[HostCram] Junglesec Ransomware - 9 Linux VMs are affected (Backup your data) - Ryzen 7000
Just cross-posting this from @Shakib at the OGF:
Hey,
Just found out one of our nodes is affected by Junglesec Ransomware and, as per my count, 9 Linux VMs were affected; Windows VMs are still safe from it (probably).
Requesting everyone who is using our Ryzen 7000 VMs to backup their data while we do the same for everyone.
Sorry for the inconvenience. Additional updates will be provided through email.
Thanks for being with us.
Comments
Unless the backup was from before the infection of the VM, that is useless now. The backup will also be infected. They need to find out when it happened.
Free Hosting at YetiNode | Cryptid Security | URL Shortener | LaunchVPS | ExtraVM | Host-C | In the Node, or Out of the Loop?
Well some data could be okay, right? I mean, if I did a mysqldump on my database that data would likely be fine. Could never trust any binary of that system obviously but some things would be salvageable.
EDIT: Note, I'm not affected. I'm speaking in the abstract.
Analysis would have to be performed to see how far the actual infection goes. If it is a full-blown deep infection then I wouldn't even trust the dump.
IMO this is why incremental backups with at least two revolving copies, meaning the oldest is wiped before the new one is taken, are important. If you can't pinpoint the infection date then use the oldest backup after it is checked for abnormalities.
Could someone explain the attack vector here? As far as I understand, they got access to IPMI. Is that essentially allowing access to the console? So they would then reboot the server and then boot into something like init=/bin/bash to get root access on the machine? So something as simple as setting a password in grub that would prevent booting into anything other than the predefined menu entries would have already avoided it? Since it's ransomware my assumption is they're using the IPMI vulnerability to run something on that which spread over the interface/network to the VMs. But I have no idea, just a guess!
ExtraVM
From the report a few years ago on the ransomware group, it seems that they are mounting all of the VPS disks and then encrypting every file on the VPS disks as well. That explains why VPS files have the ransom notice.
I am a representative of Advin Servers
Simpler than I would have thought.
Yes... but first you need to get root access to the host machine. And to do that you need to use the IPMI vulnerability, but the host also needs to have a completely insecure boot manager that lets you boot into something like init=/bin/bash. Sadly, that seems to be the default these days. I have just had a quick look at the default Ubuntu install, and it's not even that simple to set a password for grub such that it still boots the default entry without a password, but requires a password when trying to edit the command line before booting. Maybe that's something that really should change as well?
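The configuration the poster above is describing (GRUB boots the default entry unattended, but editing an entry or dropping to the GRUB shell requires a password) is what GRUB 2's `set superusers` / `password_pbkdf2` directives plus the `--unrestricted` menu-entry flag give you. The script below is an added example for this thread, not anything posted by the participants or shipped by HostCram or Ubuntu; it assumes a Debian/Ubuntu layout where `/etc/grub.d/40_custom` and `/etc/grub.d/10_linux` exist, takes the grub.d directory as a parameter so it can be staged against a copy first, and uses a placeholder hash where the output of `grub-mkpasswd-pbkdf2` belongs. The next reply in the thread makes the important caveat: this only closes the "edit the kernel command line" path; with IPMI giving BIOS/UEFI and virtual-media access, an attacker can still boot a rescue ISO, so the boot-manager password needs to be paired with a firmware password and with keeping IPMI off any reachable network.

```shell
#!/bin/sh
# Added example (not from the thread): stage a GRUB 2 password policy that
# still boots the default Linux entry unattended but requires the superuser
# password to edit entries or use the GRUB command line.
# Assumes the Debian/Ubuntu grub.d layout. The hash is a placeholder; produce
# a real one with `grub-mkpasswd-pbkdf2` and run `update-grub` afterwards.
set -eu

# stage_grub_password DIR USER HASH
#   DIR  - grub.d directory (e.g. /etc/grub.d, or a staging copy)
#   USER - GRUB superuser name
#   HASH - grub.pbkdf2.sha512.... string from grub-mkpasswd-pbkdf2
stage_grub_password() {
    dir="$1"
    user="$2"
    hash="$3"

    # Refuse anything that is not a PBKDF2 hash so a plaintext password
    # never ends up in grub.cfg by accident.
    case "$hash" in
        grub.pbkdf2.sha512.*) ;;
        *) echo "refusing: hash is not a grub.pbkdf2.sha512 string" >&2; return 1 ;;
    esac

    # Append the superuser stanza to 40_custom once (idempotent on re-run).
    if ! grep -q '^set superusers=' "$dir/40_custom" 2>/dev/null; then
        cat >> "$dir/40_custom" <<EOF
set superusers="$user"
password_pbkdf2 $user $hash
EOF
    fi

    # Add --unrestricted to the CLASS line that 10_linux uses for every
    # generated Linux menuentry: those entries then boot without a password,
    # while editing them (the 'e' key) and the GRUB shell ('c') still prompt.
    if ! grep -q -- '--unrestricted' "$dir/10_linux"; then
        sed -i 's/^CLASS="\(.*\)"$/CLASS="\1 --unrestricted"/' "$dir/10_linux"
    fi
}

# grub_password_staged DIR
#   Returns 0 when both halves of the policy are present in DIR.
grub_password_staged() {
    dir="$1"
    grep -q '^set superusers=' "$dir/40_custom" &&
    grep -q '^password_pbkdf2 ' "$dir/40_custom" &&
    grep -q -- '--unrestricted' "$dir/10_linux"
}

# Live usage (then regenerate grub.cfg with update-grub):
#   stage_grub_password /etc/grub.d admin 'grub.pbkdf2.sha512.10000.PLACEHOLDER'
#   grub_password_staged /etc/grub.d && echo "grub password policy staged"
```

Run it against a copy of `/etc/grub.d` first and diff the result; on the live system the change only takes effect after `update-grub` rewrites `/boot/grub/grub.cfg`, and you should confirm from the console that the default entry still boots without a prompt before relying on it.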
If you have access to IPMI, you could boot into a rescue ISO and do whatever you want. As far as I know, the boot manager wouldn't really do much of anything. Think of IPMI basically giving you a display and keyboard for the server, including access to the BIOS.
https://lowendtalk.com/discussion/199635/all-my-dedi-infected-with-junglesec-ransomware-from-fiberstate-colo#latest
welp?
Haven't bought a single service in VirMach Great Ryzen 2022 - 2023 Flash Sale.
https://lowendspirit.com/uploads/editor/gi/ippw0lcmqowk.png
We have assigned everyone affected a new VPS with 6 months free service as compensation.
Also helping with restoring their data on their new VPS.
We did decrypt one VM but the database is mostly unusable. I don't think full decryption is possible.
HostCram LLC - Web Hosting Built For Speed, Reliability, Security & Uptime! [We operate AS39618]