JungleSec ransomware found infecting systems through unsecured IPMI

  • The ransomware was first reported in early November 2018.
  • Once the files are encrypted, the ransomware displays a message in the form of an ENCRYPTED.md file, asking for a ransom.

A new ransomware called JungleSec has been discovered exploiting unsecured Intelligent Platform Management Interface (IPMI) cards to infect Windows, Mac and Linux systems. The ransomware was first reported in early November 2018. However, there is no indication as to how many systems have been affected by the malware.

Ransomware infection

BleepingComputer reported that the attackers leveraged several loopholes in targeted servers’ IPMI interfaces to install JungleSec. In one instance, the default password of a targeted IPMI interface was used to launch the malware, while in another case, vulnerabilities in the IPMI interface were used to gain access to servers even though the Admin user had been disabled.

Once the attackers gain access to a server, they can reboot it into single user mode to gain root access. This enables them to download and compile the ccrypt encryption program, which they later use to encrypt the victim’s files. Once the files are encrypted, the ransomware displays a message in the form of an ENCRYPTED.md file, asking for a ransom.

The ransom note contains payment instructions. The victim is instructed to contact the attackers at junglesec@anonymousspeech[.]com and send 0.3 bitcoins to the enclosed bitcoin address to regain access to their files.

A victim who goes by the name of pupper on Twitter told BleepingComputer that the same attackers had left behind a backdoor listening on TCP port 64321 and had created a firewall rule to allow access to this port.

Commenting on their work process, pupper further said, “They mounted all the qemu/kvm disks so they could also encrypt all the files inside VMs. However the hacker never managed to infect more than 1 useless home directory and 1 KVM machine though,” BleepingComputer reported.
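The traces named above (a listener on TCP port 64321, a firewall rule opening that port, ENCRYPTED.md notes and a ccrypt binary) can be checked on a Linux host with a short script. This is an added example, not code from BleepingComputer or the victim; the function names, the `--live` switch and the sample inputs are assumptions made for illustration.

```shell
#!/bin/sh
# Added example: check a Linux host for the JungleSec traces this article names.
PORT=64321          # backdoor listener port reported by the victim
NOTE=ENCRYPTED.md   # ransom note file name

# Constructed sample inputs (not captured from a real host).
SAMPLE_SS='LISTEN 0 128 0.0.0.0:22 0.0.0.0:*
LISTEN 0 5 0.0.0.0:64321 0.0.0.0:*
LISTEN 0 128 [::]:6432 [::]:*'
SAMPLE_FW='-P INPUT DROP
-A INPUT -p tcp -m tcp --dport 22 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 64321 -j ACCEPT'

# stdin: `ss -ltn` lines. Prints local address:port entries listening on $PORT.
listeners_on_port() {
    awk -v p="$PORT" '{ n = split($4, a, ":"); if (a[n] == p) print $4 }'
}

# stdin: `iptables -S` lines. Prints ACCEPT rules whose destination port list has $PORT.
firewall_rules_for_port() {
    awk -v p="$PORT" '/-j ACCEPT/ {
        for (i = 1; i < NF; i++)
            if ($i == "--dport" || $i == "--dports") {
                n = split($(i + 1), d, ",")
                for (k = 1; k <= n; k++) if (d[k] == p) { print; next }
            }
    }'
}

# Counts ransom notes under directory $1 without crossing filesystem boundaries.
count_notes() {
    find "$1" -xdev -type f -name "$NOTE" 2>/dev/null | wc -l | tr -d ' '
}

# Live check (run as root): sh check.sh --live [directory]
if [ "${1:-}" = "--live" ]; then
    echo "Listeners on TCP $PORT:";   ss -ltn | listeners_on_port
    echo "Firewall rules for $PORT:"; iptables -S 2>/dev/null | firewall_rules_for_port
    echo "Ransom notes under ${2:-/}: $(count_notes "${2:-/}")"
    # ccrypt is a legitimate tool; it only matters if nobody on the team installed it.
    command -v ccrypt || echo "ccrypt not found in PATH"
fi
```

Because the attackers mounted VM disks from the hypervisor, run the note count inside guests as well as on the host.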

Mitigation

Users are urged to properly secure IPMI interfaces to prevent attackers from compromising a server. It is also necessary to change IPMI default passwords set by the manufacturers.

Administrators should also configure an ACL (Access Control List) to allow only certain IP addresses to access the IPMI interface. In addition, IPMI interfaces should be configured to listen on an internal IP address that is only accessible by local admins or through a VPN connection.

Cyware Publisher