Three million servers at risk of hijacking with ransomware due to out-of-date apps

More than three million easy targets for ransomware blackmailers

More than three million servers worldwide are at risk of ransomware due to out-of-date or insecure apps, and inadequate updating and patching practices.

That is the warning from Cisco Systems' Talos threat intelligence group, which estimates that as many as 3.2 million servers are exposed to compromise through a combination of lax systems administration and application security flaws.

"Targeting vulnerabilities in servers to spread ransomware is a new dimension to an already prolific threat," the company claimed in a blog posting.

It continued: "Due to information provided from our Cisco IR Services Team, stemming from a recent customer engagement, we began looking deeper into the JBoss vectors that were used as the initial point of compromise. Initially, we started scanning the internet for vulnerable machines.

"This led us to approximately 3.2 million at-risk machines."

Talos began examining JBoss server vulnerabilities after the Samsam ransomware campaign, which was notable for targeting servers directly rather than end-user PCs.

Talos also scanned for machines that had already been compromised, and says it found around 2,100 backdoors installed across some 1,600 IP addresses.

"Over the last few days, Talos has been in the process of notifying affected parties including: schools, governments, aviation companies, and more," it added, noting that many of the affected systems were running software called "Destiny", a library management system produced by Follett Learning. Talos said it spoke directly to the company, which has promised to patch the offending software.

"Destiny is a Library Management System designed to track school library assets and is primarily used in K-12 schools across the globe," said Talos.

"Follett technical support will then reach out to customers who are found to have suspicious files on their system. It is imperative, given the wide reach of this threat, that all Destiny users ensure that they've taken advantage of this patch."

Follett said it had already acted: "Based on our internal systems-security monitoring and protocol, Follett identified the issue and immediately took actions to address and close the vulnerability on behalf of our customers," the company claimed.

"Follett takes data security very seriously and as a result, we are continuously monitoring our systems and software for threats, and enhancing our technology environment with the goal of minimizing risks for the institutions we serve."

Talos added: "Our first recommendation, if at all possible, is to remove external access to the server. This will prevent the adversaries from accessing the server remotely. Ideally, you would also re-image the system and install updated versions of the software. This is the best way to ensure that the adversaries won't be able to access the server.

"If for some reason you are unable to rebuild completely, the next best option would be to restore from a backup prior to the compromise and then upgrade the server to a non-vulnerable version before returning it to production... As always, running a reputable anti-virus software is recommended."
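The backdoor count above and the advice to re-image or restore leave one practical step unstated: deciding which JBoss hosts actually carry a backdoor before choosing between rebuild and restore. The script below is an added example, not code from Talos, Cisco or Follett. It assumes a JBoss-style deployment directory, an allow-list of expected deployments (the name "library.war" is constructed), and constructed sample files; it flags any deployed .war or .jsp not on the allow-list, and any JSP containing a server-side command-execution call, which is a common trait of webshells regardless of the file name the attacker chose. A hit is a reason to pull the host offline and rebuild, as recommended above; a clean run is not proof that the host is clean.

```python
"""Triage a JBoss deployment directory for unexpected web artifacts.

Added example, not from the Talos post, Cisco or Follett. The directory
layout, allow-list and sample files are constructed for the demo.
"""
import os
import re
import tempfile
from dataclasses import dataclass
from typing import Iterator, List, Set

# Indicators common to JSP webshells: server-side command execution.
# Assumption: these two call patterns are what we treat as suspicious.
SHELL_PATTERNS = [
    re.compile(r"Runtime\.getRuntime\(\)\.exec"),
    re.compile(r"new\s+ProcessBuilder\s*\("),
]


@dataclass(frozen=True)
class Finding:
    path: str    # path relative to the deploy directory
    reason: str  # why it was flagged


def walk_deployments(deploy_dir: str) -> Iterator[str]:
    """Yield every file under the deploy directory (exploded WARs included)."""
    for root, _dirs, files in os.walk(deploy_dir):
        for name in files:
            yield os.path.join(root, name)


def looks_like_webshell(path: str) -> bool:
    """True if the file source contains a command-execution call."""
    try:
        with open(path, "r", errors="replace") as fh:
            text = fh.read()
    except OSError:
        return False
    return any(p.search(text) for p in SHELL_PATTERNS)


def triage(deploy_dir: str, expected: Set[str]) -> List[Finding]:
    """Flag deployments not on the allow-list and JSPs that execute commands.

    Both checks run independently: a shell dropped into an expected WAR is
    still caught by the content check, and an unknown WAR is reported even
    if its JSPs look harmless.
    """
    findings: List[Finding] = []
    for path in walk_deployments(deploy_dir):
        rel = os.path.relpath(path, deploy_dir)
        top = rel.split(os.sep)[0]          # archive name or exploded WAR dir
        ext = os.path.splitext(rel)[1].lower()
        if ext in (".war", ".jsp") and top not in expected:
            findings.append(Finding(rel, "deployment not on allow-list"))
        if ext == ".jsp" and looks_like_webshell(path):
            findings.append(Finding(rel, "JSP contains command-execution call"))
    return sorted(findings, key=lambda f: (f.path, f.reason))


# Constructed sample deploy tree: one expected application with a shell
# planted inside it, and one unknown WAR dropped by an attacker.
SAMPLE_FILES = {
    "library.war/index.jsp": '<html><%= "Library catalogue" %></html>',
    "library.war/WEB-INF/web.xml": "<web-app/>",
    "library.war/tmp/x.jsp":
        '<% Runtime.getRuntime().exec(request.getParameter("c")); %>',
    "helper.war/cmd.jsp":
        '<% new ProcessBuilder(request.getParameter("cmd")).start(); %>',
    "helper.war/WEB-INF/web.xml": "<web-app/>",
}


def build_sample_deploy_dir() -> str:
    """Write the constructed sample tree to a temp dir and return its path."""
    base = tempfile.mkdtemp(prefix="jboss-deploy-")
    for rel, content in SAMPLE_FILES.items():
        full = os.path.join(base, rel)
        os.makedirs(os.path.dirname(full), exist_ok=True)
        with open(full, "w") as fh:
            fh.write(content)
    return base


def demo() -> List[Finding]:
    """Run triage over the sample tree with 'library.war' as the only expected app."""
    return triage(build_sample_deploy_dir(), expected={"library.war"})


if __name__ == "__main__":
    for f in demo():
        print(f"{f.path}: {f.reason}")
```

Run against a real host with the instance's deploy directory and the allow-list taken from the build or deployment records, not from the server itself, since an attacker with write access to the deploy directory can also alter anything stored beside it.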