For better or worse, InfoSec researchers are seemingly always seeking new methods to attack systems. There’s always something new for targets, methods, and data on the target. This industry is not static by any means due to this and also the new publications and journals showing the techniques used. This may even be termed as being dynamic. This attribute can both be a positive, and negative.
There is a new ransomware variant in the wild. This began to be noted in November 2018, and has been named JungleSec. The attack vector with this variant is through the unsecured intelligent platform management interface (IPMI). This began with people using Windows, Linux, and Mac systems. After an investigation, discovered the users were infected via an unsecured IPMI device. The IPMI cards allow administrators to remotely manage a computer, power cycle the system, secure system information, and gain access to a KVM.
As a rule of thumb and best practice, the admin or user should always change the default password. In certain instances where this is not done, unauthorized access to the system may occur. There may also be other avenues into the system through these sources. Once the attackers have access, the attackers would reboot the system into a single user mode. The attacker then is able to gain root access. At this point, the encryption program was downloaded. The attacker then manually executes the encryption on the victim’s files, and the attackers would enter the passcode. The attackers also have tried to mount VM drives and encrypt them, unsuccessfully. With this ransomware piece, the attackers have included a back door on port 6432.
For the User
The ransomware leaves the user with an empty feeling in their stomach. When the user attempts to do work on the system, they receive the infamous message (aka ransom note) instructing the user to contact the attacker an email address, and pay 0.3 bitcoins to their address for the decrypt key.
There are numerous problems with this. After payment, they may or may not actually receive the key. The attackers may also install their own additional back doors, so they can gain access again at a later point in time. Without a tested set of back-ups, however, this may be your only avenue towards getting the systems up and running.
It is always a good idea to properly configure the equipment and system. There are manuals, tutorials, and peers to assist with this. To not do this is equal to inviting an issue.
Abrams, L. (2018, December 26). JungleSec rnasomware infects victims through IPMI remote consoles. Retrieved from https://www.bleepingcomputer.com/news/security/junglesec-ransomware-infects-victims-through-ipmi-remote-consoles/
Paganini, P. (2018, December27). Hackers infect linux servers with junglesec ransomware via IPMI remote console. Retrieved from https://securityaffairs.co/wordpress/79219/malware/junglesec-ransomware-ipmi.html
About the Author - Charles Parker, II has been working in the info sec field for over a decade, performing pen tests, vulnerability assessments, consulting with small- to medium-sized businesses to mitigate and remediate their issues, and preparing IT and info sec policies and procedures. Mr. Parker’s background includes work in the banking, medical, automotive, and staffing industries.
Share on Facebook
Share on Twitter
I'm busy working on my blog posts. Watch this space!