Tuesday, May 17, 2016

Making Friends By Proactive Notification

This blog post is authored by Tazz.

Talos has continued to observe ongoing attacks leveraging the use of JBoss exploits. Through our research efforts, we have identified an additional 600 or so compromised hosts which contain webshells due to adversaries compromising unpatched JBoss environments. In response to this, Talos has been working to notify victims of these compromised hosts so that appropriate remediation may take place.This blog post outlines the notification process and provides additional indicators which you can use to review your own JBoss environments, such as a list of the 500 most common webshells we have observed in the wild.

Why Did I Get Notified?

After identifying the IP address of the hosts with one or more webshells, we extracted the contact email addresses provided in the WHOIS record of the organizations identified as the owner. The notification email contains a link which you can use to view this information. We are sending notifications via email to all listed email addresses as we have found many organizations where the designated abuse contact email listed is no longer valid. By emailing all available contacts we maximize the chances of successful notification.

If your organization hasn't reviewed its contact information on file with your Internet Registrar lately, now would be a great time to do that. If you're not sure who your registrar is, you can find them here https://www.iana.org/numbers.

  • AFRINIC - Africa Region
  • APNIC - Asia/Pacific Region
  • ARIN - Canada, USA, and some Caribbean Islands
  • LACNIC - Latin America and some Caribbean Islands
  • RIPE NCC - Europe, the Middle East, and Central Asia

Is This Everything?

We found individual hosts with more than 100 different webshells.Our notification process is providing only the top 10 webshells for the sake of expediency. We are also providing a list of the top 500+ webshells we observed within the IOC section below. Since most organizations track vulnerabilities or incidents per host, we are sending one email per IP address. As a result, you may receive multiple emails with the same email subject. Please pay close attention to the body of the email. It is possible that from the time we identified a webshell on a host and the time we were able to notify you, additional webshells may have been installed on the same host or other hosts accessible from the compromised asset. It is highly recommended that a full investigation be conducted to determine the scope of access bad actors may have to your network and other resources.

Why Is Talos Doing This?

We are committed to making the digital world we live in safer for our customers, families, friends and neighbors around the world. We are sending these notifications freely, with no obligation. In your notification there is a list of requested details that can help us continue in this endeavour. If you are able and willing to share anything with us, you will find our PGP key here. This can be used for secure email and encryption of any related files.

We do understand that at times organizations are not able to share information. If this is the case, then if at all possible, we would greatly appreciate it if you can close the loop with us and let us know when a host has been remediated by sending an email to talos-abuse-notifications@cisco.com and include the IP address(es).

For more information on what to do for/with the compromised host, please see the Recommended Remediation section of our previous blog post on JBoss Backdoor:


Here is a list of over 500 webshells we have detected. The format if you want to check for one of the webshells on your host is http://<ip_address>/<webshell>

No comments:

Post a Comment

Note: Only a member of this blog may post a comment.