Slashdot Mirror


Out-of-Date Apps Put 3 Million Servers At Risk of Crypto Ransomware Infections (arstechnica.com)

An anonymous reader cites an article on Ars Technica: More than 3 million Internet-accessible servers are at risk of being infected with crypto ransomware because they're running vulnerable software, including out-of-date versions of Red Hat's JBoss enterprise application, researchers from Cisco Systems said Friday. About 2,100 of those servers have already been compromised by webshells that give attackers persistent control over the machines, making it possible for them to be infected at any time, the Cisco researchers reported in a blog post. The compromised servers are connected to about 1,600 different IP addresses belonging to schools, governments, aviation companies, and other types of organizations. Some of the compromised servers belonged to school districts that were running the Destiny management system that many school libraries use to keep track of books and other assets. Cisco representatives notified officials at Destiny developer Follett Learning of the compromise, and the Follett officials said they fixed a security vulnerability in the program. Follett also told Cisco the updated Destiny software also scans computers for signs of infection and removes any identified backdoors.

34 comments

  1. Hmmmmm..... by Frosty+Piss · · Score: 3, Interesting

    because they're running vulnerable software, including out-of-date versions of Red Hat's JBoss enterprise application

    ...and...

    that were running the Destiny management system that many school libraries use to keep track of books and other assets

    So is this a JBoss issue? A Destiny Management System issue? What is the vector? The summary is unclear on exactly what the issue is...

    --
    If you want news from today, you have to come back tomorrow.
    1. Re:Hmmmmm..... by Anonymous Coward · · Score: 0

      JBoss is an underlying component of Destiny. The vector here is still JBoss.

    2. Re:Hmmmmm..... by Calydor · · Score: 3, Interesting

      The issue seems to be "Unpatched software vulnerable to exploits".

      --
      -=This sig has nothing to do with my comment. Move along now=-
    3. Re:Hmmmmm..... by khz6955 · · Score: 1

      It's against slashdot policy to mention Windows in a post regarding 'computer' malware :)

    4. Re:Hmmmmm..... by Darinbob · · Score: 2

      The article basically says "update when your Internet masters tell you to, you luddite slacker!"

    5. Re:Hmmmmm..... by turbidostato · · Score: 1

      Quite so. Even the front line is misleading: it reads "Out-of-Date Apps Put 3 Million Servers At Risk" when it really should read "buggy apps put 3 million servers at risk". Well, of course, this would put the blame on shoddy software vendors, so it's better to blame the customers.

    6. Re:Hmmmmm..... by KGIII · · Score: 1

      I'm not sure what would make you think that. I realize you're new here so you probably don't know a whole lot but, rest assured, that is not true. On top of that, this article really doesn't have a whole lot to do with Windows. In fact, it specifically mentions that it's applications running on computers that use the Linux kernel (though I suppose there might be a few Windows servers with JBoss installed but I'm not sure if they'd have Destiny - I don't really keep up with Windows much anymore).

      But no... You're new. Stick around and you might see that your opinion is unsubstantiated. Windows has been called out for security issues many, many times. It has even been called out when it was not to blame but rather the fault was the application(s) that were running on it. The various distros are, by no means, completely secure - nor is the kernel itself. There are security issues on a regular basis. Such is life and only a fool relies on an application for their security needs. Security is a process, not an application.

      Stick around, learn a little. We were all new once.

      --
      "So long and thanks for all the fish."
    7. Re: Hmmmmm..... by Anonymous Coward · · Score: 0

      Whooooooshhhhh.
      I think the new guy got you, Dave ;)

    8. Re:Hmmmmm..... by khz6955 · · Score: 1

      "I'm not sure what would make you think that."

      Someone on a windows computer clicks on a malicious URL and gets owned.

  2. Only ransomware. by Anonymous Coward · · Score: 0

    At least they are protected against all the other kinds of malware.

  3. How would using Rust have prevented this?! by Anonymous Coward · · Score: 0

    How the heck would using Rust instead have prevented these kinds of incidents from happening? How can we be so sure that Rust is really "secure"? After all, that's what we were all told about Java back in the 1990s! Again and again we were told how the JVM had sandboxing and bytecode verification and stuff like that, and how that would make software written in Java ultra-secure. But if Java can suffer from these kinds of problems, then why shouldn't we expect Rust to suffer from such problems, too?

    1. Re:How would using Rust have prevented this?! by tlambert · · Score: 1

      How the heck would using Rust instead have prevented these kinds of incidents from happening?

      Software that can't successfully accept network connections is hard to remotely exploit.

  4. What's my opinion supposed to be? by jader3rd · · Score: 3, Interesting

    There was an earlier Slashdot post about how Apple wants people to buy new devices and software on a regular basis, but the most popular comments were about how old software is the best, and that there's never a reason to update it, so long as the software is doing what you got it for in the first place. Now there's this article in which the solution to the problem is to update the software. Oh, what am I supposed to think?!

    1. Re:What's my opinion supposed to be? by Espectr0 · · Score: 3, Insightful

      Easy. Offline software can be left as it is, but online software must be updated in order to be secure.

    2. Re:What's my opinion supposed to be? by DNS-and-BIND · · Score: 0

      What an idiotic point of view. "Slashdot" doesn't have an opinion, the people who post do. Security updates are different from updates where features are removed and performance suffers. Or are you not sufficiently intellectually prepared to understand differences like that? VOTE SANDERS 2016!

      --
      Shutting down free speech with violence isn't fighting fascism. It IS fascism!
  5. lol mods by Anonymous Coward · · Score: 0

    I think this is the third submission in the past 2 days where Manish takes and replaces the links from a submission with Ars Technica articles. What's the deal? Are you getting paid to promote their crappy articles?

    1. Re:lol mods by Anonymous Coward · · Score: 0

      they've been doing that for a while, they must have some advertising deal with Vox Media or something

  6. Persistent Web Shell by edtice1559 · · Score: 2

    If I were to gain access to a machine like this and install a persistent web shell, I would then patch the underlying vulnerability in order to maintain control. Otherwise, the next guy to come along and exploit the defect can just kick me out. What fun is that?

  7. But, Containers by Anonymous Coward · · Score: 0

    I put my JBoss in containers on VMs on VPS on Cloudy providers.

    I am invincible!

    1. Re:But, Containers by Anonymous Coward · · Score: 0

      Hey, JBoss is "lightweight" and "enterprise-grade"... wait...

  8. Server apps? by guises · · Score: 3, Insightful

    Wait, we're saying "apps" to describe non-mobile software now? Is that what we're doing? Could we avoid that if I asked politely?

    1. Re:Server apps? by tlhIngan · · Score: 1

      Wait, we're saying "apps" to describe non-mobile software now? Is that what we're doing? Could we avoid that if I asked politely?

      I think server usage predated mobile applications. After all, we have application stacks such as LAMP, web applications, etc. All of which do get abbreviated to app. App stacks, web apps, etc.

    2. Re: Server apps? by Anonymous Coward · · Score: 0

      The abbreviation has been in common use for decades, but marketing has distorted the definition a bit.

  9. stories by Anonymous Coward · · Score: 0

    is there really nothing else happening in the world?

  10. JBoss is a vulnerability by Anonymous Coward · · Score: 0

    Very timely, I ran a Qualys scan and it flagged JBoss as a vulnerability. Qualys says it's a level 5 threat, highest level, so I told the web team to fix it.
    Unfortunately all the Qualys scan says is that JBoss is out of support and no longer receives security patches.

    The web project manager asked me "so is it just because it's old, or is it a specific vulnerability?"

    I'll be sending him these articles.

  11. RMI/Deserialization vulnerability by henni16 · · Score: 2

    It looks like an RMI / Apache Commons thing.

    A bunch of popular Java application servers like JBoss, WebLogic, WebSphere or applications like Jenkins use RMI or at least similar (de)serialization of Java objects for a variety of things like e.g. remote management. They also seem to be rather trusting of the clients and serialized objects they receive and deserialize on the server side.

    Now, if I remember correctly, you can only deserialize classes on your CLASSPATH, so you usually can't just send a serialized instance of net.some.exploit.MyEvilAndUnsafeToDeserializeObject.class and expect it to work on servers, because they usually won't have your net.some.exploit.MyEvilAndUnsafeToDeserializeObject.class on their classpath.

    So someone looked for popular Java libraries which do some unsafe serialization/deserialization stuff and are used by lots of server software and found that the Apache Commons Collections library contains some dangerous deserialization code and is used by a lot of software - like JBoss and the others mentioned.

    So if a server does RMI or RMI-like services and uses that library, you can basically get a remote shell on that server by sending some evil RMI to whatever port/servlet/service on that server accepts RMI or some other (proprietary) protocol which uses serialized Java objects somewhere.

    1. Re: RMI/Deserialization vulnerability by Anonymous Coward · · Score: 0

      RMI, CORBA, and related or similar technologies are much too complex for the average web developer. Best stick to REST, JavaScript, and JSON--the land that prior art forgot.
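
  henni16's explanation above (gadget classes that already sit on the server's classpath, commons-collections, any RMI-like endpoint that accepts serialized Java objects) is the part of this thread that turns into a concrete check. What follows is an added example, not code from the Ars Technica article, Cisco, Red Hat or any commenter: a Python triage scanner that recognises a Java serialization stream (raw, or base64-encoded as it would appear in an HTTP body), pulls the class names out of its TC_CLASSDESC records, flags the commons-collections classes the public gadget chains rely on, and reports which classes a JEP 290 style allowlist filter would have refused. The sample streams are constructed and simplified to class descriptors only (no field data); the gadget class names are the real commons-collections classes, and the allowlist patterns are illustrative assumptions.

```python
"""Triage helper for the attack class henni16 describes: Java serialization streams
carrying gadget classes that already sit on the server's classpath (commons-collections).
Added example, not code from the article, Cisco or Red Hat; the sample streams are
constructed and structurally simplified (class descriptors only, no field data)."""
import base64
import re
import struct

STREAM_MAGIC = b"\xac\xed\x00\x05"  # ObjectStreamConstants.STREAM_MAGIC + STREAM_VERSION
STREAM_MAGIC_B64 = b"rO0AB"         # the same prefix once base64-encoded (HTTP bodies)
TC_OBJECT, TC_CLASSDESC, TC_ENDBLOCKDATA, TC_NULL = 0x73, 0x72, 0x78, 0x70

# Binary class names: optional array prefix ('[', '[L'), dotted identifiers, optional ';'.
CLASS_NAME_RE = re.compile(r"^\[*L?[A-Za-z_$][\w$]*(?:\.[A-Za-z_$][\w$]*)*;?$")

# Classes the public commons-collections gadget chains (ysoserial CommonsCollections*) rely on.
GADGET_CLASSES = {
    "org.apache.commons.collections.functors.InvokerTransformer",
    "org.apache.commons.collections.functors.ChainedTransformer",
    "org.apache.commons.collections.functors.ConstantTransformer",
    "org.apache.commons.collections.map.LazyMap",
    "org.apache.commons.collections.keyvalue.TiedMapEntry",
    "org.apache.commons.collections4.functors.InvokerTransformer",
}

def normalize(payload):
    """Return raw stream bytes for a raw or base64-encoded Java stream, else b''."""
    if isinstance(payload, str):
        payload = payload.strip().encode("ascii", "ignore")
    if payload.startswith(STREAM_MAGIC):
        return payload
    if payload.startswith(STREAM_MAGIC_B64):
        try:
            return base64.b64decode(payload, validate=True)
        except ValueError:            # binascii.Error: not really base64
            return b""
    return b""

def extract_class_names(stream):
    """Heuristic walk: TC_CLASSDESC is followed by the class name as a 2-byte
    big-endian length plus modified-UTF-8 bytes. A real parser follows the whole
    stream grammar; this only keeps byte shapes that look like class names."""
    names, i = [], 0
    while i + 3 <= len(stream):
        if stream[i] == TC_CLASSDESC:
            (length,) = struct.unpack(">H", stream[i + 1:i + 3])
            raw = stream[i + 3:i + 3 + length]
            if 0 < length <= 512 and len(raw) == length:
                name = raw.decode("ascii", "replace")
                if CLASS_NAME_RE.match(name):
                    names.append(name)
                    i += 3 + length   # skip the name so an 'r' (0x72) inside it is not re-scanned
                    continue
        i += 1
    return names

def _allowed(name, allowlist):
    """JEP 290 style patterns: 'java.util.*' is a package prefix, anything else exact."""
    return any((p.endswith(".*") and name.startswith(p[:-1])) or name == p for p in allowlist)

def assess(payload, allowlist=()):
    """Classify one blob: Java stream or not, classes named, known gadgets, and the
    classes an allowlist-based deserialization filter would have rejected."""
    stream = normalize(payload)
    if not stream:
        return {"is_java_stream": False, "classes": [], "gadgets": [], "not_allowed": []}
    classes = extract_class_names(stream)
    uniq = set(classes)
    return {
        "is_java_stream": True,
        "classes": classes,
        "gadgets": sorted(uniq & GADGET_CLASSES),
        "not_allowed": sorted(c for c in uniq if allowlist and not _allowed(c, allowlist)),
    }

# ---- constructed samples (not captured traffic) ---------------------------------------
def class_desc(name):
    """One TC_CLASSDESC record: name, serialVersionUID (zeroed here), flags=SC_SERIALIZABLE,
    zero fields, TC_ENDBLOCKDATA, TC_NULL superclass. Enough for the scanner, not a full object."""
    encoded = name.encode("ascii")
    return (bytes([TC_CLASSDESC]) + struct.pack(">H", len(encoded)) + encoded
            + b"\x00" * 8 + b"\x02" + b"\x00\x00" + bytes([TC_ENDBLOCKDATA, TC_NULL]))

def build_stream(*class_names):
    return STREAM_MAGIC + b"".join(bytes([TC_OBJECT]) + class_desc(n) for n in class_names)

BENIGN_SAMPLE = build_stream("java.util.HashMap", "java.lang.Integer")
GADGET_SAMPLE = build_stream(
    "java.util.HashMap",
    "org.apache.commons.collections.keyvalue.TiedMapEntry",
    "org.apache.commons.collections.map.LazyMap",
    "org.apache.commons.collections.functors.ChainedTransformer",
    "org.apache.commons.collections.functors.InvokerTransformer",
)
GADGET_SAMPLE_B64 = base64.b64encode(GADGET_SAMPLE).decode()  # as it would appear in a request body

if __name__ == "__main__":
    for label, blob in (("benign", BENIGN_SAMPLE), ("gadget (base64)", GADGET_SAMPLE_B64)):
        print(label, assess(blob, allowlist=("java.util.*", "java.lang.*")))
```

  This is a log and traffic triage aid, not the fix. The fix is the one the thread keeps circling: patch or upgrade the JBoss and commons-collections versions in question, and on a JDK with JEP 290 (Java 9, later backported to 8) put an ObjectInputFilter allowlist in front of any endpoint that deserializes input from the network. The scanner is also deliberately simple: it assumes a class name shows up as a plain TC_CLASSDESC record, so a payload that wraps or compresses the inner stream, or uses gadget classes from a library not in the list, will not be flagged.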

  12. Yea But by Anonymous Coward · · Score: 0

    Timmy Cook is protecting his and your Gay Child Porn stash from the sticky fingers of the FBI.

    Now that says it all.

  13. Server Software != "Apps" by gweihir · · Score: 1

    Apparently, this idiotic term is trying to assimilate things it has absolutely no business describing.

    --
    Most ACs are not even worth the keystrokes to insult them. Be generically insulted by this and ignored otherwise.
    1. Re: Server Software != "Apps" by Anonymous Coward · · Score: 0

      I convinced our build team to use "apps" as the top-level software installation directory on all distributed platforms. Ostensibly, it clarified and unified opt, usr/local, Program Files, et al for millennial programmers. It was too successful.

  14. good luck finding a job by Anonymous Coward · · Score: 0

    Sounds like that manager will be out of a job soon and will be having a hard time finding a job as no one will hire him. Though, they may hire him as an intern.

    1. Re: good luck finding a job by Anonymous Coward · · Score: 0

      It appears the manager at Follett was Mirza Baig. Searched LinkedIn. Guess he will get a nice red mark on his resume. Poor guy

  15. Are You Not An Apper by Anonymous Coward · · Score: 0

    Today's app technology relies on apping your apps. Proper apping involves server apps, client apps and mobile apps. You've got to appify your app architecture, to leverage apps into the apping future. If you fail to appify your apps while apping then you're not apping correctly and apparently, a luddite.

    Be a good apper, don't be old. Cuz non-apping old people suck! Amirite?

  16. SAMAS/SamSam Ransomware and JBoss by Anonymous Coward · · Score: 0

    Reported attacks have been on out-of-date and unpatched JBoss Community and older EAP versions. More details here:

    http://developers.redhat.com/blog/2016/04/19/security-update-samassamsam-ransomeware-and-jboss/