JungleSec Ransomware via IPMI

SUMMARY

Attackers have deployed the JungleSec ransomware on IPMI-enabled systems whose IPMI interface still uses the default password.

DESCRIPTION

IPMI (Intelligent Platform Management Interface) is system management firmware included on the main boards of Unitrends appliances (1U and above). IPMI provides system management data and access even when the installed OS cannot be reached. Users configure IPMI by following the KB titled Configuring and using IPMI LAN for remote access. The IPMI LAN interface must be secured like any other login: ensure that only authorized persons can reach its IP address and that they have the appropriate credentials.


This JungleSec malware attack first occurred in November 2018.
The attackers used IPMI LAN access to reboot the appliance into single-user mode and gain root access, then downloaded and compiled the ccrypt encryption program. Once the files were encrypted, the attackers dropped the JungleSec ransom note (ENCRYPTED.md), which contains instructions to pay the ransom and decrypt the files.

RESOLUTION

The IPMI LAN server management feature is very useful, and it is safe when configured properly.

To protect against JungleSec and similar attacks, secure IPMI in your environment as follows:

1) Secure the IPMI LAN interface by setting a password for the IPMI ADMIN user that is not the default. See KB Configuring and using IPMI LAN for remote access.
2) Where possible, configure router ACLs so that only specific IP addresses can reach the IPMI LAN interface.
3) Add a password to the GRUB bootloader so that attackers cannot reboot the system into single-user mode. This prevents any change to the boot sequence without the GRUB password. Set it with the following command from PuTTY or SSH:

security_option grubpasswd [grub_password]
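After step 3, a defender will want to confirm that the bootloader really is locked. The following audit script is an added example, not Unitrends code and not part of the security_option tool; it assumes the standard GRUB legacy directives (a global password --md5 / --encrypted line before the first title entry) and the GRUB 2 directives (set superusers= plus password_pbkdf2), and it runs against constructed sample configurations embedded below rather than a live appliance.

```python
"""Audit a GRUB configuration for a boot-menu password (added example).

GRUB legacy locks interactive menu editing with a global `password`
line placed before the first `title` entry; GRUB 2 needs both
`set superusers=` and a `password_pbkdf2` line. Without either, anyone
with console access (including through IPMI LAN) can edit the boot
entry and boot into single-user mode.
"""
import re

# Constructed sample: GRUB legacy config with no password directive.
GRUB_LEGACY_OPEN = """\
default=0
timeout=5
title CentOS (2.6.32-754.el6.x86_64)
        root (hd0,0)
        kernel /vmlinuz-2.6.32-754.el6.x86_64 ro root=/dev/mapper/vg-root
        initrd /initramfs-2.6.32-754.el6.x86_64.img
"""

# Constructed sample: same config with an MD5-hashed password in the
# global section (the hash is a placeholder, not a real value).
GRUB_LEGACY_LOCKED = """\
default=0
timeout=5
password --md5 $1$PLACEHOLDER$xxxxxxxxxxxxxxxxxxxxxx
title CentOS (2.6.32-754.el6.x86_64)
        root (hd0,0)
        kernel /vmlinuz-2.6.32-754.el6.x86_64 ro root=/dev/mapper/vg-root
        initrd /initramfs-2.6.32-754.el6.x86_64.img
"""

# Constructed sample: GRUB 2 style config with superuser and PBKDF2 hash
# (hash is a placeholder).
GRUB2_LOCKED = """\
set superusers="root"
password_pbkdf2 root grub.pbkdf2.sha512.10000.PLACEHOLDERSALT.PLACEHOLDERHASH
menuentry 'CentOS Linux' {
        linux /vmlinuz root=/dev/mapper/vg-root ro
        initrd /initramfs.img
}
"""

LEGACY_PASSWORD = re.compile(r"password\s+(?:--(md5|encrypted)\s+)?(\S+)")


def audit_grub(config_text):
    """Return a dict: menu_locked, flavour ('legacy'/'grub2'/None), plaintext, notes."""
    res = {"menu_locked": False, "flavour": None, "plaintext": False, "notes": []}
    seen_entry = False   # have we passed the first title/menuentry yet?
    superusers = False
    pbkdf2 = False
    for raw in config_text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if line.startswith("title ") or line.startswith("menuentry "):
            seen_entry = True
            continue
        if line.startswith("set superusers="):
            superusers = True
            continue
        if line.startswith("password_pbkdf2 "):
            pbkdf2 = True
            res["flavour"] = "grub2"
            continue
        m = LEGACY_PASSWORD.match(line)
        if m:
            res["flavour"] = res["flavour"] or "legacy"
            if m.group(1) is None:
                # `password <secret>` with no hash option stores the secret
                # in clear text in the config file.
                res["plaintext"] = True
                res["notes"].append("password stored in clear text: " + line)
            if seen_entry:
                res["notes"].append("password appears inside an entry; the global menu is not locked by it")
            else:
                res["menu_locked"] = True
    if pbkdf2:
        if superusers:
            res["menu_locked"] = True
        else:
            res["notes"].append("password_pbkdf2 present but no 'set superusers=' line; GRUB 2 will not enforce it")
    return res


if __name__ == "__main__":
    for name, cfg in (("legacy-open", GRUB_LEGACY_OPEN),
                      ("legacy-locked", GRUB_LEGACY_LOCKED),
                      ("grub2-locked", GRUB2_LOCKED)):
        r = audit_grub(cfg)
        status = "LOCKED" if r["menu_locked"] else "OPEN"
        print(f"{name:14} {status:6} flavour={r['flavour']} notes={r['notes']}")
```

To audit a real appliance, read the live configuration file into audit_grub instead of the samples; a result with menu_locked false, or with a plaintext note, means step 3 has not been completed correctly.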

Alternatively, if you do not intend to use IPMI, you can disable IPMI LAN access.
See KB Configuring and using IPMI LAN for remote access.

LINK TO ADVISORIES
