
Rewterz Threat Alert – JungleSec Ransomware Infects Victims Through IPMI Remote Consoles

December 28, 2018

SEVERITY: MEDIUM

CATEGORY: EMERGING THREAT

ANALYSIS SUMMARY:

Insecure IPMI (Intelligent Platform Management Interface) cards are being used to deploy a ransomware called JungleSec. Having gained access to a server through its IPMI interface, the attackers reboot it into single-user mode to obtain root access, then download and compile the ccrypt encryption program.

Researchers at BleepingComputer explained that the attackers leveraged several weaknesses in the targeted servers' IPMI interfaces to install JungleSec. In one case, the victim had not changed the default password of the IPMI interface; in another, the attackers exploited vulnerabilities in the IPMI interface even though the Admin user had been disabled.

The ccrypt encryption program is downloaded to encrypt the victim's files. Once the files are encrypted, it leaves a ransom note named ENCRYPTED.md demanding 0.3 bitcoins, with the following content:

 

What happen to my data ?
———————–
Your data are encrypted. If you try to bruteforce, change the path, the name or do anything that can alterate a single byte of a file(s) will result to a fail of the recovery process, meaning your file(s) will be loss for good.

How can I retrieve them ?
————————- –
To known the process, you must first send 0.3 bitcoin to the following address : [bitcoin_address]
– Once the payment made, send your email address to junglesec@anonymousspeech.com, do not forget to mention the IP of server/computer

Will you send the process recovery once payment is made ?
——————————————————– –
We have no interest to not send you the recovery process if payment was made. – Once the payment is made, you should receive the recovery process to decrypt your data in less 24 hours

By Jungle_Sec

The attackers also left behind a backdoor listening on TCP port 64321. They additionally searched for and mounted virtual machine disks, but were unable to encrypt them, succeeding only in encrypting an unimportant home directory and one KVM virtual machine.

It was also reported that many victims paid the ransom and still have not received a response to decrypt their files, which further underscores why ransom payments should not be made.

AFFECTED PRODUCTS

Linux, Mac, Windows

INDICATORS OF COMPROMISE

Filename:

  • ENCRYPTED.md
  • key.txt

Email Address:

junglesec@anonymousspeech[.]com

REMEDIATION

  • IPMI interfaces should be secured properly to prevent compromise of a server.
  • Immediately change the default IPMI passwords set by the manufacturer.
  • Administrators must configure an ACL (Access Control List) that allows only specific IP addresses to access the IPMI interface.
  • IPMI interfaces should be configured to listen on an internal IP address that is reachable only by local administrators or through a VPN connection.
  • For added security, set a password on the GRUB bootloader, which makes it much harder for an attacker to reboot the system into single-user mode.
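The following triage script is an added example (not Rewterz's code) that turns the remediation and the indicators above into checks: it parses `ipmitool lan print 1` output to confirm the BMC sits on an RFC 1918 address, scans `ss -ltn` output for the TCP 64321 listener, and looks for the ransom-note filenames. The two command outputs embedded below are constructed samples; the field names match the real tools' layout.

```python
"""Triage checks for the JungleSec IPMI case (added example, not the advisory's own code)."""
import ipaddress
import re

BACKDOOR_PORT = 64321                         # listener reported in the advisory
RANSOM_ARTIFACTS = {"ENCRYPTED.md", "key.txt"}  # filenames from the IoC list
RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

# Constructed sample of `ipmitool lan print 1`; the BMC here is on a routable address.
LAN_PRINT = """\
Set in Progress         : Set Complete
IP Address Source       : Static Address
IP Address              : 203.0.113.10
Subnet Mask             : 255.255.255.0
Default Gateway IP      : 203.0.113.1
"""

# Constructed sample of `ss -ltn` on a suspect host showing the backdoor port.
SS_LTN = """\
State   Recv-Q  Send-Q  Local Address:Port   Peer Address:Port
LISTEN  0       128     0.0.0.0:22           0.0.0.0:*
LISTEN  0       1       0.0.0.0:64321        0.0.0.0:*
"""

def bmc_address(lan_print: str) -> ipaddress.IPv4Address:
    """Extract the BMC's IP from `ipmitool lan print` text (ignores the 'IP Address Source' line)."""
    m = re.search(r"^IP Address\s*:\s*([\d.]+)\s*$", lan_print, re.M)
    if not m:
        raise ValueError("no 'IP Address' line in ipmitool output")
    return ipaddress.IPv4Address(m.group(1))

def bmc_is_internal(lan_print: str) -> bool:
    """True when the BMC address falls inside an RFC 1918 range, as the remediation requires."""
    addr = bmc_address(lan_print)
    return any(addr in net for net in RFC1918)

def listening_ports(ss_output: str) -> set:
    """Return the local TCP ports in LISTEN state from `ss -ltn` output."""
    ports = set()
    for line in ss_output.splitlines():
        cols = line.split()
        if len(cols) >= 4 and cols[0] == "LISTEN":
            ports.add(int(cols[3].rsplit(":", 1)[1]))  # works for IPv4 and [::]:port forms
    return ports

def backdoor_listening(ss_output: str) -> bool:
    """True if the TCP 64321 backdoor described in the advisory is present."""
    return BACKDOOR_PORT in listening_ports(ss_output)

def ransom_artifacts_present(filenames) -> set:
    """Return which JungleSec ransom-note filenames appear in a directory listing."""
    return RANSOM_ARTIFACTS & set(filenames)
```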