file-encrypting Trojan

taich

taich

Member
Aug 15, 2020
110
15
23
64
I discovered a file-encrypting Trojan that encrypted a hole proxmox 6.4 server.
I have no idea how this can happen since nobody does ever physical work on the proxmox console.
 

Installing JungleSec through IPMI

In conversations between BleepingComputer and two victims it was discovered that attackers installed the JungleSec ransomware through the server's IPMI interface. In one case, the IPMI interface was using the default manufacturer passwords. The other victim stated that the Admin user was disabled, but the attacker was still able to gain access through possible vulnerabilities.

Once the user gained access to the servers, which in both of these cases were Linux, the attackers would reboot the computer into single user mode in order to gain root access. Once in single user mode, they downloaded and compiled the ccrypt encryption program.
Click to expand...
Did you always update your IPMIs firmware?
 
Last edited:
Dunuin said:
Did you always update your IPMIs firmware?
Click to expand...

Maybe this can explain the infection.

Do you have PBS (Proxmox Backup Server) for recover the VMs?
We have customers with a PBS and backups every hour for minimize the consequences of infections like this.
 
The mainboard is a supermicro 2 years old with latest firmware. The default password was changed but may be was brute force hacked.
Fortunately we do have a full backup and do not need to pay ransom of 0.4 BTC.

In the future we wont expose IPMI to the internet any more.
 
tjk said:
NEVER expose IPMI to the Internet, never ever ever.
Click to expand...
I agree with this, exposing IPMI to the internet is like leave your home's door open all the time.
It is better access IPMI using a VPN.
 
taich said:
The mainboard is a supermicro 2 years old with latest firmware. The default password was changed but may be was brute force hacked.
Fortunately we do have a full backup and do not need to pay ransom of 0.4 BTC.

In the future we wont expose IPMI to the internet any more.
Click to expand...

unfortunately IPMI security isn't in a good state, as the others have suggested it's better to access it over a VPN or similar.

make sure you also close udp port 623 for BMC Remote Management Control Protocol (RMCP) and not only the user interface of the IPMI (SSH can be a target as well if that is enabled)

it's likely that they gathered your IPMI HMAC hash (if they can guess your username, most cases this is left default or easily guessable like 'admin' or 'root') [0] and cracked it offline...

but at least you had backups :)

[0]: http://fish2.com/ipmi/remote-pw-cracking.html
 
You must log in or register to reply here.

About

The Proxmox community has been around for many years and offers help and support for Proxmox VE, Proxmox Backup Server, and Proxmox Mail Gateway.
We think our community is one of the best thanks to people like you!

Quick Navigation

Home Get Subscription Wiki Downloads Proxmox Customer Portal About

Get your subscription!

The Proxmox team works very hard to make sure you are running the best software and getting stable updates and security enhancements, as well as quick enterprise support. Tens of thousands of happy customers have a Proxmox subscription. Get yours easily in our online shop.

Buy now!
Community platform by XenForo® © 2010-2024 XenForo Ltd.
Top Bottom
Back