Rewterz Threat Alert – JungleSec Ransomware Infects Victims Through IPMI Remote Consoles

SEVERITY: MEDIUM

CATEGORY: EMERGING THREAT

ANALYSIS SUMMARY: 

Insecure IPMI (Intelligent Platform Management Interface) cards are being used to deploy a ransomware called JungleSec. Having accessed the servers, attackers can reboot the computer into single user mode to gain root access, so that they can download and compile the ccrypt encryption program.

Researchers at bleeping computer explained that attackers leveraged several loopholes in targeted servers’ IPMI interface to install JungleSec. In one case, the victim had not changed the default password of IPMI interface, whereas the other case involved exploitation of vulnerabilities in the IPMI interface despite disabling the Admin user.

The ccrypt encryption program is downloaded to encrypt a victim’s files. Once it has encrypted files, it leaves a ransom note as ENCRYPTED.md and demands 0.3 bitcoins as ransom, with below content.

What happen to my data ?
———————–
Your data are encrypted. If you try to bruteforce, change the path, the name or do anything that can alterate a single byte of a file(s) will result to a fail of the recovery process, meaning your file(s) will be loss for good.

How can I retrieve them ?
————————- –
To known the process, you must first send 0.3 bitcoin to the following address : [bitcoin_address]
– Once the payment made, send your email address to junglesec@anonymousspeech.com, do not forget to mention the IP of server/computer

Will you send the process recovery once payment is made ?
——————————————————– –
We have no interest to not send you the recovery process if payment was made. – Once the payment is made, you should receive the recovery process to decrypt your data in less 24 hours

By Jungle_Sec

The attackers also left behind a backdoor to listen on TCP port 64321. Furthermore, they searched for and mounted virtual machine disks, but could not encrypt them and only succeeded at encrypting a useless home directory and a kvm machine.

It was also reported that many victims have paid ransom and still haven’t received a response to decrypt their files, which further asserts why ransom payments should not be made.

AFFECTED PRODUCTS

Linux, Mac, Windows

INDICATORS OF COMPROMISE

Filename:

• ENCRYPTED.md
• key.txt

Email Subject:

junglesec@anonymousspeech[.]com

REMEDIATION

• IPMI interfaces should be secured properly to prevent compromise of a server.
• Immediately change IPMI default passwords, set by the manufacturers.
• Administrators must configure ACL (Access Control List) allowing only certain IP addresses to access the IPMI interface.
• IPMI interfaces should be configured to listen in on an internal IP address that is only accessible by local admins or through a VPN connection.
• For added security, add a password to the GRUB bootloader making it very difficult for the attackers to reboot the system into single user mode