Hackers infect Linux servers with JungleSec Ransomware via IPMI Remote console

Since November, a new ransomware called JungleSec has been infecting servers through unsecured IPMI (Intelligent Platform Management Interface) cards.

Security experts at BleepingComputer wrote about a new ransomware called JungleSec that is infecting victims through unsecured IPMI (Intelligent Platform Management Interface) cards.

The ransomware was first observed early November.

The IPMI is a set of computer interface specifications for an autonomous computer subsystem that provides management and monitoring capabilities independently of the host system’s CPU, firmware (BIOS or UEFI) and operating system. It is built into server motherboards or installed as an add-on card and allow remote administration of the computer.

Misconfigured IPMI interface could allow attackers to remotely access a system and control it using default credentials.

“In conversations between BleepingComputer and two victims it was discovered that attackers installed the JungleSec ransomware through the server’s IPMI interface.” reads the post published by BleepingComputer.

“In one case, the IPMI interface was using the default manufacturer passwords. The other victim stated that the Admin user was disabled, but the attacker was still able to gain access through possible vulnerabilities.”

Experts pointed out that once the user gained access to the server, the attackers would reboot the computer into single user mode to gain root access, then they downloaded and compiled the ccrypt encryption program.

Once encrypted the files, attackers drop the ransom note (ENCRYPTED.md) for the JungleSec Ransomware that contains instructions to pay the ransom and decrypt the files.

Attackers use the junglesec@anonymousspeech[.]com to communicated with the victims and ask a ransom of 0.3 bitcoins.

BleepingComputer reported that many victims have paid the ransom without receiving a response from the attacker.

Experts recommend securing the IPMI interface by changing the default password and configuring ACLs that allow only certain IP addresses to access the IPMI interface.

Another suggestion is to add a password to the GRUB bootloader making impossible for the attackers to reboot the system into single user mode.

Further details, including IoCs, are reported in the analysis published by BleepingComputer.

[adrotate banner=”9″]

[adrotate banner=”12″]

Pierluigi Paganini

(SecurityAffairs – JungleSec, ransomware)

[adrotate banner=”5″] [adrotate banner=”13″]