In-brief: Researchers at Cisco Systems said that they had identified more than 3 million “at risk” application servers running a vulnerable component that has been linked to ransomware infections. More than 1,600 of those systems have already been compromised, including many school libraries.
Updated to add comment from Follett Corp. PFR 4/18/2016
Organizations across the economy, including schools and medical facilities, are being warned that a widespread flaw in technology known as JBoss could leave them vulnerable to ransomware attacks.
On Friday, researchers working for Cisco Systems said they had identified 3.2 million at-risk machines exposed to compromise through the JBoss vulnerabilities. Among that population, Cisco said it found 1,600 that had already been compromised and either had malicious software installed on them or had other “back doors” created that would give hackers access to the system. Among the most vulnerable organizations: schools that run a Library Management System software package known as “Destiny” by the firm Follett Corp.
Destiny is a Library Management System designed to track school library assets such as books. It is used in K-12 schools. Cisco said it had contacted Follett and was working with the firm on resolving issues with existing customers. However, it said a review of the 1,600 compromised systems suggests that they may have been accessed by multiple malicious actors. Cisco said the two companies were working together to assist affected customers.
A call seeking comment from Follett was not returned prior to publication. In a phone interview, George Gatsis, Senior Vice President of Technology Platforms at Follett, said the company issued a patch for the Destiny platform in early April and has been encouraging its customers to apply it, while automatically applying it for all of its hosted application customers. Currently, around 60% of the estimated 6,000 to 8,000 school districts that use the Destiny platform have updated their software to address the JBoss vulnerability. Around 10% of those were found to have unknown and possibly malicious files on their systems, and Follett is working with Cisco Systems and those customers to assess whether they have been breached.
Gatsis said he was unaware of any Follett customer who had been the victim of a ransomware attack as a result of the vulnerability in the Destiny platform.
JBoss is a kind of application “middleware” that is sold and maintained by the commercial Linux firm Red Hat. It allows third-party application development firms to build and integrate software applications.
In recent months, vulnerabilities in JBoss have been linked to infections by a form of ransomware known as “SamSam” or “Samas.” While most ransomware infections begin with attacks on users, such as phishing emails or web-based attacks, SamSam spreads through attacks on vulnerable application servers, “using them as a foothold to move laterally through the network to compromise additional machines which are then held for ransom,” Cisco wrote in April.
Attackers have been using web shells and JexBoss, an open source tool developed specifically to test (and exploit) JBoss application servers, with hospitals and other healthcare facilities prominent targets.