Ransomware via unsecure/default IPMI


BLinux

cat lover server enthusiast
Jul 7, 2016
artofserver.com
Do you think most people affected by this are seeing this as the point of entry? I would like to think that the IPMI interfaces are not publicly exposed, so the point of entry must have been some other exploit onto a machine local to the network where the IPMI is exposed, no?

EffrafaxOfWug

Radioactive Member
Feb 12, 2015
> I would like to think that the IPMI interfaces are not publicly exposed

I think we would all like to think that, but it's basically the same story for any remote protocol; if someone can make it directly accessible on the 'net, someone will do exactly that.

Don't get me started on UPnP...

Kalam

New Member
Mar 18, 2018
The last set of servers I bought had public IP addresses assigned for IPMI.
Big companies and universities that own large public IP ranges use them internally. I doubt they were publicly routable... Although considering someone went to the trouble of making this ransomware, maybe.

BLinux

cat lover server enthusiast
Jul 7, 2016
artofserver.com
Well, in the article linked in the OP, some of those affected by this ransomware are being public about it; if I were stupid enough to put my IPMI directly on the Internet, I wouldn't publicly tell the world that's what I did... LOL.

Aestr

Well-Known Member
Oct 22, 2014
Seattle
> Big companies and universities that own large public IP ranges use them internally. I doubt they were publicly routable... Although considering someone went to the trouble of making this ransomware, maybe.

Good guess, and of course, as you mention, many organizations do that. Not this one. They replaced their old servers with new ones with the same IPMI addresses...

I did send them an email but never heard back. Hopefully they weren't impacted by ransomware, but they sure weren't making it difficult.

ljvb

Member
Nov 8, 2015
Your IPMI setup does not need to be public facing to be affected. Think of SQL Slammer and similar worms back in the day (yes, I am old...ish); those systems were not publicly accessible (well, some were; there is always that outlier crowd of stupid people who put everything on the Internet...).

More than likely, the targets are people who open attachments or download random crap from places they shouldn't on their work systems, at which point the attackers are inside the network, and all is lost in a poorly segmented network.

I am an IT Security Specialist; I do pentesting and audits. You would be surprised by how many systems I have seen on random, regular, non-ACL'd or unfirewalled networks. On top of that, on at least 2 occasions in the last 10 years (which is 2 too many), I found switches bridging secure and unsecure networks with default cisco/cisco authentication because the contractor was lazy and did not want to walk the 5 min between datacenter zones.

Then there are major entities whose entire security infrastructure, and much of their network infrastructure, sits on generic LANs accessible by all.

On the bright side, as long as people make malware, I'll be comfortably employed :)