Platform
Managed Security Services
Managed Penetration Testing
Rewterz penetration testing services help organizations determine if a cyber attacker can gain access to their critical assets while giving them detailed insights of the overall business impact of a cyber attack.
Resources
March 15, 2023Severity High Analysis Summary According to researchers, a Golang-based botnet named GoBruteforcer has been discovered, which is specifically targeting web servers running FTP, MySQL, phpMyAdmin, and […]March 15, 2023Severity High Analysis Summary DarkComet RAT (Remote Administration Tool) is a type of malware that is designed to allow attackers to gain remote access to a […]March 15, 2023Severity High Analysis Summary CVE-2023-23410 CVSS:7.8 Microsoft Windows could allow a local authenticated attacker to gain elevated privileges on the system, caused by a flaw in […]Threat Insights
Before Rewterz got its start, the market was in dire need of a specialized and dedicated information security company. It was nearly impossible for businesses to find a trustworthy provider that could truly cover all of their bases. We wanted to meet this need, giving companies across the globe a chance to get ahead while knowing that their data is in good hands.
Connect with Us
Platform
Managed Security Services
Managed Penetration Testing
Rewterz penetration testing services help organizations determine if a cyber attacker can gain access to their critical assets while giving them detailed insights of the overall business impact of a cyber attack.
Resources
March 15, 2023Severity High Analysis Summary According to researchers, a Golang-based botnet named GoBruteforcer has been discovered, which is specifically targeting web servers running FTP, MySQL, phpMyAdmin, and […]March 15, 2023Severity High Analysis Summary DarkComet RAT (Remote Administration Tool) is a type of malware that is designed to allow attackers to gain remote access to a […]March 15, 2023Severity High Analysis Summary CVE-2023-23410 CVSS:7.8 Microsoft Windows could allow a local authenticated attacker to gain elevated privileges on the system, caused by a flaw in […]Threat Insights
Before Rewterz got its start, the market was in dire need of a specialized and dedicated information security company. It was nearly impossible for businesses to find a trustworthy provider that could truly cover all of their bases. We wanted to meet this need, giving companies across the globe a chance to get ahead while knowing that their data is in good hands.
Connect with Us
Rewterz Threat Alert – Financial sector hit by malicious email campaign that abuses Google Cloud Storage
December 27, 2018Rewterz Threat Advisory – CVE-2018-0732 – F5 Multiple Products OpenSSL Denial of Service Vulnerability
December 28, 2018
SEVERITY: MEDIUM
CATEGORY: EMERGING THREAT
ANALYSIS SUMMARY:
Insecure IPMI (Intelligent Platform Management Interface) cards are being used to deploy a ransomware called JungleSec. Having accessed the servers, attackers can reboot the computer into single user mode to gain root access, so that they can download and compile the ccrypt encryption program.
Researchers at bleeping computer explained that attackers leveraged several loopholes in targeted servers’ IPMI interface to install JungleSec. In one case, the victim had not changed the default password of IPMI interface, whereas the other case involved exploitation of vulnerabilities in the IPMI interface despite disabling the Admin user.
The ccrypt encryption program is downloaded to encrypt a victim’s files. Once it has encrypted files, it leaves a ransom note as ENCRYPTED.md and demands 0.3 bitcoins as ransom, with below content.
What happen to my data ?
———————–
Your data are encrypted. If you try to bruteforce, change the path, the name or do anything that can alterate a single byte of a file(s) will result to a fail of the recovery process, meaning your file(s) will be loss for good.How can I retrieve them ?
————————- –
To known the process, you must first send 0.3 bitcoin to the following address : [bitcoin_address]
– Once the payment made, send your email address to junglesec@anonymousspeech.com, do not forget to mention the IP of server/computerWill you send the process recovery once payment is made ?
——————————————————– –
We have no interest to not send you the recovery process if payment was made. – Once the payment is made, you should receive the recovery process to decrypt your data in less 24 hoursBy Jungle_Sec
The attackers also left behind a backdoor to listen on TCP port 64321. Furthermore, they searched for and mounted virtual machine disks, but could not encrypt them and only succeeded at encrypting a useless home directory and a kvm machine.
It was also reported that many victims have paid ransom and still haven’t received a response to decrypt their files, which further asserts why ransom payments should not be made.
AFFECTED PRODUCTS
Linux, Mac, Windows
INDICATORS OF COMPROMISE
Filename:
- ENCRYPTED.md
- key.txt
Email Subject:
junglesec@anonymousspeech[.]com
REMEDIATION
- IPMI interfaces should be secured properly to prevent compromise of a server.
- Immediately change IPMI default passwords, set by the manufacturers.
- Administrators must configure ACL (Access Control List) allowing only certain IP addresses to access the IPMI interface.
- IPMI interfaces should be configured to listen in on an internal IP address that is only accessible by local admins or through a VPN connection.
- For added security, add a password to the GRUB bootloader making it very difficult for the attackers to reboot the system into single user mode