Rewterz penetration testing services help organizations determine if a cyber attacker can gain access to their critical assets while giving them detailed insights of the overall business impact of a cyber attack.
Before Rewterz got its start, the market was in dire need of a specialized and dedicated information security company. It was nearly impossible for businesses to find a trustworthy provider that could truly cover all of their bases. We wanted to meet this need, giving companies across the globe a chance to get ahead while knowing that their data is in good hands.
SEVERITY: MEDIUM
CATEGORY: EMERGING THREAT
ANALYSIS SUMMARY:
Insecure IPMI (Intelligent Platform Management Interface) cards are being used to deploy a ransomware called JungleSec. Having gained access to the servers through IPMI, the attackers reboot the machine into single-user mode to obtain root access, then download and compile the ccrypt encryption program.
Researchers at BleepingComputer explained that the attackers leveraged several weaknesses in the targeted servers' IPMI interfaces to install JungleSec. In one case, the victim had not changed the default password of the IPMI interface; in another, vulnerabilities in the IPMI interface were exploited even though the Admin user had been disabled.
The ccrypt encryption program is downloaded to encrypt the victim's files. Once the files are encrypted, it leaves a ransom note named ENCRYPTED.md demanding 0.3 bitcoins, with the following content:
What happen to my data ?
------------------------
Your data are encrypted. If you try to bruteforce, change the path, the name or do anything that can alterate a single byte of a file(s) will result to a fail of the recovery process, meaning your file(s) will be loss for good.

How can I retrieve them ?
------------------------
To known the process, you must first send 0.3 bitcoin to the following address : [bitcoin_address]
- Once the payment made, send your email address to junglesec@anonymousspeech.com, do not forget to mention the IP of server/computer

Will you send the process recovery once payment is made ?
------------------------
We have no interest to not send you the recovery process if payment was made.
- Once the payment is made, you should receive the recovery process to decrypt your data in less 24 hours

By Jungle_Sec
The attackers also left behind a backdoor listening on TCP port 64321. Furthermore, they searched for and mounted virtual machine disks but could not encrypt them, succeeding only in encrypting an unimportant home directory and a KVM virtual machine.
It was also reported that many victims paid the ransom and still have not received a response that would let them decrypt their files, which further supports the advice that ransom payments should not be made.
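The two host-level artefacts the advisory describes, the backdoor listener on TCP port 64321 and the ENCRYPTED.md ransom note, can be checked for during triage. The following script is an added example written for this page; it is not code from the Rewterz advisory or from the BleepingComputer research. It assumes the `LISTEN`-line layout of `ss -ltnp` output and assumes ccrypt's documented default `.cpt` output extension, which the advisory itself does not mention. The `ss` output and the directory tree it inspects are constructed inline so it runs offline.

```python
"""Host-side triage for the JungleSec indicators in this advisory.

Added example, not part of the original advisory. It flags a listener on
TCP port 64321 (the backdoor) and the ENCRYPTED.md ransom note. The .cpt
suffix is an assumption (ccrypt's default output extension); the sample
`ss` output and the directory tree are constructed for the demo.
"""
import os
import re
import tempfile
from typing import Dict, List

BACKDOOR_PORT = 64321          # from the advisory
RANSOM_NOTE = "ENCRYPTED.md"   # from the advisory
CCRYPT_SUFFIX = ".cpt"         # assumption: ccrypt's default extension

# Constructed sample of `ss -ltnp` output, mimicking a hit host.
SAMPLE_SS_OUTPUT = """\
State   Recv-Q  Send-Q  Local Address:Port  Peer Address:Port  Process
LISTEN  0       128     0.0.0.0:22          0.0.0.0:*          users:(("sshd",pid=812,fd=3))
LISTEN  0       128     [::]:22             [::]:*             users:(("sshd",pid=812,fd=4))
LISTEN  0       5       0.0.0.0:64321       0.0.0.0:*          users:(("nc",pid=2231,fd=3))
"""


def suspicious_listeners(ss_output: str, port: int = BACKDOOR_PORT) -> List[Dict[str, str]]:
    """Return every LISTEN socket bound to `port`, with its owning process."""
    hits = []
    for line in ss_output.splitlines():
        fields = line.split()
        if len(fields) < 5 or fields[0] != "LISTEN":
            continue  # header line or non-listening socket
        addr, _, lport = fields[3].rpartition(":")  # handles "[::]:22" too
        if not lport.isdigit() or int(lport) != port:
            continue
        process = fields[5] if len(fields) > 5 else ""
        hits.append({"local_address": addr, "port": lport, "process": process})
    return hits


def ransom_artifacts(root: str) -> Dict[str, List[str]]:
    """Walk `root` and collect ransom notes and ccrypt-style encrypted files."""
    found: Dict[str, List[str]] = {"ransom_notes": [], "ccrypt_files": []}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            if name == RANSOM_NOTE:
                found["ransom_notes"].append(path)
            elif name.endswith(CCRYPT_SUFFIX):
                found["ccrypt_files"].append(path)
    return found


def build_sample_tree() -> str:
    """Create a constructed directory tree resembling an encrypted home directory."""
    root = tempfile.mkdtemp(prefix="junglesec_demo_")
    home = os.path.join(root, "home", "user")
    os.makedirs(home)
    for name in ("notes.txt" + CCRYPT_SUFFIX, "photo.jpg" + CCRYPT_SUFFIX, RANSOM_NOTE):
        with open(os.path.join(home, name), "w") as fh:
            fh.write("constructed sample\n")
    with open(os.path.join(root, "untouched.log"), "w") as fh:
        fh.write("clean\n")
    return root


def triage(ss_output: str, root: str) -> Dict[str, object]:
    """Combine both checks into one report for the host."""
    report: Dict[str, object] = {"backdoor_listeners": suspicious_listeners(ss_output)}
    report.update(ransom_artifacts(root))
    return report


if __name__ == "__main__":
    demo_root = build_sample_tree()
    for key, items in triage(SAMPLE_SS_OUTPUT, demo_root).items():
        print(f"{key}: {items}")
```

On a real host, feed `suspicious_listeners` the output of `ss -ltnp` (run as root so the process column is populated) and point `ransom_artifacts` at the mount points of interest, including any virtual machine disk images the attackers may have mounted; a listener on 64321 owned by an unexpected process, or any ENCRYPTED.md, warrants isolating the host and reviewing the IPMI interface's exposure and credentials.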
AFFECTED PRODUCTS
Linux, Mac, Windows
INDICATORS OF COMPROMISE
Filename:
Email Subject:
junglesec@anonymousspeech[.]com
REMEDIATION