Cisco Talos researchers say that 3.2 million servers have a JBoss vulnerability that could potentially be exploited by SamSam ransomware. Even more worrying, the researchers found 2,100 backdoors across 1,600 servers that are “already compromised and potentially waiting for a ransomware payload,” Cisco Talos wrote.
Attackers used a JBoss-specific exploit called JexBoss — a JBoss verification and exploitation tool — to compromise vulnerable servers and then install webshells and backdoors for remote access.