[HostCram] Junglesec Ransomware - 9 Linux VMs are affected (Backup your data) - Ryzen 7000

Just cross-posting this from @Shakib at the OGF:

Hey,

Just found out one of our node is affected by Junglesec Ransomware and as per my count 9 Linux VMs were affected and Windows VMs are still safe from it (probably).

Requesting everyone who is using our Ryzen 7000 VMs to backup their data while we do the same for everyone.

Sorry for the inconveniences. Additional updates will be provided though emails.

Thanks for being with us.

Comments

  • AuroraZeroAuroraZero ModeratorHosting Provider

    Unless the backup was from before the infection of the VM that is useless now. The backup will also be infected. They need to find out when it happened.

    Thanked by (2)Freek Shakib

    Free Hosting at YetiNode | Cryptid Security | URL Shortener | LaunchVPS | ExtraVM | Host-C | In the Node, or Out of the Loop?

  • skorousskorous OGSenpai
    edited November 19

    @AuroraZero said:
    Unless the backup was from before the infection of the VM that is useless now. The backup will also be infected. They need to find out when it happened.

    Well some data could be okay, right? I mean, if I did a mysqldump on my database that data would likely be fine. Could never trust any binary of that system obviously but some things would be salvageable.

    EDIT: Note, I'm not affected. I'm speaking in the abstract.

    Thanked by (1)Shakib
  • AuroraZeroAuroraZero ModeratorHosting Provider

    @skorous said:

    @AuroraZero said:
    Unless the backup was from before the infection of the VM that is useless now. The backup will also be infected. They need to find out when it happened.

    Well some data could be okay, right? I mean, if I did a mysqldump on my database that data would likely be fine. Could never trust any binary of that system obviously but some things would be salvageable.

    EDIT: Note, I'm not affected. I'm speaking in the abstract.

    Analysis would have to be performed to see how far the actual infection goes. If it is a full blown deep infection then I wouldn't trust the dump even.

    IMO this is why incremental backups of at least two revolving, meaning oldest is wiped before the new one is taken is important. If you can't pinpoint the infection date then use the oldest backup after it is checked for abnormalities.

    Thanked by (2)skorous Shakib

    Free Hosting at YetiNode | Cryptid Security | URL Shortener | LaunchVPS | ExtraVM | Host-C | In the Node, or Out of the Loop?

  • edited November 19

    Could someone explain the attack vector here. As far as I understand, they got access to IPMI. Is that essentially allowing access to the console? So they would then reboot the server and then boot into something like init=/bin/bash to get root access on the machine? So something as simple as setting a password in grub that would prevent booting into anything other then the predefined menu entries would have already avoided it?

    Thanked by (2)Not_Oles Shakib
  • MikeAMikeA Hosting ProviderOG

    Since it's ransomware my assumption is they're using the IPMI vulnerability to run something on that which spread over the interface/network to the VMs. But I have no idea, just a guess!

    Thanked by (1)Shakib
  • AdvinAdvin Hosting Provider
    edited November 19

    @MikeA said:
    Since it's ransomware my assumption is they're using the IPMI vulnerability to run something on that which spread over the interface/network to the VMs. But I have no idea, just a guess!

    From the report a few years ago on the ransomware group, it seems that they are mounting all of the VPS disks and then encrypting every file on the VPS disks as well. That explains why VPS files have the ransom notice.

    Thanked by (1)Shakib

    I am a representative of Advin Servers

  • MikeAMikeA Hosting ProviderOG

    @Advin said:

    @MikeA said:
    Since it's ransomware my assumption is they're using the IPMI vulnerability to run something on that which spread over the interface/network to the VMs. But I have no idea, just a guess!

    From the report a few years ago on the ransomware group, it seems that they are mounting all of the VPS disks and then encrypting every file on the VPS disks as well. That explains why VPS files have the ransom notice.

    Simpler than I would have thought.

    Thanked by (1)Shakib
  • @MikeA said:

    @Advin said:

    @MikeA said:
    Since it's ransomware my assumption is they're using the IPMI vulnerability to run something on that which spread over the interface/network to the VMs. But I have no idea, just a guess!

    From the report a few years ago on the ransomware group, it seems that they are mounting all of the VPS disks and then encrypting every file on the VPS disks as well. That explains why VPS files have the ransom notice.

    Simpler than I would have thought.

    Yes... but first you need to get root access to the host machine. And to do that you need to use the IPMI vulnerability, but the host also needs to have a completely insecure boot manager that lets you boot into something like init=/bin/bash. Sadly, that seems to be the default these days.

    I have just had a quick look at the default Ubuntu install, and it's not even that simple to set a password for grub such that it still boots the default entry without a password, but requires a password when trying to edit the command line before booting. Maybe that's something that really should change as well?

    Thanked by (1)Shakib
  • AdvinAdvin Hosting Provider

    @cmeerw said:

    @MikeA said:

    @Advin said:

    @MikeA said:
    Since it's ransomware my assumption is they're using the IPMI vulnerability to run something on that which spread over the interface/network to the VMs. But I have no idea, just a guess!

    From the report a few years ago on the ransomware group, it seems that they are mounting all of the VPS disks and then encrypting every file on the VPS disks as well. That explains why VPS files have the ransom notice.

    Simpler than I would have thought.

    Yes... but first you need to get root access to the host machine. And to do that you need to use the IPMI vulnerability, but the host also needs to have a completely insecure boot manager that lets you boot into something like init=/bin/bash. Sadly, that seems to be the default these days.

    I have just had a quick look at the default Ubuntu install, and it's not even that simple to set a password for grub such that it still boots the default entry without a password, but requires a password when trying to edit the command line before booting. Maybe that's something that really should change as well?

    If you have access to IPMI, you could boot into a rescue ISO and do whatever you want. As far as I know, the boot manager wouldn't really do much of anything. Think of IPMI basically giving you a display and keyboard for the server, including access to the BIOS.

    Thanked by (1)Shakib

    I am a representative of Advin Servers

  • ShakibShakib Hosting Provider
    edited November 22

    We have assigned everyone affected a new VPS with 6 months free service as compensation.

    Also helping with restoring their data on their new VPS.

    We did decrypt one VM but the database is mostly unusable. I don't think full decryption is possible.

    HostCram LLC - Web Hosting Built For Speed, Reliability, Security & Uptime! [We operate AS39618]

Sign In or Register to comment.