{"id":80133,"date":"2016-04-18T20:50:37","date_gmt":"2016-04-19T00:50:37","guid":{"rendered":"http:\/\/rbach.net\/blog\/index.php\/"},"modified":"2021-07-13T16:52:31","modified_gmt":"2021-07-13T20:52:31","slug":"schools-face-ransomware-risk","status":"publish","type":"post","link":"https:\/\/rbach.net\/index.php\/schools-face-ransomware-risk\/","title":{"rendered":"Schools Face RansomWare Risk"},"content":{"rendered":"

\"\"More than 2,000 machines at K12 schools<\/strong>\u00a0are infected with a backdoor in unpatched versions of JBoss<\/a><\/strong> that could be used at any moment to install ransomware<\/a> such as Samsam<\/a><\/strong>. TargetTech<\/a><\/em> defines ransomware as\u00a0malware<\/a>\u00a0designed for\u00a0data kidnapping<\/a>, an exploit<\/a> in which the attacker encrypt<\/a>s the victim’s data and demands payment in Bitcoins<\/a> for the decryption key<\/a>.<\/p>\n

\"JBoss\"Ransomware has typically been spread through drive-by downloads or spam emails with malicious attachments. One of the latest victims of Samsam was MedStar Health<\/a>, a not-for-profit organization that runs 10 hospitals in the Washington, D.C., area.<\/p>\n

PCWorld<\/em><\/a>\u00a0reports<\/a> that the\u00a0Cisco<\/a><\/strong> (CSCO<\/a>) Talos<\/strong> threat-intelligence<\/a> organization, announced<\/a>\u00a0that roughly 3.2 million machines worldwide are at risk<\/strong>. The article says that many of those already infected run Follett’s Destiny library-management software<\/a><\/strong>, used by K12 schools worldwide. According to Cisco, Follett responded quickly to the vulnerability,” Follett identified the issue and immediately took actions to address and close the vulnerability”.<\/p>\n

\"Bitcoin\"<\/a>In a presser<\/a>, Follett offers patches for systems<\/strong> running version 9.0 to 13.5 of its software and says it will help remove any backdoors. The author states that Follett technical support staff will reach out to customers found to have suspicious files on their systems. Follett even offers SNORT<\/a> detection rules<\/strong> on the presser page.<\/p>\n

Snort is a highly regarded open-source<\/strong>, freeware network monitoring tool that detects attack methods, including denial of service<\/a>, buffer overflow<\/a>, CGI<\/a> attacks, stealth<\/a> port<\/a>\u00a0scans, and SMB probe<\/a>s. When suspicious behavior is detected, Snort sends a real-time alert to Syslog<\/i>, a separate ‘alerts’ file, or to a pop-up<\/a>\u00a0window.<\/p>\n

JBoss<\/a><\/strong> the vulnerable underlying system is described<\/a> as an open-source Red Hat<\/a><\/strong> product that serves as an application server<\/a> written in Java<\/a><\/strong> that can host business components developed in Java. Essentially, JBOSS is an open source<\/a> implementation of J2EE<\/a> that relies on the Enterprise JavaBeans<\/a> specification for functionality.<\/p>\n

PCWorld<\/em> reports that compromised JBoss servers typically contain more than one Web shell. Talos advises that it is important to check the contents of a server’s jobs status page<\/strong>. “This implies that many of these systems have been compromised several times by different actors,” the company said.<\/p>\n

\"Backup\"<\/a>Web shells are scripts that indicate an attacker has already compromised a server and can remotely control it. The list of those associated with this exploit is listed in Talos’s blog post<\/a>.<\/p>\n

Companies that find a Web shell installed should begin by removing external access to the server, Talos said in the article. The security firm recommends quick action.<\/p>\n

Ideally, you would also re-image the system and install updated versions of the software … If for some reason you are unable to rebuild completely, the next best option would be to restore from a backup prior to the compromise and then upgrade the server to a non-vulnerable version before returning it to production.<\/em><\/p>\n

rb-<\/em><\/strong><\/p>\n

I have worked with a number of customers on their library\u00a0automation projects. The cost of these systems is as usual in the data. There is a great deal of time and effort that goes into creating the proper MARC records<\/a>, especially for books that are out of print and kiddie books. If these files get locked up by ransomware, the system is useless and expensive to replace.<\/em><\/p>\n

K12 schools are notoriously cheap, but the advice is the same as always,<\/em><\/p>\n

    \n
  1. Keep your software UP TO DATE<\/strong><\/em><\/li>\n
  2. Use a real virus scanner<\/strong> on your servers and administrative stations<\/em><\/li>\n
  3. Back-Up – Back-Up – Back-Up<\/strong> –\u00a0With a good backup, you can just blow the machine away, re-install and restore the data. and be back in business.<\/em><\/li>\n<\/ol>\n
    Related articles<\/h6>\n