Defending Against Java Deserialization Ransomware

July 13, 2016

What is different about the recent rash of ransomware attacks against hospitals (besides the level of callousness it takes to hold the well-being of hospital patients for ransom)? CyberWatch brings us up to date in, “My Layman’’s Terms: The Java Deserialization Vulnerability in Current Ransomware.” Writer Cheryl Biswas begins by assuring us it is practicality, not sheer cruelty, that has hackers aiming at hospitals. Other entities, like law enforcement agencies, which rely on uninterrupted access to their systems to keep people safe are also being attacked. Oh, goody.

The problem begins with a vulnerability at the very heart of any Java-based system, the server. And here we thought open source was more secure than proprietary software. Biswas informs us:

“This [ransomware] goes after servers, so it can bring down entire networks, and doesn’t rely on the social engineering tactics to gain access. It’s so bad US-CERT has issued this recent advisory. I’ve laid out what’s been made available on just how this new strain of ransomware works. And I’ve done it in terms to help anybody take a closer look at the middleware running in their systems currently. Because a little knowledge could be dangerous thing used to our advantage this time.”

The article goes on to cover what this strain of ransomware can do, who could be affected, and how. One key point—anything that accepts serialized Java objects could be a target, and many Java-based middleware products do not validate untrusted objects before deserialization. See the article for more technical details, and for Biswas’ list of sources. She concludes with these recommendations:

“Needs to Happen:

“Enterprises must find all the places they use deserialized or untrusted data. Searching code alone will not be enough. Frameworks and libraries can also be exposed.

“Need to harden it against the threat.

“Removing commons collections from app servers will not be enough. Other libraries can be affected.

“Contrast Sec has a free tool for addressing issue. Runtime Application Self-Protection RASP. Adds code to deserialization engine to prevent exploitation.”

Organizations the world over must not put off addressing these vulnerabilities, especially ones in charge of health and safety.

Cynthia Murrell, July 13, 2016

Sponsored by ArnoldIT.com, publisher of the CyberOSINT monograph

Written by Stephen E. Arnold · Filed Under Analytics, Business strategy, Data, Enterprise, News, Technology

Comments

Comments are closed.

Search the site
Subscribe to Beyond Search
Feature archive
News archive

Stephen E. Arnold monitors search, content processing, text mining and related topics from his high-tech nerve center in rural Kentucky. He tries to winnow the goose feathers from the giblets. He works with colleagues worldwide to make this Web log useful to those who want to go "beyond search". Contact him at sa [at] arnoldit.com. His Web site with additional information about search is arnoldit.com.