Unsecured IPMI (Intelligent Platform Management Interface) cards are serving as a gateway for the JungleSec ransomware, which has hit multiple Linux servers. The ransomware was originally reported in early November 2018, with victims running Windows, Linux, and Mac; however, at the time there were no traces of how they were being infected.
Black hat hackers have been using the IPMI cards to gain access and install the JungleSec ransomware, which encrypts data and demands a 0.3 bitcoin payment (about $1,100) for the unlock key.
IPMI, a management interface, is either built into server motherboards or installed as an add-on card. It enables administrators to manage the computer remotely: power it on and off, get system information, and access a KVM that provides remote console access.
IPMI is also useful for managing servers, especially servers rented from another company at a remote colocation center. However, if the IPMI interface is not properly configured, it could allow attackers to remotely connect to and take control of servers using default credentials.
Bleeping Computer said they have “spoken to multiple victims whose Linux servers were infected with the JungleSec Ransomware and they all stated the same thing; they were infected through unsecured IPMI devices”. Bleeping Computer first reported this story on Dec 26, indicating that the hack only affected Linux servers.
The attackers installed the JungleSec ransomware through the server’s IPMI interface. In the conversations Bleeping Computer had with two of the victims, one victim said “that the IPMI interface was using the default manufacturer passwords.” The other victim stated that “the Admin user was disabled, but the attacker was still able to gain access through possible vulnerabilities.”
Once the attackers had gained access to the servers, they would reboot the computer into single user mode in order to gain root access. Once in single user mode, they downloaded and compiled the ‘ccrypt’ encryption program.
To secure the IPMI interface, the first step is to change the default password, as most of these cards ship with default credentials such as Admin/Admin. “Administrators should also configure ACLs that allow only certain IP addresses to access the IPMI interface. In addition, IPMI interfaces should be configured to only listen on an internal IP address so that it is only accessible by local admins or through a VPN connection”, Bleeping Computer reports.
The report also includes a tip from Negulescu, not specific to IPMI interfaces, which suggests adding a password to the GRUB bootloader. Doing so makes it more difficult, if not impossible, to reboot into single user mode from the IPMI remote console.
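The three hardening points above (default credentials, an IPMI interface exposed beyond the internal network, and a GRUB bootloader with no password) can be checked from an administrator's side with a small audit script. The following is an added example, not code from the original report or from Bleeping Computer; it parses the text output of `ipmitool lan print 1` and `ipmitool user list 1` and a GRUB custom-config snippet. The ipmitool output, the GRUB snippet, the list of vendor-default account names and the function names are all constructed for this example and are assumptions, not values taken from the report.

```python
"""Audit helper for the IPMI/GRUB hardening advice above.

Every sample below is constructed for this example; none of it was
captured from a real BMC or server.
"""
import ipaddress
import re

# Account names that BMC vendors commonly ship by default (assumed list).
DEFAULT_ACCOUNT_NAMES = {"admin", "administrator", "root", "user"}

# Address ranges treated as "internal" for the listen-address check.
INTERNAL_NETWORKS = [
    ipaddress.ip_network("10.0.0.0/8"),
    ipaddress.ip_network("172.16.0.0/12"),
    ipaddress.ip_network("192.168.0.0/16"),
    ipaddress.ip_network("127.0.0.0/8"),
]

# Constructed, abbreviated sample of `ipmitool lan print 1`.
SAMPLE_LAN_PRINT = """\
Set in Progress         : Set Complete
Auth Type Support       : NONE MD2 MD5 PASSWORD
IP Address Source       : Static Address
IP Address              : 203.0.113.10
Subnet Mask             : 255.255.255.0
Default Gateway IP      : 203.0.113.1
"""

# Constructed sample of `ipmitool user list 1` (ID 1 has an empty name).
SAMPLE_USER_LIST = """\
ID  Name\t     Callin  Link Auth\tIPMI Msg   Channel Priv Limit
1                    true    false      false      NO ACCESS
2   ADMIN            false   false      true       ADMINISTRATOR
3   ops              false   false      true       OPERATOR
"""

# Constructed /etc/grub.d/40_custom with no bootloader password set.
SAMPLE_GRUB_CUSTOM = """\
#!/bin/sh
exec tail -n +3 $0
"""


def ipmi_ip_address(lan_print):
    """Return the 'IP Address' field from `ipmitool lan print` output, or None."""
    match = re.search(r"^IP Address\s*:\s*(\S+)", lan_print, re.MULTILINE)
    return match.group(1) if match else None


def is_internal_address(ip):
    """True if the address lies in one of the internal ranges above."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in INTERNAL_NETWORKS)


def parse_user_list(user_list):
    """Parse `ipmitool user list` rows; the name column may be empty."""
    users = []
    for line in user_list.splitlines()[1:]:  # skip the header row
        tokens = line.split()
        if not tokens:
            continue
        if tokens[1] in ("true", "false"):  # empty name column
            name, rest = "", tokens[1:]
        else:
            name, rest = tokens[1], tokens[2:]
        callin, link_auth, ipmi_msg = (t == "true" for t in rest[:3])
        users.append({
            "id": int(tokens[0]),
            "name": name,
            "ipmi_msg": ipmi_msg,          # True: account usable over LAN
            "priv": " ".join(rest[3:]),    # e.g. "ADMINISTRATOR", "NO ACCESS"
        })
    return users


def grub_has_password(grub_custom):
    """True if a GRUB superuser and a PBKDF2 password entry are both present."""
    return ("set superusers=" in grub_custom) and ("password_pbkdf2" in grub_custom)


def audit(lan_print, user_list, grub_custom):
    """Return a list of human-readable findings for the three checks."""
    findings = []
    ip = ipmi_ip_address(lan_print)
    if ip and not is_internal_address(ip):
        findings.append(f"IPMI listens on non-internal address {ip}; "
                        "restrict it to a management network or VPN")
    for user in parse_user_list(user_list):
        if user["ipmi_msg"] and user["name"].lower() in DEFAULT_ACCOUNT_NAMES:
            findings.append(f"default account '{user['name']}' (ID {user['id']}) "
                            f"is enabled with {user['priv']} privilege; "
                            "confirm its vendor password was changed")
    if not grub_has_password(grub_custom):
        findings.append("GRUB has no superuser/password_pbkdf2 entry; "
                        "single user mode is reachable from the remote console")
    return findings


if __name__ == "__main__":
    for finding in audit(SAMPLE_LAN_PRINT, SAMPLE_USER_LIST, SAMPLE_GRUB_CUSTOM):
        print("-", finding)
```

The script only reads command output, so it cannot tell whether a default account's password was actually changed; it flags enabled vendor-named accounts so an administrator can verify them. The GRUB check looks for the `set superusers=` and `password_pbkdf2` directives that a generated GRUB password entry contains.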
To know more about this news in detail, head over to Bleeping Computer’s complete coverage.