Linux servers infected with new ransomware variant

A new type of ransomware has been infecting servers over unsecured IPMI cards

Cybersecurity and ethical hacking specialists from the International Institute of Cyber Security have reported the emergence of a new ransomware variant. The malicious program, called JungleSec, has been spread to victim systems through Intelligent Platform Management Interface (IPMI) cards. According to reports, this ransomware was first discovered in mid-November.

IPMI is a set of computer interface specifications for a standalone computer subsystem that provides management and monitoring functions independently of the CPU, firmware (BIOS or UEFI), and host operating system. It is integrated into the server's motherboard or installed as an additional card, and it allows the machine to be managed remotely.

According to experts' reports on cybersecurity, a misconfigured IPMI interface could allow an attacker to remotely access a system and control it using the factory access credentials. Evidence gathered by the experts showed that the attackers installed JungleSec through the compromised servers' IPMI interfaces.

“In one of the infection cases we analyzed, sysadmins did not change the default passwords for the IPMI interface. Another victim claimed that the admin user function was disabled, but somehow the attackers got access by exploiting a vulnerability.”

Experts noted that once they had gained access to the server, the attackers rebooted it into single-user mode to obtain root access, then downloaded and compiled the ccrypt encryption program.

After encrypting the files, the attackers leave a ransom note containing instructions for making the payment and restoring the files.

Attackers use the email address junglesec@anonymousspeech[.]com to communicate with victims and demand 0.3 Bitcoin. According to expert reports on cybersecurity, some victims have made the transfer but never received a response from the attackers.

Experts recommend protecting the IPMI interface by changing its default password and configuring ACLs so that only designated IP addresses can reach it.
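As an added, defender-side example (not code from the article or its sources), the following Python script audits output in the format of `ipmitool user list 1` and `ipmitool lan print 1` for the two conditions the advice above targets: vendor-default account names that remain usable over IPMI, and a BMC address sitting outside the permitted management network. The sample outputs, the list of default account names and the management subnet are constructed assumptions; on a real host you would feed it the live ipmitool output instead.

```python
import ipaddress
import re

# Assumed vendor-default account names; extend the set from your vendor's documentation.
DEFAULT_ACCOUNTS = {"admin", "administrator", "root", "user", "operator"}

# Constructed sample in the format of `ipmitool user list 1` (not from a real BMC).
SAMPLE_USER_LIST = """\
ID  Name             Callin  Link Auth  IPMI Msg   Channel Priv Limit
1                    true    false      false      NO ACCESS
2   ADMIN            true    false      true       ADMINISTRATOR
3   backup_ops       false   false      true       OPERATOR
4   root             true    false      true       ADMINISTRATOR
"""

# Constructed sample in the format of `ipmitool lan print 1`, trimmed to the relevant lines.
SAMPLE_LAN_PRINT = """\
IP Address Source       : Static Address
IP Address              : 203.0.113.25
"""

# Row layout: ID, optional name (row 1 has none), three booleans, then the privilege level.
USER_RE = re.compile(
    r"^(\d+)\s+(?:(\S+)\s+)?(true|false)\s+(true|false)\s+(true|false)\s+(.+?)\s*$")


def parse_user_list(text):
    """Return one dict per account row; the header line does not match and is skipped."""
    users = []
    for line in text.splitlines():
        m = USER_RE.match(line)
        if m:
            uid, name, _callin, _link, ipmi_msg, priv = m.groups()
            users.append({"id": int(uid), "name": name or "", "priv": priv, "ipmi_msg": ipmi_msg == "true"})
    return users


def audit(user_text, lan_text, mgmt_nets):
    """Return a list of findings; an empty list means both checks passed."""
    findings = []
    for u in parse_user_list(user_text):
        # Only accounts that can talk IPMI matter; NO ACCESS rows cannot log in.
        if u["ipmi_msg"] and u["name"].lower() in DEFAULT_ACCOUNTS:
            findings.append(f"user {u['id']} '{u['name']}' keeps a vendor-default name with {u['priv']} rights: rename it and set a unique password")
    # '^IP Address\s+:' deliberately does not match the 'IP Address Source' line.
    m = re.search(r"^IP Address\s+:\s*(\S+)", lan_text, re.M)
    ip = m.group(1) if m else None
    if ip and not any(ipaddress.ip_address(ip) in ipaddress.ip_network(n) for n in mgmt_nets):
        findings.append(f"BMC {ip} is outside the management allowlist {mgmt_nets}: move it or restrict source addresses with an ACL")
    return findings
```

Run against the constructed samples with a management allowlist of `["10.10.0.0/24"]`, `audit()` returns three findings: the ADMIN and root accounts, and the BMC address outside the allowlist.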