Out-of-date apps put 3 million servers at risk of crypto ransomware infections
By Dan Goodin
More than 3 million Internet-accessible servers are at risk of being infected with crypto ransomware because they're running vulnerable software, including out-of-date versions of Red Hat's JBoss enterprise application, researchers from Cisco Systems said Friday.
About 2,100 of those servers have already been compromised by webshells that give attackers persistent control over the machines, making it possible for them to be infected at any time, the Cisco researchers reported in a blog post.
The compromised servers are connected to about 1,600 different IP addresses belonging to schools, governments, aviation companies, and other types of organizations.
Some of the compromised servers belonged to school districts that were running the Destiny management system that many school libraries use to keep track of books and other assets. Cisco representatives notified officials at Destiny developer Follett Learning of the compromise, and the Follett officials said they fixed a security vulnerability in the program. Follett also told Cisco that the updated Destiny software scans computers for signs of infection and removes any identified backdoors.
As Ars reported last week, attackers pushing crypto ransomware recently escalated their assaults by exploiting vulnerabilities in unpatched versions of JBoss. At the time, Cisco researchers identified about 2 million vulnerable servers. Friday's blog post warning of 3 million susceptible servers suggests the risk has yet to be contained. It's also an indication the threat may get worse still, as vulnerabilities in additional server software are identified.
"If you find that a webshell has been installed on a server, there are several steps that need to be taken," Cisco researchers wrote in Friday's post. "Our first recommendation, if at all possible, is to remove external access to the server. This will prevent the adversaries from accessing the server remotely. Ideally, you would also re-image the system and install updated versions of the software." If rebuilding from scratch isn't feasible, the next best option is to restore the system from a backup made before it was compromised and install all available updates before returning the server to production.