Posted by Robert Vamosi on April 15, 2016
Over 3 million Internet-accessible servers, including those used in school libraries, are vulnerable to a new strain of ransomware that encrypts data on servers until a fee, usually in bitcoin, is paid, according to a Talos blog from Cisco.
On Friday, researchers reported several new JBoss vectors identified with the spread of the SamSam malware previously used to target hospitals. From the 3.2 million servers identified running JBoss, they found just over 2,100 backdoors installed across nearly 1,600 IP addresses. These include systems used by schools, governments, aviation companies, and more.
Many of the vulnerable systems were running the Follett “Destiny” software, a Library Management System designed to track school library assets. Destiny is primarily used in K-12 school libraries across the globe. Follett immediately patched their system from version 9.0-13.5, and also managed to capture any non-Follett files on the server.
Follett issued a statement: “Based on our internal systems security monitoring and protocol, Follett identified the issue and immediately took actions to address and close the vulnerability on behalf of our customers.
“Follett takes data security very seriously and as a result, we are continuously monitoring our systems and software for threats, and enhancing our technology environment with the goal of minimizing risks for the institutions we serve.”
Among the non-Follett files recovered were several different backdoors including “mela”, “shellinvoker”, “jbossinvoker”, “zecmd”, “cmd”, “genesis”, “sh3ll” and possibly “Inovkermngrt” and “jbot”, suggesting these systems have been vulnerable to past malware infections.
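A defender-side check built from the file names listed above, added here as an example and not taken from the article, Cisco or Follett: it walks a JBoss deployment tree and flags matching names, including entries packed inside WAR archives. Limiting matches to `.war`, `.jsp` and `.jspx` artifacts is an assumption of this example, as are all function names; a hit means "review manually", not "confirmed backdoor".

```python
import os
import zipfile

# Names reported in the article, lowercased; compared against file stems.
BACKDOOR_NAMES = {"mela", "shellinvoker", "jbossinvoker", "zecmd", "cmd",
                  "genesis", "sh3ll", "inovkermngrt", "jbot"}
# Assumption: only web-deployable artifacts are of interest, which keeps a
# short name such as "cmd" from matching unrelated files like cmd.exe.
WEB_EXTS = {".war", ".jsp", ".jspx"}


def stem_matches(name):
    """True when the stem (case-insensitive) is one of the reported names."""
    stem, ext = os.path.splitext(name.lower())
    return stem in BACKDOOR_NAMES and ext in WEB_EXTS


def scan_war(path):
    """Return matching entries inside a WAR file (a zip archive)."""
    hits = []
    try:
        with zipfile.ZipFile(path) as war:
            for entry in war.namelist():
                if stem_matches(os.path.basename(entry)):
                    hits.append(f"{path}!{entry}")
    except (zipfile.BadZipFile, OSError):
        hits.append(f"{path} (unreadable archive, inspect manually)")
    return hits


def scan_tree(root):
    """Walk root and return the sorted paths that merit manual review."""
    hits = []
    for dirpath, dirnames, filenames in os.walk(root):
        # Exploded deployments are directories named like "jbot.war".
        hits += [os.path.join(dirpath, d) for d in dirnames if stem_matches(d)]
        for f in filenames:
            full = os.path.join(dirpath, f)
            if stem_matches(f):
                hits.append(full)
            if f.lower().endswith(".war"):
                hits.extend(scan_war(full))
    return sorted(hits)


if __name__ == "__main__":
    import sys
    for hit in scan_tree(sys.argv[1] if len(sys.argv) > 1 else "."):
        print(hit)
```

Run it with the server's deployment directory as the only argument; paths of the form `archive.war!entry` point at a file inside an archive.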