Tag Archives: ransomware

RDP – the gift that keeps on giving

It’s long been known (at least in security circles) that the RDP protocol, and its client and server implementations, are horribly broken. While a BlueKeep (the most recent RDP vulnerability) worm has yet to surface, brute-force password attacks on RDP services are a dime a dozen and are occurring at a rapid rate.

PoC code is available for DoS attacks and limited RCEs on BlueKeep, and while attacks in the wild have yet to be seen, this is a case of when rather than if.

A recent honeypot test with 10 RDP servers across the world resulted in the first service being identified within 1m30sec. There were 4.3 million login attempts on these honeypots, with a logarithmically increasing rate over a period of a month, after which the test was ended.

There are 2 critical security issues currently being delivered through RDP attacks:

  • ransomware
  • cryptomining

Both of these offer the attackers a strong financial incentive, and because the attack is typically low-cost and low-effort, both are seeing widespread use.

At least 5 malware families are currently being used for ransomware attacks, including Ryuk, a very destructive piece of malware (municipal services in the US are being infected at a rapid rate) that is generally distributed through Trickbot via spam email or the Emotet downloader trojan. PowerShell is a common tool used by Trickbot to infiltrate targets and install Ryuk …

Brute-force password attacks remain an effective method of infiltration purely because of the poor password choices of RDP machine operators/admins, even after decades of user education. The lack of security controls on RDP from Microsoft is also an issue: a simple 2FA/OTP or PKI requirement would stop this dead in its tracks. But admins resist such changes because any additional security would impact the ease of use of RDP (and other access mechanisms).

So if RDP is so bad, why is it still seeing significant use with direct exposure to the internet?

  • poor security practices
  • inexperienced/unskilled/lazy administrators
  • bad firewall configurations
  • plain old ignorance

Until RDP is replaced or improved, the buck stops with administrators though. They can lessen their company’s exposure to attack by using Remote Desktop Gateway and enabling multi-factor authentication. While effective against credential harvesting, this still leaves RDP servers exposed to zero-day exploits or unpatched vulnerabilities such as BlueKeep.

VPNs should be used for secure remote access before RDP is available – this removes public exposure of RDP completely and significantly increases the complexity for attackers in using this service to distribute malware.

Administrators can further harden their machines against credential harvesting by not allowing domain administrators to log in via RDP; enabling RDP for only the people who need it; securing idle accounts; rate-limiting or capping the number of password retries each user is allowed; and strength testing users’ passwords.
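The honeypot numbers above and the hardening list just given (capping password retries, keeping domain administrators off RDP) both come down to the same telemetry: failed RDP logons per source address. The script below is an added example, not code from the original post. It reads Windows Security log records exported as JSON lines (the export format, field names, privileged-account list and sample records are all constructed assumptions), counts failed RemoteInteractive logons (Event ID 4625 with LogonType 10) per source in a sliding window, flags any source that crosses the threshold, records a later successful logon (Event ID 4624) from an already-flagged source, and lists every RDP attempt against a privileged account name.

```python
"""Detect RDP password-guessing bursts in exported Windows Security log records.

Added example, not from the original post. Assumes Security log events have
been exported as JSON lines with the fields shown in SAMPLE_EVENTS; the
records below are constructed, not real captures.
"""
import json
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample. Event ID 4625 = failed logon, 4624 = successful logon;
# LogonType 10 = RemoteInteractive (RDP). Times are UTC, ISO-8601.
SAMPLE_EVENTS = """
{"time":"2019-06-01T10:00:00Z","id":4625,"logon_type":10,"user":"Administrator","ip":"198.51.100.7"}
{"time":"2019-06-01T10:00:05Z","id":4625,"logon_type":10,"user":"Administrator","ip":"198.51.100.7"}
{"time":"2019-06-01T10:00:09Z","id":4625,"logon_type":10,"user":"Administrator","ip":"198.51.100.7"}
{"time":"2019-06-01T10:00:14Z","id":4625,"logon_type":10,"user":"Administrator","ip":"198.51.100.7"}
{"time":"2019-06-01T10:00:20Z","id":4625,"logon_type":10,"user":"Administrator","ip":"198.51.100.7"}
{"time":"2019-06-01T10:00:25Z","id":4625,"logon_type":10,"user":"backup","ip":"198.51.100.7"}
{"time":"2019-06-01T10:00:31Z","id":4624,"logon_type":10,"user":"backup","ip":"198.51.100.7"}
{"time":"2019-06-01T10:02:00Z","id":4625,"logon_type":10,"user":"alice","ip":"203.0.113.5"}
{"time":"2019-06-01T10:02:30Z","id":4624,"logon_type":10,"user":"alice","ip":"10.0.0.12"}
{"time":"2019-06-01T10:03:00Z","id":4625,"logon_type":3,"user":"Administrator","ip":"203.0.113.5"}
{"time":"2019-06-01T10:07:00Z","id":4625,"logon_type":10,"user":"alice","ip":"203.0.113.5"}
"""

# Hypothetical list of account names that should never be used over RDP.
PRIVILEGED = {"administrator", "da-backup"}

RDP_LOGON_TYPE = 10


def parse_events(text):
    """Parse JSON-lines records into dicts with a datetime 'time', oldest first."""
    events = []
    for line in text.strip().splitlines():
        rec = json.loads(line)
        rec["time"] = datetime.strptime(rec["time"], "%Y-%m-%dT%H:%M:%SZ")
        events.append(rec)
    events.sort(key=lambda r: r["time"])
    return events


def detect_bruteforce(events, threshold=5, window=timedelta(minutes=1)):
    """Sliding-window count of failed RDP logons per source address.

    Returns (flagged, success_after_burst):
      flagged: ip -> (time first flagged, failures in window at that moment)
      success_after_burst: [(ip, user, time)] for 4624 events from a flagged ip
    """
    recent = defaultdict(deque)   # ip -> timestamps of failures inside the window
    flagged = {}
    success_after_burst = []
    for ev in events:
        if ev["logon_type"] != RDP_LOGON_TYPE:
            continue                      # only RemoteInteractive logons matter here
        ip = ev["ip"]
        q = recent[ip]
        while q and ev["time"] - q[0] > window:
            q.popleft()                   # drop failures older than the window
        if ev["id"] == 4625:
            q.append(ev["time"])
            if len(q) >= threshold and ip not in flagged:
                flagged[ip] = (ev["time"], len(q))
        elif ev["id"] == 4624 and ip in flagged:
            # A success from a source that was just guessing is the event to act on.
            success_after_burst.append((ip, ev["user"], ev["time"]))
    return flagged, success_after_burst


def privileged_rdp_attempts(events):
    """RDP logon attempts (failed or successful) against privileged account names."""
    return [(ev["ip"], ev["user"], ev["id"]) for ev in events
            if ev["logon_type"] == RDP_LOGON_TYPE
            and ev["user"].lower() in PRIVILEGED]


if __name__ == "__main__":
    evs = parse_events(SAMPLE_EVENTS)
    flagged, successes = detect_bruteforce(evs)
    for ip, (when, count) in flagged.items():
        print(f"brute-force source {ip}: {count} failures by {when:%H:%M:%S}")
    for ip, user, when in successes:
        print(f"ALERT: successful RDP logon as {user} from flagged {ip} at {when:%H:%M:%S}")
    for ip, user, eid in privileged_rdp_attempts(evs):
        print(f"privileged account {user} used over RDP from {ip} (event {eid})")
```

On the constructed sample the script flags 198.51.100.7 after its fifth failure inside one minute, raises an alert for the subsequent success as `backup` from that address, and lists the five `Administrator` attempts; the two failures from 203.0.113.5 are five minutes apart and stay below the threshold, and the network (LogonType 3) attempt is ignored because it is not an RDP logon. The thresholds are deliberately loose so the logic is easy to follow; the same counts are what an account-lockout or rate-limiting policy enforces at the server.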

RDP should not be directly exposed to the Internet. At all. Simple. Don’t do it.

A little bit of ransomware with that Sauerkraut?

This past weekend’s shenanigans with WannaCry have been painful for many people. But the simple fact is that solutions for this specific issue (and many others) have been available for a long time.

The initial patch for the MS17-101 issue was released by Microsoft in March 2017. Didn’t update?

Many AV vendors have had virus definitions for WannaCry for some time already, and at the latest since Friday evening. Don’t have (updated) AV?

Have an office internet connection without a decent firewall?

Still running XP or Vista without extended support?

No 3-tier backups?

The only one to blame is yourself …

IT seems to be treated as an afterthought at many companies. Yet it is IT that helps facilitate your business and income.

Thom from OsNews says:

“Nobody bats an eye at the idea of taking maintenance costs into account when you plan on buying a car. Tyres, oil, cleaning, scheduled check-ups, malfunctions – they’re all accepted yearly expenses we all take into consideration when we visit the car dealer for either a new or a used car.

Computers are no different – they’re not perfect magic boxes that never need any maintenance. Like cars, they must be cared for, maintained, upgraded, and fixed. Sometimes, such expenses are low – an oil change, new windscreen wiper rubbers. Sometimes, they are pretty expensive, such as a full tyre change and wheel alignment. And yes, after a number of years, it will be time to replace that car with a different one because the yearly maintenance costs are too high.

Computers are no different.”

It’s time to put some effort into your IT – especially if you value your data and your business. It may be a difficult pill to swallow, but it’s a necessary one.

Office365 Ransomware attack

There is a massive ransomware attack targeting Office365 users at the moment. Originating on the 22nd of this month, the attack used phishing emails to distribute the Cerber ransomware, which encrypts users’ files and demands a ransom to decrypt the files.

Cerber was widely distributed after its originator apparently confirmed, using a private Office 365 mail account, that the virus could easily bypass the built-in Office 365 security tools.

Microsoft started blocking the ransomware just over 24 hours after the attack was first launched, but in the meantime, researchers estimate that approximately 57 percent of all organizations using Office 365 received at least one email delivering the malware.

Security Awareness Training remains one of the most effective tools organisations have against these types of attacks and is a highly recommended method of improving security.