Three million. That’s the number of servers that are at risk right now around the world.
The reasons why they are at risk are so obvious that it is almost laughable that they are at risk in the first place. But there is nothing funny about compromised systems and data being held for ransom. This is serious business with millions of dollars at stake.
Insecure apps, unapplied updates and just plain old bad patching practices have left three million servers vulnerable to the workings of today’s cybercriminals. This is just straight up negligence. Apps can be secured. Updates can be, well, updated. And patching protocols can be put into place. All of these are fairly easy tasks. They do not need the intervention of specialists or upper management. They do not need big budgets or protracted deadlines, and the current state of affairs is the unfortunate result of laziness and incompetence.
Yes, 3.2 million servers is a lot of servers. It will take time, it will take resources, but according to Cisco Systems’ Talos security service, by continuing such lackadaisical practices these server admins are just inviting trouble. The Talos team has seen evidence that ransomware attackers have already begun exploiting this issue. They note that cybercriminals are using these vulnerabilities to spread ransomware like a plague. The tough part is that, unlike a virus, where an infected system will show symptoms right away, ransomware can hide and lurk in systems for weeks, months and even years before it is activated.
In an initial scan of 1,600 IP addresses, Talos’ security team discovered 2,100 installed backdoors.
These IPs span the gamut of users, from everyday individuals to schools, banks, large corporations, small businesses and even government entities. However, it seems that Talos’ diligent work has somewhat paid off. Cisco Systems’ crack security team has identified a library management system called Destiny, which is produced by Follett Learning. An in-depth analysis of a number of compromised systems shows that the overwhelming majority of them have Destiny in common. Destiny is a legitimate library management tool used by many K-12 schools worldwide, and its publisher, Follett Learning, is a legitimate company. Neither the software nor the company is trying to be malicious. However, it seems that Follett neglected to devise and implement a patch for the current Destiny system, and attackers have been using this security gap to gain access to the servers that Destiny has been installed on.
Follett has since jumped all over the issue and has created and released a patch. That is all well and good, but the damage was already done to the systems and servers that were infected by the ransomware Trojans. And this brings us to the roundabout nature of dealing with this entire issue. Actions are often taken only after a breach or attack has been registered. Software publishers, server admins and service providers can talk all they want about proactive security and persistent monitoring, but until they start to consistently get the basics right, like updates and patches, it’s all just talk.