JungleSec Ransomware
Just posting this for the community's awareness in light of the recent incidents that have impacted servers at some of our providers.
Personally, I don’t have much information, or know how widespread this might be, but if anyone does, please feel free to share and discuss it here.
To the providers with IPMI on public IPs, now would be a good time to conduct an audit on your servers and implement stronger security measures.
Remember, security is everyone's responsibility, so if you or your customers' servers are affected, or at risk, it's important to work together to secure your environment.


Comments
https://helpdesk.kaseya.com/hc/en-gb/articles/4407512513425-JungleSec-Ransomware-via-IPMI
So it is already known since 2018.
It's someone new only attacking ASRock public IPMI for now.
Remove all users including administrator from your IPMI. Keep admin only.
Better to pull off your IPMI Ethernet cable for now.
Yes, there was also an article published on Bleeping Computer about this, back in 2018.
https://www.bleepingcomputer.com/news/security/junglesec-ransomware-infects-victims-through-ipmi-remote-consoles/
Is public Proxmox VE also considered insecure? One LET provider's support gave me a Proxmox VE account (which only has access to my VPS) when I tried to tell them that their noVNC was borked.
After this incident I'm just a little worried and want to make sure the provider has good security measures so this won't happen.
I know backups are my responsibility, but any oopsie from the provider and the time I spend on re-deploying isn't good at all.
So the attacker kinda confirmed to me that he is attacking and was able to compromise ASRock IPMI only for now.
If I am able to identify the azzhole attacker, I will pull his head off. Lowlife parasite of society. Net negative and should be eliminated.
Just to be clear: did they use a known (unpatched) vulnerability, a misconfiguration (including default passwords), brute-forced the password, or used a new vulnerability to get access?
No, only IPMI systems are affected.
yikes
In plain text: what @DP posted is a reminder to not leave admin/admin as user/pass.
so wild
The 0.037 BTC ransom equals 25,000 CNY.
You should email them and ask if the offer includes a date with Winnie-the-Pooh.
It's been safe for the last 10 years, as long as you use a very complex password and firewall properly.
He is using administrator user to login.
It's completely ASRock's fault. They didn't remove the administrator user from their IPMI firmware that was given to them from AMI as MegaRAC SP-X firmware.
Everyone should start emailing ASRock about this. Make them pay.
My Gigabyte and Supermicro IPMI doesn't have this vulnerability.
Mentally strong people unplug IPMI.
We put on a noise cancelling headset and manage the server with VGA monitor + PS/2 keyboard just like the old days.
I will detail how I solved this problem by having physical access to the servers and the switch that connects them to the Internet:
In this way, any proxmox node has access to the iLOs of the other servers.
This ensures fast debugging if the OS of a node is not accessible via SSH, while only the other nodes in the same cluster can test the credentials.
I hope the above ideas help those who need it!
It is probably worth mentioning that SSH on nodes can only be done with a private key and at the proxmox interface level we have fail2ban which will block any bruteforce attempt after only 3 tested user/password combinations.
Thanks for the heads up! I was just kinda concerned that support gave me Proxmox credentials out of nowhere for VNC access, and I saw this thread at the same time, but it looks fine at least.
Conceptually that is every bit as bad as public IPMI, but it’s not relevant to this specific junglesec threat
Wow.
I am very concerned that such providers even exist.
They do, and one is even a top host. Imagine the state of smaller/less popular ones.
Wow which top host? Gc?
Do you know if ASRock released a firmware update to resolve this, or have they just ignored the issue?
I couldn't find their firmware release notes anywhere, but it seems the attack vector is CVE-2022-40242 (first reported in 2022), which was patched by GIGABYTE in March this year:
https://www.gigabyte.com/Support/Security/2151
Yes
ASRock didn't. I am already on their latest firmware.
Well... ASRock and Gigabyte were always late on security stuff...
Supermicro has many vulnerabilities in IPMI, I recommend checking them out at the following links.
https://www.supermicro.com/es/support/security_BMC_Dec_2023
https://www.supermicro.com/es/support/security_BMC_IPMI_Oct_2023
https://www.supermicro.com/es/support/security_center#!advisories
Not necessarily, but in my opinion having public PVE, especially with untrusted users having accounts, is too close for comfort.
Nothing really wrong with it, assuming root and the other user accounts have really good passwords, the user accounts expire before that VMID is assigned to someone else, there's some kind of rate limiting, and there's no vulnerability in your version of PVE.
I am sorry, but no. Having IPMI exposed to the public internet is negligent, and no one should do that. Avoiding it has been basic common sense for a very long time, but unsurprisingly some providers did not get the memo until they were hacked.
Providers who missed this are unfit to maintain secure infrastructure for many reasons, like not being able to perform reasonable risk assessments and reasonable security choices when deploying their hardware.
I mean, supermicro had an exploit all those years ago where they had an open port that would leak the ADMIN password. You literally would netcat it, give it a command, and it'd dump it.
As @Nyr said, having IPMI on the public WAN is fucktarded. There's no excuse for it. It's easy enough to put together automated wireguard profiles with some firewalling to stop LAN chatter.
Francisco
This is how we were compromised.
x.x.x.x Administrator:superuser123!
ASRock shouldn't have Administrator user in their IPMI firmware with superuser123! as password. It could be hacked even if the IPMI was in LAN with shared VLAN+VPN with other clients within the same IPMI network.
Edit: I never knew that Administrator user was active/usable until yesterday. I guess no one did.
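The thread's practical lesson is the one above (a vendor-shipped "Administrator" slot nobody knew was enabled) and the earlier advice to remove every IPMI user except your own admin. As an added example that is not part of any post here, this script audits a saved `ipmitool user list` dump for enabled accounts outside an operator allow-list; the sample table is constructed, and the default-name set beyond "Administrator" is an assumption.

```python
import re

# Constructed sample of `ipmitool user list 1` output (not captured from any
# real BMC): slot 3 is the vendor-supplied "Administrator" account discussed
# in the thread, still enabled alongside the operator's own "admin".
SAMPLE_USER_LIST = """\
ID  Name             Callin  Link Auth  IPMI Msg   Channel Priv Limit
1                    true    false      false      NO ACCESS
2   admin            true    true       true       ADMINISTRATOR
3   Administrator    true    true       true       ADMINISTRATOR
4   backup           true    false      true       USER
"""

# Names that BMC firmware stacks commonly ship pre-created. "Administrator"
# is the one this thread attributes to ASRock/AMI; the rest are assumptions.
KNOWN_DEFAULT_NAMES = {"administrator", "admin", "root", "user"}

# slot id, optional name, three true/false flags, then a possibly multi-word
# privilege level such as "NO ACCESS".
ROW_RE = re.compile(
    r"^\s*(\d+)\s+(.*?)\s*(true|false)\s+(true|false)\s+(true|false)\s+(.+?)\s*$"
)

def parse_user_list(text):
    """Turn ipmitool's user table into a list of dicts (header row skipped)."""
    users = []
    for line in text.splitlines():
        m = ROW_RE.match(line)
        if m:
            uid, name, _callin, _link, ipmi_msg, priv = m.groups()
            users.append({"id": int(uid), "name": name,
                          "ipmi_msg": ipmi_msg == "true", "priv": priv})
    return users

def audit_users(users, allowed_names=("admin",)):
    """Flag every enabled account not on the operator's allow-list.

    Returns (slot id, name, privilege, reason) tuples; "enabled" means the slot
    has a name and IPMI messaging is on, i.e. it can authenticate over the LAN."""
    allowed = {n.lower() for n in allowed_names}
    findings = []
    for u in users:
        if not u["name"] or not u["ipmi_msg"] or u["name"].lower() in allowed:
            continue
        reason = ("vendor/default account name still enabled"
                  if u["name"].lower() in KNOWN_DEFAULT_NAMES
                  else "unexpected account")
        findings.append((u["id"], u["name"], u["priv"], reason))
    return findings

def remediation_commands(findings):
    """ipmitool commands that disable the flagged slots (returned, not executed)."""
    return [f"ipmitool user disable {uid}" for uid, *_ in findings]
```

Feed it the output of `ipmitool user list <channel>` from each BMC and review the flagged slots before running the generated commands; re-run the dump afterwards to confirm the slots are really disabled.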
Oh man, so this isn't so much about exploit of code but rather a default user pass issue? That's such a bummer because if it was documented, a lot of losses could have been avoided. Thanks to all of you for pointing this out.