Out-of-Date Apps Put 3 Million Servers At Risk of Crypto Ransomware Infections (arstechnica.com)
An anonymous reader cites an article on Ars Technica: More than 3 million Internet-accessible servers are at risk of being infected with crypto ransomware because they're running vulnerable software, including out-of-date versions of Red Hat's JBoss enterprise application, researchers from Cisco Systems said Friday. About 2,100 of those servers have already been compromised by webshells that give attackers persistent control over the machines, making it possible for them to be infected at any time, the Cisco researchers reported in a blog post. The compromised servers are connected to about 1,600 different IP addresses belonging to schools, governments, aviation companies, and other types of organizations. Some of the compromised servers belonged to school districts that were running the Destiny management system that many school libraries use to keep track of books and other assets. Cisco representatives notified officials at Destiny developer Follett Learning of the compromise, and the Follett officials said they fixed a security vulnerability in the program. Follett also told Cisco the updated Destiny software also scans computers for signs of infection and removes any identified backdoors.
because they're running vulnerable software, including out-of-date versions of Red Hat's JBoss enterprise application
...and...
...that were running the Destiny management system that many school libraries use to keep track of books and other assets
So is this a JBoss issue? A Destiny Management System issue? What is the vector? The summary is unclear on exactly what the issue is...
If you want news from today, you have to come back tomorrow.
There was an earlier Slashdot post about how Apple wants people to buy new devices and software on a regular basis, but the most popular comments were about how old software is the best, and that there's never a reason to update it, so long as the software is doing what you got it for in the first place. Now there's this article in which the solution to the problem is to update the software. Oh, what am I supposed to think?!
If I were to gain access to a machine like this and install a persistent web shell, I would then patch the underlying vulnerability in order to maintain control. Otherwise, the next guy to come along and exploit the defect can just kick me out. What fun is that?
Wait, we're saying "apps" to describe non-mobile software now? Is that what we're doing? Could we avoid that if I asked politely?
It looks like an RMI / Apache Commons thing.
A bunch of popular Java application servers like JBoss, WebLogic, WebSphere or applications like Jenkins use RMI or at least similar (de)serialization of Java objects for a variety of things like e.g. remote management. They also seem to be rather trusting of the clients and serialized objects they receive and deserialize on the server side.
Now, if I remember correctly, you can only deserialize classes on your CLASSPATH, so you usually can't just send a serialized instance of net.some.exploit.MyEvilAndUnsafeToDeserializeObject.class and expect it to work on servers, because they usually won't have your net.some.exploit.MyEvilAndUnsafeToDeserializeObject.class on their classpath.
So someone looked for popular Java libraries which do some unsafe serialization/deserialization stuff and are used by lots of server software and found that the Apache Commons Collections library contains some dangerous deserialization code and is used by a lot of software - like JBoss and the others mentioned.
So if a server does RMI or RMI-like services and uses that library, you can basically get a remote shell on that server by sending some evil RMI to whatever port/servlet/service on that server accepts RMI or some other (proprietary) protocol which uses serialized Java objects somewhere.
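The server-side defence against the problem this comment describes is to refuse untrusted classes before they are instantiated. The following is an added example, not code from the thread or from JBoss or any other project named above: a look-ahead ObjectInputStream that only admits an explicit allowlist of classes (the allowlist entries and the sample objects are assumptions chosen for the demo).

```java
import java.io.*;
import java.util.*;

// Added example: an allowlisting ObjectInputStream. Any class descriptor not on the
// list is rejected in resolveClass(), i.e. before the object is constructed, so a
// gadget chain carried in the stream never gets to run its readObject() logic.
public class SafeDeserialization {

    // Assumed allowlist: only the types the service legitimately expects to receive.
    // java.lang.Number must be listed because Integer's descriptor chain includes it.
    static final Set<String> ALLOWED = Set.of(
        "java.lang.String", "java.lang.Integer", "java.lang.Number", "java.util.HashMap");

    static class AllowlistObjectInputStream extends ObjectInputStream {
        AllowlistObjectInputStream(InputStream in) throws IOException { super(in); }

        @Override
        protected Class<?> resolveClass(ObjectStreamClass desc)
                throws IOException, ClassNotFoundException {
            if (!ALLOWED.contains(desc.getName())) {
                throw new InvalidClassException("Rejected class in stream: " + desc.getName());
            }
            return super.resolveClass(desc);
        }
    }

    static byte[] serialize(Object o) throws IOException {
        ByteArrayOutputStream bos = new ByteArrayOutputStream();
        try (ObjectOutputStream oos = new ObjectOutputStream(bos)) { oos.writeObject(o); }
        return bos.toByteArray();
    }

    static Object deserialize(byte[] data) throws IOException, ClassNotFoundException {
        try (ObjectInputStream ois = new AllowlistObjectInputStream(new ByteArrayInputStream(data))) {
            return ois.readObject();
        }
    }

    public static void main(String[] args) throws Exception {
        // Constructed sample: a harmless request-style map a management endpoint might accept.
        Map<String, Integer> req = new HashMap<>();
        req.put("timeout", 30);
        System.out.println("accepted: " + deserialize(serialize(req)));

        // Constructed sample: a class outside the allowlist (java.util.Date stands in for
        // anything unexpected) is refused before instantiation.
        try {
            deserialize(serialize(new Date()));
        } catch (InvalidClassException e) {
            System.out.println("rejected: " + e.getMessage());
        }
    }
}
```

On Java 9 and later the same policy can be expressed with the built-in ObjectInputFilter (JEP 290) via ObjectInputStream.setObjectInputFilter or the jdk.serialFilter system property, which also lets you cap stream depth and array sizes.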