A RUSTY OLD collection of apps is putting three million servers at risk of ransomware thanks to vulnerabilities exploited by the Samsam ransomware.
Cisco Systems' Talos security unit reckons that this could cause a lot of people a lot of trouble. There is game-changing stuff in the JBoss vectors and a headline figure of 3.2 million at-risk machines, which should be enough to get anyone off their seat.
"Recently a large-scale ransomware campaign delivering Samsam changed the threat landscape for ransomware delivery. Targeting vulnerabilities in servers to spread ransomware is a new dimension to an already prolific threat," said Cisco in a blog post.
"We began looking deeper into the JBoss vectors that were used as the initial point of compromise. Initially, we started scanning the internet for vulnerable machines. This led us to approximately 3.2 million at-risk machines."
Cisco kept coming up with bad news. The firm scanned already compromised machines and found 2,100 backdoors installed across some 1,600 IP addresses.
"Over the last few days, Talos has been in the process of notifying affected parties including schools, governments and aviation companies," said Cisco, adding that many of the affected systems were installed with software called Destiny by a firm called Follett Software.
Cisco spoke to Follett, which said that it had already developed a patch for the bug. A shortened version of an email sent to us said that the firm had dealt with the issue on its own, as Cisco had already indicated.
"We contacted Follett, who described an impressive patching system that not only patches all systems from version 9.0-13.5, but captured any non-Destiny files that were present on the system to help remove any existing backdoors. Destiny is a library management system designed to track school library assets, and is primarily used in K-12 schools across the globe," said Cisco.
"Follett technical support will then contact customers who are found to have suspicious files on their system. It is imperative, given the wide reach of this threat, that all Destiny users take advantage of this patch."
Follett said in a statement: "Based on our internal systems security monitoring and protocol, Follett identified the issue and immediately took actions to address and close the vulnerability on behalf of our customers.
"Follett takes data security very seriously and, as a result, we are continuously monitoring our systems and software for threats, and enhancing our technology environment with the goal of minimising risks for the institutions we serve."
The two firms will work together to protect customers and warn them about other, equally appalling web shell compromises.
"Our first recommendation, if at all possible, is to remove external access to the server. This will prevent adversaries accessing the server remotely," added Cisco.
"Ideally, you would also re-image the system and install updated versions of the software. This is the best way to ensure that the adversaries won't be able to access the server.
"If for some reason you are unable to rebuild completely, the next best option would be to restore from a backup prior to the compromise and then upgrade the server to a non-vulnerable version before returning it to production. As always, running reputable antivirus software is recommended."
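Cisco's advice above amounts to a rebuild-or-restore decision, and Follett's remediation, as Cisco describes it, worked by capturing "non-Destiny files" on the server to find backdoors. The script below is an added example, not code from Cisco Talos or Follett: it snapshots a JBoss-style deployment directory into a known-good manifest, then flags files that the manifest does not account for or whose contents have changed, and separates out the unknown files that JBoss would actually deploy or execute. The directory layout, file names and manifest are constructed for the example; the vendor names them differently.

```python
"""
Added example (not Cisco Talos' or Follett's code): compare a JBoss-style
deployment directory against a known-good manifest and report files the
manifest does not explain. Paths, manifest entries and sample files are
assumptions constructed for this illustration.
"""
import hashlib
import os
import tempfile
from pathlib import Path

# Suffixes JBoss treats as deployable or serves as server-side code; an
# unexplained file with one of these is the first thing to look at.
DEPLOYABLE_SUFFIXES = {".war", ".ear", ".jar", ".jsp", ".jspx", ".sar"}


def sha256_of(path: Path) -> str:
    """Hash a file in chunks so large archives do not need to fit in memory."""
    digest = hashlib.sha256()
    with path.open("rb") as handle:
        for chunk in iter(lambda: handle.read(65536), b""):
            digest.update(chunk)
    return digest.hexdigest()


def inventory(root: Path) -> dict[str, str]:
    """Map every file under root (relative POSIX path) to its SHA-256."""
    result = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            full = Path(dirpath) / name
            result[full.relative_to(root).as_posix()] = sha256_of(full)
    return result


def find_unexpected(root: Path, manifest: dict[str, str]) -> dict[str, list[str]]:
    """Compare the live tree with a known-good manifest.

    Returns the files absent from the manifest ("unknown"), the files whose
    hash differs from the manifest ("modified"), and the subset of unknown
    files that JBoss would deploy or execute ("suspicious").
    """
    live = inventory(root)
    unknown = sorted(p for p in live if p not in manifest)
    modified = sorted(p for p in live if p in manifest and live[p] != manifest[p])
    suspicious = [p for p in unknown if Path(p).suffix.lower() in DEPLOYABLE_SUFFIXES]
    return {"unknown": unknown, "modified": modified, "suspicious": suspicious}


def build_sample_tree() -> tuple[Path, dict[str, str]]:
    """Constructed sample: snapshot a clean deploy directory, then add changes."""
    root = Path(tempfile.mkdtemp(prefix="jboss-deploy-"))
    (root / "destiny.war").write_bytes(b"PK\x03\x04 vendor application (constructed)")
    (root / "jmx-console.war").write_bytes(b"PK\x03\x04 stock console (constructed)")
    manifest = inventory(root)  # the known-good snapshot of the clean install
    # Changes that appear later and that the manifest cannot explain.
    (root / "unexpected.war").write_bytes(b"PK\x03\x04 unexplained deployable (constructed)")
    (root / "readme.txt").write_bytes(b"harmless note (constructed)")
    (root / "destiny.war").write_bytes(b"PK\x03\x04 vendor application, altered (constructed)")
    return root, manifest


if __name__ == "__main__":
    sample_root, sample_manifest = build_sample_tree()
    for category, paths in find_unexpected(sample_root, sample_manifest).items():
        print(f"{category}: {paths}")
```

In practice the manifest would come from a fresh install of the same software version, taken before the server is exposed, and the report would feed the decision Cisco describes: a clean re-image where possible, otherwise a restore from a pre-compromise backup followed by an upgrade to a non-vulnerable version.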
To hear more about security challenges, the threats they pose and how to combat them, sign up for The INQUIRER sister site Computing's Enterprise Security and Risk Management conference, taking place on 24 November.