Europe Confirms Record €4.1B Penalty Against Google for Android Practices|U.S. CISA adds a Microsoft SharePoint Server flaw to its Known Exploited Vulnerabilities catalog|430,000 FortiGate Devices Exposed in FortiBleed Ransomware Link|Adobe fixed multiple maximum-severity flaws in ColdFusion and Campaign Classic|Alleged Scattered Spider Hacker Extradited to U.S. to Face Cybercrime Charges|Oracle E-Business Suite Flaw Under Active Attack, 950 Systems Exposed|Azure CLI Targeted in LSHIY Password Spray Campaign Across 64 Orgs|CISA Warns BlueHammer Flaw Is Now Exploited in Ransomware Attacks|RustDuck: The Botnet That’s Still Small but Engineering Like It Plans to Grow|GuardFall Flaw Hits 10 of 11 Popular Open-Source AI Agents|XSS.is, The Forum That Ran the Ransomware Supply Chain Is Down. The Market Isn’t|U.S. CISA adds SimpleHelp flaw to its Known Exploited Vulnerabilities catalog|Europe Confirms Record €4.1B Penalty Against Google for Android Practices|U.S. CISA adds a Microsoft SharePoint Server flaw to its Known Exploited Vulnerabilities catalog|430,000 FortiGate Devices Exposed in FortiBleed Ransomware Link|Adobe fixed multiple maximum-severity flaws in ColdFusion and Campaign Classic|Alleged Scattered Spider Hacker Extradited to U.S. to Face Cybercrime Charges|Oracle E-Business Suite Flaw Under Active Attack, 950 Systems Exposed|Azure CLI Targeted in LSHIY Password Spray Campaign Across 64 Orgs|CISA Warns BlueHammer Flaw Is Now Exploited in Ransomware Attacks|RustDuck: The Botnet That’s Still Small but Engineering Like It Plans to Grow|GuardFall Flaw Hits 10 of 11 Popular Open-Source AI Agents|XSS.is, The Forum That Ran the Ransomware Supply Chain Is Down. The Market Isn’t|U.S. CISA adds SimpleHelp flaw to its Known Exploited Vulnerabilities catalog|
Advertisement

Ad Placeholder

Full Width × 90

Breaking News

JBOSS Backdoor opens 3 million servers at risk of attacks

Experts at Cisco Systems discovered more than 3 million vulnerable servers exposed on the Internet while scanning for the presence of JBOSS Backdoor According to Cisco Systems, more than 3 million servers exposed on the Internet are potentially open to Samsam ransomware-based attacks because they’re running vulnerable software. Attackers are targeting vulnerabilities in servers to […]

JBOSS Backdoor opens 3 million servers at risk of attacks

Experts at Cisco Systems discovered more than 3 million vulnerable servers exposed on the Internet while scanning for the presence of JBOSS Backdoor

According to Cisco Systems, more than 3 million servers exposed on the Internet are potentially open to Samsam ransomware-based attacks because they’re running vulnerable software.

Attackers are targeting vulnerabilities in servers to spread ransomware, the experts from the Cisco IR Services Team discovered that hackers were using the JBoss as a vector for the infections.

“we began looking deeper into the JBoss vectors that were used as the initial point of compromise. Initially, we started scanning the internet for vulnerable machines. This led us to approximately 3.2 million at-risk machines.” wrote the Cisco researchers in a blog post.

The experts started their investigation by scanning for machines that were already compromised.

The web scanning activity allowed the researchers to discover about 2,100 compromised servers belonging to schools, governments, aviation companies, and other types of organizations. The hackers installed webshells to maintain the control over the infected systems.

Several of the compromised systems were running the Follett “Destiny” software, a management system commonly used by many school libraries to keep track of books.

jboss logo

Cisco reported the issue to the Follett Learning that develops the software and the company solved the vulnerability. The updated Destiny software is able to scan machines for signs of infection and removes any backdoors that was installed by attackers.

Experts at CISCO provided a series of recommendations to remove webshell from compromised servers.

“Our first recommendation, if at all possible, is to remove external access to the server. This will prevent the adversaries from accessing the server remotely. Ideally, you would also re-image the system and install updated versions of the software. This is the best way to ensure that the adversaries won’t be able to access the server.” states the blog post published by CISCO. “If for some reason you are unable to rebuild completely, the next best option would be to restore from a backup prior to the compromise and then upgrade the server to a non-vulnerable version before returning it to production.”

Give a look to the post, it also includes some indicators that are associated with the presence of various webshells.

[adrotate banner=”9″]

Pierluigi Paganini

(Security Affairs – JBoss, hacking)