Bleeping Computer has reported on a ransomware campaign that infected systems via unsecured Intelligent Platform Management Interface (IPMI) cards. The ransomware, dubbed “JungleSec”, has been active since early November 2018 and has affected Windows, Linux, and macOS platforms.
IPMI is an interface that allows an administrator to manage a system remotely. However, if the interface is not configured properly, an adversary can take full control of the system. In some cases the initial infection vector was determined to be the IPMI interface; in others, access was possibly gained via other vulnerabilities. Once the adversary had access to the system, they would reboot it into single-user mode to gain root access, then download and compile the ccrypt encryption program.
After downloading it, the adversary would manually run a command similar to “/usr/local/bin/ccrypt -e -f -S [email protected] -s -r -l /var/lib” to encrypt files on the system. Additionally, the adversary “left behind a backdoor that listens on TCP port 64321 and created a firewall rule to allow access to this port” (“-A INPUT -p tcp -m tcp --dport 64321 -j ACCEPT”).
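The backdoor port and the firewall rule quoted above give a defender two concrete host artifacts to look for. The following is an added example, not code from the article or from Bleeping Computer: a small Python script that parses `iptables-save` and `ss -ltnp` output and flags any INPUT ACCEPT rule for, or any listening socket on, TCP 64321. The two sample outputs embedded in it are constructed for illustration; on a real host you would feed it the live command output instead.

```python
import re
from typing import Dict, List

# TCP port the JungleSec report says the left-behind backdoor listened on.
BACKDOOR_PORT = 64321

# Constructed sample of `iptables-save` output (not a real capture): one
# ordinary SSH rule plus the rule quoted in the report.
SAMPLE_IPTABLES_SAVE = """\
*filter
:INPUT ACCEPT [0:0]
-A INPUT -p tcp -m tcp --dport 22 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 64321 -j ACCEPT
COMMIT
"""

# Constructed sample of `ss -ltnp` output (not a real capture) showing a
# listener bound to the same port.
SAMPLE_SS_LTNP = """\
State  Recv-Q Send-Q Local Address:Port Peer Address:Port Process
LISTEN 0      128    0.0.0.0:22         0.0.0.0:*        users:(("sshd",pid=812,fd=3))
LISTEN 0      5      0.0.0.0:64321      0.0.0.0:*        users:(("nc",pid=4242,fd=3))
"""

# Matches an INPUT rule that ACCEPTs traffic to a single destination port.
DPORT_RULE_RE = re.compile(r"^-A INPUT\b.*--dport (\d+)\b.*-j ACCEPT\b")


def accept_rules_for_port(iptables_save: str, port: int) -> List[str]:
    """Return the INPUT ACCEPT rules in iptables-save output that open `port`."""
    hits = []
    for raw in iptables_save.splitlines():
        line = raw.strip()
        m = DPORT_RULE_RE.match(line)
        if m and int(m.group(1)) == port:
            hits.append(line)
    return hits


def listeners_on_port(ss_output: str, port: int) -> List[Dict[str, str]]:
    """Return the LISTEN sockets in `ss -ltnp` output bound to `port`."""
    found = []
    for raw in ss_output.splitlines():
        cols = raw.split()
        if len(cols) < 5 or cols[0] != "LISTEN":
            continue  # header line or a non-listening socket
        addr, _, lport = cols[3].rpartition(":")  # also handles [::]:port
        if lport.isdigit() and int(lport) == port:
            found.append({
                "local": addr,
                "port": lport,
                # `ss -p` prints the owning process in the last column.
                "process": cols[5] if len(cols) > 5 else "",
            })
    return found


def audit_host(iptables_save: str, ss_output: str,
               port: int = BACKDOOR_PORT) -> List[str]:
    """Combine both checks into a list of human-readable findings."""
    findings = []
    for rule in accept_rules_for_port(iptables_save, port):
        findings.append(f"firewall rule opens TCP {port}: {rule}")
    for sock in listeners_on_port(ss_output, port):
        proc = sock["process"] or "unknown process"
        findings.append(f"listener on {sock['local']}:{sock['port']} ({proc})")
    return findings


if __name__ == "__main__":
    # Against the constructed samples this prints one finding per artifact.
    for finding in audit_host(SAMPLE_IPTABLES_SAVE, SAMPLE_SS_LTNP):
        print("FINDING:", finding)
```

A hit from either check is a lead rather than proof: a legitimate service could be bound to that port, so confirm what the owning process is and how the rule got there before treating the host as compromised.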
To make matters worse, multiple victims paid the ransom but received no response from the adversary and did not recover their encrypted files.
Indicators of Compromise
Duncan is a technology professional with over 20 years' experience in various IT roles. He has an interest in cyber security, and a wide range of other skills in radio, electronics and telecommunications.