Tuesday, 10 May 2016

On 03:51 by admin   No comments
Currently as many as 3.2 million computers running unpatched versions of the JBoss middleware software, which means that the computer can easily be used to spread SamSam extortion and other software, it also highlights the risk of unpatched systems long-standing problem. After scanning contains JBoss vulnerability infected machines, Cisco Talos found more than 2100 backdoor is installed on the system associated with nearly 1600 IP address.
Talos reported unpatched JBoss being one or more webshell use, webshell is uploaded to the Web server and the server for remote administration scripts. The report shows that companies need to produce software to repair very vigilant.
"In the process, we learned that the affected JBoss servers usually have more than one webshell," Talos threat researcher Alexander Chiu wrote, "We see a lot of different backdoor programs, including 'mela', 'shellinvoker' , 'jbossinvoker', 'zecmd', 'cmd', 'genesis', 'sh3ll' and 'Inovkermngrt' and 'jbot'. this means that many of these systems have been attacked several times by different attackers. "
Of the affected companies, including schools, government and aviation companies, and some affected systems running Follett Destiny (which is to track school library asset management systems, it is used worldwide in K-12 schools). Follett has identified the problem and released JBoss vulnerability fixes, and further cooperation with Talos to analyze webshell used by attackers.
"Webshell is a major security problem, because it shows that the attacker already attacked the server and remotely control it," Chiu wrote, "and the affected Web server could be exploited by attackers to move laterally in the internal network . "
Talos recommends that companies fix the affected devices as soon as possible, you should first remove access to external networks to prevent an attacker access to the system, and then re-mirror the system or restore from a backup, and then upgrade the software version, then re-applied to the production processes.
According Talos said that the most important thing is to ensure that software patches up to date. "Attacker in the choice of target and does not rule out the old system, because it can help them make money," Cylance company security researcher Derek Soeder said, "especially for indiscriminate attackers, even if only vulnerable systems small portion exposed to the Internet, but also worthy of their attack. "
According threat management company PhishMe researchers Sean Wilson expressed, Web frameworks are particularly vulnerable to attack.
"We have seen attackers use webshell a long period of time, usually targeting Web frameworks like WordPress and Joomla, as these have been widely deployed and used individual users," Wilson said, "they have a mature ecosystem of plug-ins, you can include the basic framework for deployment, perhaps less vulnerable, but a plurality of outdated plug-ins may contain exploitable vulnerabilities. "

JexBoss webshell tools and old JBoss vulnerability

The affected server is found webshell JexBoss, which is an open source tool for testing and use JBoss application server vulnerabilities. JexBoss can be found on GitHub, and having a legitimate penetration testing and auditing purposes. Talos reported, JexBoss be used to spread SamSam ransomware variants.Traditional ransomware attack to spread through the use of phishing toolkits or vulnerability, while SamSam is to gain a foothold on the server, and then spread laterally in the victim network.
JBoss by Red Hat Software released middleware, JBoss vulnerabilities are found and fixed in 2010, was named CVE-2010-0738. Talos reports that this vulnerability is still being used to spread SamSam ransomware.
Experts agree that a large number of vulnerable systems that companies need to periodically repair installed software.
"These patches are released many years ago, but IT professionals and individuals often do not have timely installation of security patches," Data protection company Carbonite Chief Evangelist Norman Guadagno said, "In this case, the attackers found the opportunity to attack education IT system but, as we have seen, this is not by industry. this once again reminds us why iT administrators need to re-examine their security status and policy. "

Processing patch problem

Endpoint Security startups Barkly Protect CEO Jack Danahy said: "The patch management and system updates is not easy to maintain the presence of the complex dependencies between systems and applications, which makes replacement decision becomes difficult.." JBoss flaw could allow an attacker to attack the school, but it needs to be updated application is Follett's Destiny library management system. If your system administrator did not realize Destiny rely on JBoss, JBoss vulnerability exists may not make them aware of the urgency to update its library management system.
Here, the repair may be the key, but with limited resources, it is not always easy. "Lack of resources of the enterprise in the planning of the project costs should consider some future repair costs," Yishai Beeri CASB network security research director, said, "Regular repair can alleviate a lot of long-standing exploit, at least, should give priority to repairing the public system . "
"Over time, the number of vulnerable systems will be more and more," Soeder said, "sometimes inadvertently, companies usually do not know all the systems they are running, it may be because there are vulnerable the software is embedded in another product to go. "Soeder explained that the software is not repaired in time, there are many other reasons, including system administrators do not realize they are running the software contains vulnerabilities, or they did not get updates from the vendor.
In some cases, administrators do not have enough resources to deploy patches, fixes, or when they try to patch has not entered into force; "It's like sometimes forget to restart after the repair," Soeder said, "the attacker is opportunistic and these are their chances of negligence. "


Post a comment