
Linux servers infected with new ransomware variant

A new type of ransomware has been infecting servers over unsecured IPMI cards

Cybersecurity and ethical hacking specialists from the International Institute of Cyber Security have reported the emergence of a new ransomware variant. The malicious program, called JungleSec, has been spread to victim systems via Intelligent Platform Management Interface (IPMI) cards. According to reports, this ransomware was recently discovered, in mid-November.

IPMI is a set of computer interface specifications for a standalone computer subsystem that provides management and monitoring functions independently of the CPU, firmware (BIOS or UEFI), and host operating system. It is integrated into the server's motherboard or installed as an add-on card, and it allows the machine to be managed remotely.

According to cybersecurity experts' reports, a misconfigured IPMI interface can allow an attacker to remotely access and control a system using the factory default credentials. Evidence gathered by the experts showed that the attackers installed JungleSec through the compromised server's IPMI interface.

"In one of the infection cases we analyzed, sysadmins did not change the default passwords for the IPMI interface. Another victim claimed that the admin user function was disabled, but somehow the attackers got access by exploiting a vulnerability."

Experts noted that once the attackers gained access to the server, they rebooted it into single-user mode to obtain root access, then downloaded and compiled the ccrypt encryption program.

After encrypting the files, the attackers leave a ransom note containing instructions for making the payment and restoring the files.

The attackers use the email address junglesec@anonymousspeech[.]com to communicate with victims and demand 0.3 Bitcoin. According to expert reports, some victims have made the payment but never received a response from the attackers.

Experts recommend protecting the IPMI interface by changing the default password and configuring ACLs so that only specific IP addresses can reach it.
