"The attackers are looking to circumvent methods that are supposed to be hardened because they expect vendors not to do a good job hardening their administrative access or functions," says Barry Shteiman, director of security strategy for Imperva. "Because of that, attackers are using that to inject standard or classic forms of attack -- in this case, a webshell -- which generally allows them full control over the server."
In this instance, Shteiman and his team noticed the attack trend after seeing a surge of attacks in online systems that demonstrated features they hadn't commonly seen before. Looking into it further, the team found the attacks all shared a distinct commonality: They were all suffered by JBoss servers.
"When we looked into it, we found that JBoss has a component called HTTPInvoker, and that component was found vulnerable, similarly to some other vulnerabilities we looked into recently that basically allowed an administrative function to be accessed without actually being an administrator logged in," Shteiman says. "In this case, it's a function that is supposed to populate new servlets or new pieces of code in the server. In a default state, JBoss allows that function to be used by anyone that wants it."
[How do you know if you've been breached? See Top 15 Indicators of Compromise.]
Attackers leveraged that hole to inject a webshell on vulnerable servers and achieve "full control over the data center," says Shteiman. He says that his research has shown there are likely around 500 JBoss servers currently compromised at the moment, by anywhere between 15 to 17 flavors of webshells. Among those, the most popular are a webshell called pwn.jsp that was demonstrated in an exploit published last month, along with a more slick crimeware webshell called JspSpy.
As Shteiman explains, JBoss AS is the de facto server platform for enterprises writing applications in Java.
"A lot of trading companies and banks are using it to hold up their main banking applications," says Shteiman. Even more frightening is its popularity among technology vendors that use it as a component for enterprise products and who could potentially be compromised before even shipping, essentially sending out products with built-in backdoors, he says.
The vulnerability in question was actually found in 2011 by Luca Carettoni, at the time a senior security consultant for Matasano Security, who then reported about 7,000 servers online susceptible to the vulnerability. Since then, rather than declining, the number of vulnerable servers has tripled, says Shteiman, who believes that part of the problem was a misclassification in the CVE database.
"It was classified as a vulnerability that affected product elements of HP ProCurve, and therefore I don't think anyone ever understood the research to its full effect," he says.
Nevertheless, security experts say this is something that should have been caught by more organizations, given the age of the vulnerability discovery.
"When the solution to this JBoss exploit is to simply update the affected servers, there is hardly any excuse for anyone to be affected by it, especially when the vulnerability has been discovered more than two years ago," says Michael Yuen, security engineer at application security firm Cenzic.
Have a comment on this story? Please click "Add Your Comment" below. If you'd like to contact Dark Reading's editors directly, send us a message.