's middleware that haven't had the hole plugged, leaving systems at risk.
One such app is Follett Learning's Destiny library management software, which is used in US schools – in other words, a lot of schools are sitting ducks to SamSam due to the presence of out-of-date JBoss deployments. Several of the aforementioned backdoored machines were running JBoss and Follett's Destiny code.
Cisco said Follett Learning's technical team has instituted an "impressive" patching round that should get schools' JBoss installations updated and eventually sort out the problem.
"Based on our internal systems security monitoring and protocol, Follett identified the issue and immediately took actions to address and close the vulnerability on behalf of our customers," Follett said in a statement.
"Follett takes data security very seriously and as a result, we are continuously monitoring our systems and software for threats, and enhancing our technology environment with the goal of minimizing risks for the institutions we serve."
Schools are a logical target for attack by online extortionists. Not only do they store lots of juicy information, but decades of underfunding have left them with poor IT systems that are riddled with holes.
Multiple backdoors have been found, including "mela," "shellinvoker," "jbossinvoker," "zecmd," "cmd," "genesis," "sh3ll" and possibly "Inovkermngrt" and "jbot."
Cisco recommends disconnecting any possible infected servers from networks upon discovery. Then files should then be carefully transferred over to a new system with updated and patched applications.
"Patching is a key component to software maintenance. It is neglected by both users and makers of the software far too often," the Talos team said.
"Failures anywhere along the chain will ensure that this type of attack remains successful. With the addition of ransomware, the potential impacts could be devastating for small and large businesses alike." ®