A large-scale ransomware campaign has recently changed how ransomware is delivered. Instead of relying on a victim opening a malicious attachment, the attackers behind SamSam compromise vulnerable, Internet-facing application servers and use them as a foothold to spread the ransomware across the network, a delivery model that can sharply accelerate the damage done by an already prolific threat.
Researchers at Cisco Talos identified more than three million Internet-facing servers that could be exploited this way. The finding came out of their investigation into the JBoss backdoors used in the campaign.
Cisco said that millions of servers running the vulnerable software are exposed to SamSam ransomware attacks while reachable from the Internet.
Attackers are now targeting these kinds of vulnerabilities specifically to spread ransomware. Cisco's Incident Response Services team found that the attackers were gaining their initial foothold through vulnerable JBoss application servers and using them as the vector for the infection.
Cisco described the work in a recent blog post. After seeing JBoss being exploited in SamSam intrusions, the researchers scanned the Internet for JBoss installations running vulnerable versions and found roughly 3.2 million machines at risk of attack. They then went looking for hosts that had already been compromised, and the picture was considerably worse than they had anticipated.
That second scan turned up about 2,100 backdoors (webshells) already installed on affected machines belonging to government agencies, schools, aviation companies and other organizations.
A number of the compromised systems were running Follett "Destiny", a library management system widely used by school libraries to track the location and status of their books.
Cisco alerted the maker of Destiny, Follett Learning, and the company fixed the vulnerability. The resulting Destiny updates also check the server for signs of attacker-installed files and remove any webshells they find.
Cisco's security team also published recommendations for removing webshells from compromised servers, starting with this advice:
“Our advice is, if at all possible, to remove all external access to your servers. This will forbid the attackers from entering the server remotely. Ideally, you should reimage your systems and install the new updated software. That is the best way to be sure that the cyberattackers will not be able to access your servers.”
The Cisco blog post continued:
“If you are unable to complete a 100 percent rebuild, the next best alternative is to restore your system using a prior backup state that predates the compromise. From there, you should upgrade the server to a version that is not vulnerable before returning it to mainline use.”
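The advice above ends with the server back in service, so the check a practitioner wants at that point is confirmation that the JBoss administrative endpoints really are no longer reachable from outside. The script below is an added example written for this page; it is not code from Cisco Talos, Follett or the article. It assumes the well-known JBoss AS console and invoker paths (/jmx-console/, /web-console/, /admin-console/, /invoker/JMXInvokerServlet), which the article does not name, and it treats any HTTP answer at all, even a 401 or 403, as "still reachable", because the recommendation is to remove external access entirely rather than to rely on console authentication. The host name jboss.example.test and the sample answers are constructed so the logic runs offline.

```python
"""Post-remediation check: are JBoss administrative endpoints still reachable
from outside?  Added example for this page, not Cisco Talos or Follett code."""
import socket
import urllib.error
import urllib.request

# Well-known JBoss AS administrative paths.  This list is an assumption of the
# example; the article does not say which endpoints the attackers abused.
ADMIN_PATHS = (
    "/jmx-console/",
    "/web-console/",
    "/admin-console/",
    "/invoker/JMXInvokerServlet",
)


def classify_probe(status):
    """Map an HTTP status (or None when nothing answered) to a verdict.

    Any HTTP response means the endpoint is externally reachable, which is what
    the advice says to eliminate.  401/403 means reachable but credential-gated;
    200 means wide open; 404 means the console is not deployed at that path.
    """
    if status is None:
        return "unreachable"
    if status == 200:
        return "exposed"
    if status in (401, 403):
        return "reachable-auth-gated"
    if status == 404:
        return "not-deployed"
    return "reachable-other"


def fetch_status(url, timeout=5.0):
    """Return the HTTP status for a GET of url, or None if nothing answered."""
    req = urllib.request.Request(
        url, method="GET", headers={"User-Agent": "jboss-exposure-check"})
    try:
        with urllib.request.urlopen(req, timeout=timeout) as resp:
            return resp.status
    except urllib.error.HTTPError as e:
        return e.code          # the server answered, just with an error status
    except (urllib.error.URLError, socket.timeout, OSError):
        return None            # connection refused, filtered or timed out


def probe_host(base_url, fetch=fetch_status):
    """Probe every admin path under base_url and return {path: verdict}.

    `fetch` is injectable so the classification logic can be exercised offline.
    """
    base = base_url.rstrip("/")
    return {path: classify_probe(fetch(base + path)) for path in ADMIN_PATHS}


def still_reachable(results):
    """Paths that still answer from outside, i.e. external access was not removed."""
    return sorted(p for p, v in results.items()
                  if v not in ("unreachable", "not-deployed"))


# Constructed offline sample standing in for a real probe (assumed host name):
# the JMX console answers 200, the invoker servlet 403, the rest are filtered.
SAMPLE_ANSWERS = {
    "http://jboss.example.test:8080/jmx-console/": 200,
    "http://jboss.example.test:8080/invoker/JMXInvokerServlet": 403,
}


def sample_results():
    """Run the probe against the constructed sample instead of the network."""
    return probe_host("http://jboss.example.test:8080",
                      fetch=lambda url: SAMPLE_ANSWERS.get(url))


if __name__ == "__main__":
    import sys
    # With a base URL argument the script probes a real host from wherever it
    # is run (so run it from outside the perimeter); without one it uses the sample.
    target = sys.argv[1] if len(sys.argv) > 1 else None
    res = sample_results() if target is None else probe_host(target)
    for path, verdict in res.items():
        print(f"{path:32} {verdict}")
    bad = still_reachable(res)
    if bad:
        print("FAIL: still reachable from here:", ", ".join(bad))
    else:
        print("OK: no administrative endpoint answers from here")
```

Run it from a host outside the firewall against the rebuilt server; a clean result is every path reporting "unreachable" (or "not-deployed" for consoles you removed). A "reachable-auth-gated" verdict is still a failure for the purposes of the advice above, since the goal is that the attackers cannot reach the server remotely at all.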
Attacks at this scale do a great deal of damage and force the whole security community to re-examine its assumptions. Worse, a widely publicized attack almost always prompts copycats to reuse the same technique against the many servers that remain unpatched, so the short-term fallout can be severe.
In the long term, however, this is exactly the kind of problem security practitioners are paid to solve, and it keeps us sharp. Over the coming weeks we will be dissecting this campaign to learn everything we can from it, and the lessons will end up as tighter industry practice: keep application servers such as JBoss patched, keep their administrative interfaces off the public Internet, and rebuild from a clean image rather than trust a server that has already hosted an attacker's webshell.