- There are more than 2,100 backdoors installed in machines across schools, governments and aviation companies, leaving them "compromised and potentially waiting for a ransomware payload," according to Cisco Talos, a threat intelligence organization.
- Cisco began scanning networks for JBoss vectors that were the initial point where machines were compromised during Samsam crypto ransomware delivery campaigns.
- During Cisco's initial scans, they discovered more than 3.2 million machines at risk to crypto ransomware because they were running vulnerable software.
At any time, malicious users could exploit the 2,100 backdoors to install crypto ransomware. Some of the compromised servers run Follett's Destiny software, a management system that tracks school library assets. Follett already has a patch ready to close the backdoor and is working with Cisco to ensure customers know about the vulnerability and update their systems accordingly.
Normally more than one web shell is potentially compromised on JBoss servers, meaning there are possibly several different backdoors, Cisco said in the blog post. "This implies that that many of these systems have been compromised several times by different actors."
As millions of machines run with known vulnerabilities cybersecurity officials will have to work to secure their servers, whether they're in the education, government or business sectors.
Cisco previously warned of the particularly malicious nature of Samsam, sometimes called Samas, which uses a JBoss application server vulnerability to gain network access. The ransomware can operate without human intervention and can be used to target large networks rather than one computer at a time. Samsam is believe responsivle for the cyberattack on MedStar Health Inc. in March.
"The age of self-propagating ransomware, or cryptoworms, is right around the corner," Cisco's report said.