Hackers infect Linux servers with JungleSec Ransomware via IPMI Remote console

Since November, a new ransomware called JungleSec has been infecting servers through unsecured IPMI (Intelligent Platform Management Interface) cards.

Security experts at BleepingComputer wrote about a new ransomware called JungleSec that is infecting victims through unsecured IPMI (Intelligent Platform Management Interface) cards.

The ransomware was first observed early November.

The IPMI is a set of computer interface specifications for an autonomous computer subsystem that provides management and monitoring capabilities independently of the host system’s CPU, firmware (BIOS or UEFI) and operating system. It is built into server motherboards or installed as an add-on card and allow remote administration of the computer.

Misconfigured IPMI interface could allow attackers to remotely access a system and control it using default credentials.

“In conversations between BleepingComputer and two victims it was discovered that attackers installed the JungleSec ransomware through the server’s IPMI interface.” reads the post published by BleepingComputer.

“In one case, the IPMI interface was using the default manufacturer passwords. The other victim stated that the Admin user was disabled, but the attacker was still able to gain access through possible vulnerabilities.”

Experts pointed out that once the user gained access to the server, the attackers would reboot the computer into single user mode to gain root access, then they downloaded and compiled the ccrypt encryption program.

Once encrypted the files, attackers drop the ransom note (ENCRYPTED.md) for the JungleSec Ransomware that contains instructions to pay the ransom and decrypt the files.

Attackers use the junglesec@anonymousspeech[.]com to communicated with the victims and ask a ransom of 0.3 bitcoins.

BleepingComputer reported that many victims have paid the ransom without receiving a response from the attacker.

Experts recommend securing the IPMI interface by changing the default password and configuring ACLs that allow only certain IP addresses to access the IPMI interface.

Another suggestion is to add a password to the GRUB bootloader making impossible for the attackers to reboot the system into single user mode.

Further details, including IoCs, are reported in the analysis published by BleepingComputer.

[adrotate banner=”9″] [adrotate banner=”12″]

Pierluigi Paganini

(SecurityAffairs – JungleSec, ransomware)

[adrotate banner=”5″] [adrotate banner=”13″]

Pierluigi Paganini: Pierluigi Paganini is member of the ENISA (European Union Agency for Network and Information Security) Threat Landscape Stakeholder Group and Cyber G7 Group, he is also a Security Evangelist, Security Analyst and Freelance Writer. Editor-in-Chief at "Cyber Defense Magazine", Pierluigi is a cyber security expert with over 20 years experience in the field, he is Certified Ethical Hacker at EC Council in London. The passion for writing and a strong belief that security is founded on sharing and awareness led Pierluigi to find the security blog "Security Affairs" recently named a Top National Security Resource for US. Pierluigi is a member of the "The Hacker News" team and he is a writer for some major publications in the field such as Cyber War Zone, ICTTF, Infosec Island, Infosec Institute, The Hacker News Magazine and for many other Security magazines. Author of the Books "The Deep Dark Web" and “Digital Virtual Currency and Bitcoin”.

This website uses cookies.