A ransomware variant called JungleSec was recently exposed by BleepingComputer. The ransomware (first reported in early November) was found to be infecting Windows, Mac and, above all, Linux servers through unsecured IPMI (Intelligent Platform Management Interface) cards, the out-of-band management controllers that give remote console and power control over a server independently of its operating system.
It is still not clear why Linux servers account for most of the infections; Linux's dominance in the server market is one explanation being offered.
BleepingComputer said it reached out to a number of victims whose Linux servers were infected with the ransomware. All of them asserted that the attackers got in through poorly configured IPMI devices.
The report details the attacks on two such victims: “In one case, the IPMI interface was using the default manufacturer passwords. The other victim stated that the Admin user was disabled, but the attacker was still able to gain access through possible vulnerabilities.
Once the user gained access to the servers, which in both of these cases were Linux, the attackers would reboot the computer into single user mode in order to gain root access. Once in single user mode, they downloaded and compiled the ccrypt encryption program.”
How to Secure your IPMI?
To secure your IPMI interface, the first tip is to change the manufacturer's default credentials (such as Admin/Admin) immediately: anyone who can log in to the IPMI interface has the same remote console and power control over the server that its owner does.
The other suggestion, the report adds, is to set a password on the GRUB bootloader, which makes it harder to edit a boot entry from the IPMI remote console and reboot into single-user mode. A GRUB password only restricts the boot menu, so it complements rather than replaces fixing the IPMI credentials.
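As an added example (not code from the BleepingComputer report or from any vendor tool), the following POSIX shell script ties the two recommendations together: it parses the output of `ipmitool user list <channel>` to flag IPMI-enabled accounts that still carry a well-known factory account name, renders the `ipmitool` commands that rename and re-password them, and renders the GRUB stanza that requires a password before boot entries can be edited from the remote console. The user list is constructed sample output so the script runs offline; the `bmc-admin-<id>` naming scheme and the `grubadmin` GRUB user are illustrative choices, not anything the report prescribes.

```shell
#!/bin/sh
# Added example, not code from the report or any vendor tool.
# 1) flag BMC accounts that still use a factory default name and can log in,
# 2) render the ipmitool commands that rename/re-password them,
# 3) render the GRUB stanza that password-protects menu editing
#    (the `single` / `init=/bin/sh` trick from the IPMI remote console).

# CONSTRUCTED sample of `ipmitool user list 1` output so this runs offline.
SAMPLE_USER_LIST='ID  Name             Callin  Link Auth  IPMI Msg   Channel Priv Limit
1                    true    false      false      NO ACCESS
2   ADMIN            false   false      true       ADMINISTRATOR
3   backup           true    false      true       OPERATOR
4   root             true    true       true       ADMINISTRATOR'

# Well-known BMC factory account names (Supermicro ADMIN, Dell root, IBM USERID,
# HP Administrator). An IPMI-enabled account with one of these names is a strong
# hint that the factory credentials were never changed; confirm with
# check_default_login, which needs network access to the BMC.
DEFAULT_NAMES='ADMIN admin Admin root USERID Administrator'

# flag_default_users <user-list-text>
# Prints "id:name:privilege" for every IPMI-enabled account with a default name.
flag_default_users() {
    printf '%s\n' "$1" | awk -v names="$DEFAULT_NAMES" '
        BEGIN { n = split(names, arr, " "); for (i = 1; i <= n; i++) known[arr[i]] = 1 }
        NR == 1 { next }                        # skip the column header
        {
            # An empty Name column shifts every later field one position left.
            if ($2 == "true" || $2 == "false") { name = ""; ipmi = $4; first = 5 }
            else                                { name = $2; ipmi = $5; first = 6 }
            priv = $first
            for (i = first + 1; i <= NF; i++) priv = priv " " $i   # e.g. "NO ACCESS"
            if (ipmi == "true" && (name in known)) print $1 ":" name ":" priv
        }'
}

# ipmi_remediation_cmds <user-list-text>
# Prints the ipmitool commands that retire each flagged account: give it a
# non-default name and set a new password (ipmitool prompts when the password
# argument is omitted, so nothing lands in the shell history).
ipmi_remediation_cmds() {
    flag_default_users "$1" | while IFS=: read -r id name priv; do
        printf 'ipmitool user set name %s bmc-admin-%s\n' "$id" "$id"
        printf 'ipmitool user set password %s\n' "$id"
    done
}

# check_default_login <bmc-host> <user> <password>
# Returns 0 if the BMC accepts the credentials over IPMI 2.0 (lanplus), i.e. the
# factory login still works. Not exercised by the offline run below.
check_default_login() {
    ipmitool -I lanplus -H "$1" -U "$2" -P "$3" chassis status >/dev/null 2>&1
}

# grub_password_stanza <grub-user> <pbkdf2-hash>
# Renders the lines to append to /etc/grub.d/40_custom (then run update-grub or
# grub2-mkconfig). The hash is the output of `grub-mkpasswd-pbkdf2`; anything
# else is refused so a plain-text password never ends up in the menu file.
grub_password_stanza() {
    case "$2" in
        grub.pbkdf2.sha512.*) ;;
        *) echo "refusing: not a grub-mkpasswd-pbkdf2 hash" >&2; return 1 ;;
    esac
    printf 'set superusers="%s"\n' "$1"
    printf 'password_pbkdf2 %s %s\n' "$1" "$2"
}

# Stand-alone run: audit the constructed sample and render both remediations.
# GRUB_HASH defaults to a placeholder; paste the real grub-mkpasswd-pbkdf2 output.
flag_default_users "$SAMPLE_USER_LIST"
ipmi_remediation_cmds "$SAMPLE_USER_LIST"
grub_password_stanza grubadmin "${GRUB_HASH:-grub.pbkdf2.sha512.10000.REPLACE_SALT.REPLACE_HASH}"
```

One caveat on the GRUB part: once `superusers` is set, GRUB also demands the password to boot any entry that is not marked `--unrestricted`, which would turn every unattended reboot into a console prompt. On Debian and Ubuntu the usual fix is to add `--unrestricted` to the `CLASS` variable in /etc/grub.d/10_linux before regenerating the menu; normal boots then proceed without a password while editing an entry (the single-user trick) still requires it.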