Slashdot Mirror


'Lazy' Hackers Exploit Microsoft RDP To Install Ransomware (sophos.com)

An anonymous reader writes: An investigation by Sophos has uncovered a new, lazy but effective ransomware attack where hackers brute force passwords on computers with [Microsoft's] Remote Desktop Protocol enabled, use off-the-shelf privilege escalation exploits to make themselves admins, turn off security software and then manually run fusty old versions of ransomware.
They even delete the recovery files created by Windows Live backup -- and make sure they can also scramble the database. "Because they've used their sysadmin powers to rig the system to be as insecure as they can, they can often use older versions of ransomware, perhaps even variants that other crooks have given up on and that are now floating around the internet 'for free'."

Most of the attacks hit small-to-medium companies with 30 or fewer employees, since "with small scale comes a dependence on external IT suppliers or 'jack-of-all-trades' IT generalists trying to manage cybersecurity along with many other responsibilities. In one case a victim was attacked repeatedly, because of a weak password used by a third-party application that demanded 24-hour administrator access for its support staff."

72 comments

  1. Article is a little late by Anonymous Coward · · Score: 0

    We had to close all direct RDP ports over the last year because people were getting locked out due to brute force attacks. A few customers with lazy passwords actually were compromised. Holy shit did we run into a lot of angry users that wanted us to open their direct ports back up because the terminal server gateway icon was a little slower to set up and the connection takes a bit longer to establish. We even had one set go to obscure user names so they'd never be locked out.

    1. Re:Article is a little late by Anonymous Coward · · Score: 0

      This is on you. Learn your shit. There are a ton of things you can do to set things up right.

    2. Re:Article is a little late by TheRealMindChild · · Score: 2

      They shouldn't have been exposed to the internet in the first place. Have anyone who wants to connect to a machine on the lan/wan connect to the network via VPN first

      --

      "When life gives you lemons, don't make lemonade. Make life take the lemons back!" -- Cave Johnson
    3. Re:Article is a little late by Anonymous Coward · · Score: 0

      LOL @ ransomware.

      Only idiots who don't keep backups worry about that shit.

    4. Re:Article is a little late by Bert64 · · Score: 1

      Shows the flaws of account lockouts if they permit someone to launch such a trivial denial of service against your organisation.

      --
      http://spamdecoy.net - free throwaway anonymous email - avoid spam!
    5. Re:Article is a little late by s0nspark · · Score: 1

      They shouldn't have been exposed to the internet in the first place. Have anyone who wants to connect to a machine on the lan/wan connect to the network via VPN first

      You are assuming there IS a VPN, though, and in many smaller organizations that is not the case.

  2. "Jack-of-all-trades" by Anonymous Coward · · Score: 0

    This "jack-of-all-trades" puts to shame the "experts" that come in to consult us.

    "Ohh yeaahh.. we can just do a compensating control for that, no problem." - expert opinion

    1. Re: "Jack-of-all-trades" by Anonymous Coward · · Score: 0

      Ohh please. It's not as though I don't agree that there are plenty of money grubbing idiots out there willing to consult for quick cash, but people are generally best at what they do on a daily basis.

      So if you're in meetings, then setting up VMWare and iSCSI, then playing with Cisco Call Manager, then changing some ASA ports, then setting up a pair of Cisco 5696Qs in a VPC, then adding an Avocent UMG 6000 and adding IPMI to track power whip usage, then configuring databases to support solarwinds, and configuring solarwinds - then come Friday you might have missed the 0 day exploit that lets someone in your network.

      The point is that small organizations don't usually allow for specialization of duties, and that means less brains working on different aspects of IT.

      No one can do it all, it's similar to medicine - no doctor does all parts. It takes about 250 specialists to comprise all aspects of medicine, and that number is increasing daily.

    2. Re: "Jack-of-all-trades" by Anonymous Coward · · Score: 0

      The problem isn't specialization -- it's resources and time. Getting said resources comes from policy.

    3. Re: "Jack-of-all-trades" by geekmux · · Score: 1

      The point is that small organizations don't usually allow for specialization of duties, and that means less brains working on different aspects of IT.

      The additional expense of maintaining staff or services that mitigate the risk of your business getting ass-raped by malware is either worth it to a business owner, or it's not. Small organizations that choose the latter usually become victims. Fuck 'em if they can't learn from best practice.

      No one can do it all, it's similar to medicine - no doctor does all parts. It takes about 250 specialists to comprise all aspects of medicine, and that number is increasing daily.

      See? There are areas of business that value risk mitigation. 250 specialists exist because when someone in medicine tries to "do it all", it usually ends with a wrongful death lawsuit. Medicine was forced to learn the value of specialists, much like ignorant small business owners are doing today.

  3. In the ass by F.Ultra · · Score: 1

    [quote]In one case a victim was attacked repeatedly, because of a weak password used by a third-party application that demanded 24-hour administrator access for its support staff[/quote] Why do some companies put up with shit like this, and repeatedly?

    1. Re:In the ass by Anonymous Coward · · Score: 1

      Two obvious possibilities.

      1. The company's staff are idiots.
      2. Someone's getting a kickback.

      I've seen both, often.

    2. Re:In the ass by Bert64 · · Score: 2

      There needs to be accountability for third party vendors who insist on insecure configurations like this...
      The trouble is most of their customers don't have the knowledge in house to realise how insecure it is. I've encountered a few vendors who made ridiculous demands like this and their response has always been "but our other customers don't have a problem".

      They want 24/7 RDP or VNC access direct from the internet, won't use a vpn (which to be fair, having 100 clients each using a different vpn technology becomes very painful), use weak passwords and won't even supply a fixed source address that the connection would come from. And then the system they want access to won't be isolated from anything else, so it provides a trivial route into the network.

      --
      http://spamdecoy.net - free throwaway anonymous email - avoid spam!
    3. Re:In the ass by F.Ultra · · Score: 1

      But still, letting a 3rd party have full access to your servers/infrastructure must sound off some alarms at even "stupid company"?

      I often face the opposite problem, which is that if the customer would just open a temporary ssh or rdp session then I could quickly fix a problem that they themselves struggle for weeks on end to solve. That or IT departments that refuse to open ports in their FW because they made their decision back in 1975 on which protocols to allow. But then banks/finance is a conservative industry.

    4. Re:In the ass by slashrio · · Score: 1

      This isn't arstechnica.com where you indeed [quote]like this.[/quote]

      --
      "Trump!!", the new Godwin.
    5. Re:In the ass by F.Ultra · · Score: 1

      Yep, saw that, posted via the mobile at that time however and there is no preview there...

    6. Re:In the ass by slashrio · · Score: 1

      Oh, ic

      --
      "Trump!!", the new Godwin.
  4. "Lazy" hackers? by SCVonSteroids · · Score: 1

    You're either a hacker or you're not.

    What the article talks about isn't hacking. It's using what actual hackers have made/found to maliciously exploit software for their own purposes/enjoyment.
    I don't practice hacking, but I have a pretty deep respect for the actual hackers. Most of the time when the mainstream media uses the term, they're referring to script kiddies.

    It shouldn't have to be repeated on a site like this that hacking isn't necessarily malicious by definition.

    since "with small scale comes a dependence on external IT suppliers or 'jack-of-all-trades' IT generalists trying to manage cybersecurity along with many other responsibilities.

    Not just the small scale businesses have this issue as we tend to see time and time again in the news...

    --
    I tend to rant.
    1. Re:"Lazy" hackers? by Anonymous Coward · · Score: 0

      The hackers hacked their way in and then held files for ransom. You'll still be flogging this horse on your deathbed, give it up already.

    2. Re:"Lazy" hackers? by duke_cheetah2003 · · Score: 1

      Most of the time when the mainstream media uses the term, they're referring to script kiddies.

      Alas, we do not get to decide what terms stick and which ones do not. Like it or not, "Hackers" is a negative label, they are seen as criminals, end of story. "Script kiddies" never caught on in the mainstream; if you use that, 99% of people won't know what you're talking about.

      I believe the current euphemism for "good guy hackers" is "Security Analyst" or whatever other euphemism you wanna pick. They're not hackers anymore, those are the bad guys.

    3. Re:"Lazy" hackers? by Altrag · · Score: 1

      I'm pretty sure there is no real euphemism for "good guy hackers," at least in the mainstream. The hacking community itself of course has whatever labels ("white hat" vs "black hat" or you still occasionally see "hacker" vs "cracker" or whatever.) But the mainstream doesn't really care about a guy who's legitimately hired to do penetration testing and doesn't exploit the weaknesses he finds, so they don't really need a common term for the role.

  5. I used RDP ... by CaptainDork · · Score: 1

    ... and the firewall logs showed everybody and their uncle, from all over the world, trying to get in.

    What I did was go to the registry and change the standard port from 3389 to the last 4 digits of our front office telephone and block 3389 inbound/outbound at the firewall.

    Those with remote desktop privileges had to append the new port to the RDP request:

    173.234.22.16:9182

    That stopped that shit.

    --
    It little behooves the best of us to comment on the rest of us.
    1. Re:I used RDP ... by fph+il+quozientatore · · Score: 4, Funny

      Thanks, I have noted down that number now.

      --your friendly network neighbourhood hacker.

      --
      My first program:

      Hell Segmentation fault

    2. Re:I used RDP ... by Antique+Geekmeister · · Score: 2

      Switching the SSH port is helpful as well, if you expose port 22 at all to the outside world. So is blocking and forcing users to use specified, non-standard VNC ports: too many personnel at home use that to work their way around workplace password management. I've personally encountered too many IT personnel who slip past their own workplace access policies by slipping a VNC installation onto their most critical servers, so they can access it as needed or share on-site screens with offsite access.

      When in a rush, and with permission of the relevant manager, I've personally installed VNC surreptitiously on a worksite host to see exactly who was doing what to the server while I was offsite. It allowed me to see that someone was surreptitiously modifying the system during the maintenance window, and get someone onsite to go look and see who was logged in to the console. The resulting discussion with their employer was unpleasant, but necessary.

    3. Re:I used RDP ... by Anonymous Coward · · Score: 0

      Uncle here. I will do the needful.

    4. Re:I used RDP ... by freeze128 · · Score: 2

      Don't make me quote Admiral Ackbar to you...

    5. Re:I used RDP ... by CaptainDork · · Score: 1

      Thanks, I have noted down that you are gullible.

      --your friendly network neighbourhood administrator.

      --
      It little behooves the best of us to comment on the rest of us.
    6. Re:I used RDP ... by Anonymous Coward · · Score: 0

      My experience with moving services to non-standard ports is that botnets scan slow and randomly nowadays and it only takes one hit to send a lot more drones after that service. There are still fewer attempts than when the service is on a standard port, but the remaining attacks appear more targeted and competent. Not much is gained, unless you run services with basic configuration problems that allow incompetent attackers a way in. The people who know what they're doing will find the non-standard port and keep it in their databases. The subsequent attacks come from all over the world.

    7. Re:I used RDP ... by duke_cheetah2003 · · Score: 1

      What I did was go to the registry and change the standard port from 3389 to the last 4 digits of our front office telephone and block 3389 inbound/outbound at the firewall.

      This is a good idea. I personally never leave any sort of potentially hazardous service on a 'known' port. Never the default. Yeah, it's security via obscurity, but a little of that never hurts anything. Just be aware, a determined attacker can scan your ports and find where you moved it to. But it does defeat most of your run-of-the-mill cookie cutter hacking.

      Moving services to non-default ports is a great way to fly under the radar of most simple attack vectors. But still, firewalls, isolation of outside connected computers, and other good security practices should still be in place. VPNs are also a very strong method of protecting 'hazardous' services, by making them inaccessible without using the VPN connection... just another layer that has to be broken into to get anywhere.

    8. Re:I used RDP ... by 140Mandak262Jamuna · · Score: 1

      Those with remote desktop privileges had to append the new port to the RDP request:

      173.234.22.16:9182

      That stopped that shit.

      Very clever, if that IP address points to your competitor or NSA.

      Very dumb if it is really pointing to your own server.

      --
      sed -e 's/Chuck Norris/Rajnikant/g' joke > fact
    9. Re:I used RDP ... by CaptainDork · · Score: 1

      Your points are well taken.

      The RDP attacks, however, were simple (back then) and scripted.

      It's sorta like having burglar bars.

      Crooks will pass those up and look for easier targets.

      --
      It little behooves the best of us to comment on the rest of us.
    10. Re:I used RDP ... by CaptainDork · · Score: 1

      Why would it be clever if it pointed somewhere else?

      That does not get me in.

      And, foreign (and even domestic) intruders don't bother looking for misdirected ports.

      There are enough easy targets on 3389.

      --
      It little behooves the best of us to comment on the rest of us.
    11. Re:I used RDP ... by urbanriot · · Score: 1

      foreign (and even domestic) intruders don't bother looking for misdirected ports.

      This is horribly incorrect and I hope you're not responsible for putting production servers behind a 'misdirected port' as there are plenty of port scanners that will identify RDP, SSH, etc., on non-standard ports and will attempt to bruteforce them with common name dictionary attacks for the username and whatever it is they're doing with passwords.

      I have an RDP honeypot setup on one of my home IPs so I can observe the behaviours of trojans, hackers, etc., and with my RDP hosted on a port higher than 10,000, I have a scrolling log of people attempting to get in. Within the past hour I have an IP from Russia in the 80.255.80.0/21 subnet, another IP in a smaller Islamabad educational subnet, and someone in a /24 Sweden network. There's plenty more but that's all I felt like looking up with an APNIC, LACNIC, and RIPE.

      I don't disagree that changing the port will decrease the frequency by which you'll be polled considering that most of the trojans are specifically focused on port 3389. Furthermore, changing the port does nothing when a person is compromised by malware that pulls the information from HKEY_CURRENT_USER\Software\Microsoft\Terminal Server Client\Default, of which there are plenty of infections that propagate via this method.

      Opening up RDP on any port for any business server is grossly incompetent unless you have 2FA, and even then I'd rather have it behind a VPN.

    12. Re:I used RDP ... by Anonymous Coward · · Score: 0

      Eh, I just set my firewall to drop all packets that are not from addresses I would come from. China, nope; Russia, nope; Australia, nope; Comcast, nope; Sprint, maybe. Short of some sort of exploit in the firewall or a pro job from an individual or zombie proxy on the network, I'll be relatively fine and my SSH logs are a lot cleaner.

    13. Re:I used RDP ... by Bert64 · · Score: 1

      Switching SSH to require keys and to reject password auth helps a lot...Although some very stupid brute force scripts will keep trying and cause unnecessary load... Some scripts are even aggressive enough to dos the ssh service.

      --
      http://spamdecoy.net - free throwaway anonymous email - avoid spam!
    14. Re:I used RDP ... by Antique+Geekmeister · · Score: 1

      That can be a useful step. There are tradeoffs. I've had difficulty discouraging SSH users from storing passphrase keys locally, and on remote gateway hosts they wish to SSH _from_ in the field without bothering with ssh-agent.

    15. Re:I used RDP ... by Anonymous Coward · · Score: 0

      It was no problem for me to remember that number; it was the combination on my luggage!

    16. Re:I used RDP ... by Bert64 · · Score: 1

      I don't use ssh-agent, rather i use the ssh config to specify using another instance of "ssh -w" as a proxy in order to connect to specific hosts, that way the intermediary host is basically just used as a proxy and your local device still authenticates to the far host even if there are one or more intermediary hosts in the way.

      --
      http://spamdecoy.net - free throwaway anonymous email - avoid spam!
  6. So... by DontBeAMoran · · Score: 1

    Is that RDP thing on by default on Windows 10?

    --
    #DeleteFacebook
    1. Re:So... by Antique+Geekmeister · · Score: 3, Interesting

      No, it's not. But it's _very_ common to activate it for personnel who use their more powerful desktop systems for telecommunication. It's also very standard to enable for Windows hosts in a machine room, unless you've the time and resources to set up a remote KVM or the hardware based remote consoles such as DRAC. Those hosts are often surprisingly vulnerable. The various security improvements of a server environment can be overwhelmed by the unwillingness to update, and reboot, production servers. It's also often overwhelmed by the need to support older software. I _still_ see critical XP systems in unprotected internal networks, used for legacy software or proprietary software for which an upgrade is very expensive.

    2. Re:So... by Anonymous Coward · · Score: 0

      The even more insecure "remote support" crap is activated by default.

  7. 3 ways to crack by gurps_npc · · Score: 4, Interesting

    Correct me if I am wrong, but there are three basic ways to crack a password.

    1) Brute force - the answer to this is long passwords and to have each password attempt take twice as long as the last. I.e. the second attempt after a failure waits 5 seconds. The third attempt takes 10 seconds, the fourth takes 20 seconds, etc. For password length you can use an md5 hash of a selected read-only file. If the system is set up right it will take fewer mouse clicks to do than the 8 keyboard clicks currently used.

    2) Social Engineering - the answer to this is a two factor token system, preferably a key fob rather than just using the phone which is easily lost, stolen, or compromised. Can easily be combined with the increasing time method above.

    3) Password lists (either stolen or public). Outright forbid the 10,000 most common passwords and tell people that if they reuse the same password, they can be fired from their job and can not sue. Don't blame the company when the user is stupid.

    Note that it is NOT a requirement to change the passwords often, as long as you obey the three requirements above, changing the password can be done once a year without affecting safety.

    --
    excitingthingstodo.blogspot.com
    1. Re:3 ways to crack by duke_cheetah2003 · · Score: 1

      Correct me if I am wrong, but there are three basic ways to crack a password.

      You missed the most often used method: Find a broken service to exploit for code execution on the target. No passwords needed, system hacked.

    2. Re:3 ways to crack by Anonymous Coward · · Score: 0

      You missed the most often used method: Find a broken service to exploit for code execution on the target. No passwords needed, system hacked.

      When in the context of the subject being discussed? No he didn't. Yes, exploits were used for privilege escalation, but it wasn't for the initial intrusion into the system. I'd be interested to see how the latest protocol at the time of RDP stacks up to OpenSSH in terms of exploits (not even exploited, just patched before publicly known).

    3. Re:3 ways to crack by vux984 · · Score: 1

      "2) Social Engineering - the answer to this is a two factor token system, preferably a key fob rather than just using the phone which is easily lost, stolen, or compromised. Can easily be combined with the increasing time method above."

      According to my password safe I have over 100 passwords. Are you really advocating I cart around a wheelbarrow full of key fobs as the solution?

      Never going to happen. NEVER.

      And the worst part is that a fob doesn't even stop social engineering attacks.

      "Hi Alice, I'm Bob from IT, we're just troubleshooting your login. Ok, I need your password, and ok, the 2 factor password as well. Perfect, that appears to be working. Have a great day."

      or a phishing attack... that likewise grabs both.

      The only thing the use of the fob does is that I have to log in in real-time to get into your account. And then once in I use some exploit to escalate, I set up my backdoor, or do my evil thing, or whatever. But I have to do it in real-time, since I won't be able to get in later with the original credentials. However, if I know you are using a fob, I design the attack for that.

      So fobs do add some security but they don't "solve" the problem.

      Biometrics can in theory solve the problem (becoming your 'username') alongside a password, but the devil is in the implementation, and biometrics suffer from other problems too.

    4. Re:3 ways to crack by Anonymous Coward · · Score: 0

      What are you protecting ?

      Because those methods only work for your own homegrown systems.

    5. Re:3 ways to crack by Anonymous Coward · · Score: 0

      I don't like the idea of banning certain passwords. If you ban the 10k most common passwords, they'll cease being the most common ones, and a new 10k will take their place. Any rules at all just reduce the problem space.
      I'd rather see a scheme where the password duration was linked to its rated security. If you use 7 alpha-only characters it lasts a week, 8 alpha & numeric you get a month, etc.

      I'd rather have people encouraged to use a good password, and get to keep it, than have people choose bad ones that barely fit the conditions (with an incrementing number tacked on).

    6. Re:3 ways to crack by Bert64 · · Score: 1

      Over a network biometrics have to be converted to digital data, basically a key or a hash which can be attacked in the normal ways.

      Also once compromised, biometrics remain compromised forever...

      --
      http://spamdecoy.net - free throwaway anonymous email - avoid spam!
    7. Re:3 ways to crack by houghi · · Score: 2

      Number 3. Where I live you sure can tell people they can't sue, but that does not mean they can't sue. They could even sue you for telling them they can't sue.
      Some places have rights that can not be taken away by a contract.
      IT needs to realize that people are part of the security issue. Blaming them does not make anything safer.

      I have so many logins and passwords that it would be unreasonable to have them all different. So I have 6:
      1. Most secure for my email as confirmations are sent there
      2. Most secure for my home logins as my email gets there
      3. Very secure for my banks and credit companies
      4. Normal secure for companies I buy stuff
      5. Low security for all the rest
      6. security that depends on the company I work at

      Next to that I have my own domain with unlimited aliases, so for 1 to 4, I use emails in the form of slashdot.org@example.com or bigbank.co.uk@example.net
      That way I know:
      1) If they sell my address or worse, got hacked
      2) If they are the ones that send me mail.
      Easy to filter and I won't fall for a sometimes very good fake email.

      "Use a password manager" might be great for many, but not for me who often works on machines that are secure enough, but not my own.

      --
      Don't fight for your country, if your country does not fight for you.
    8. Re:3 ways to crack by vux984 · · Score: 1

      Over a network biometrics have to be converted to digital data, basically a key or a hash which can be attacked in the normal ways.

      Yes. That's why I wrote there were implementation and other problems.

      Also once compromised, biometrics remain compromised forever...

      That's only a problem if you use it as a 'secret password'. It's more like your username. And its value is not that it is a secret but that it is (ideally) difficult to forge.

  8. Laziness by Anonymous Coward · · Score: 0

    Laziness is expending insufficient effort to get substandard results.
    If you're expending little effort but still getting results, you're efficient.

  9. Account lockout by Anonymous Coward · · Score: 0

    DO NOT enable account lockout. It's a DOS waiting to happen.

    1. Re: Account lockout by Anonymous Coward · · Score: 0

      Better lockout than hosed down.

    2. Re: Account lockout by Anonymous Coward · · Score: 0

      Not really, the result is the same.

  10. Realsies by JBMcB · · Score: 2

    You're assuming it's not a honeypot?

    --
    My Other Computer Is A Data General Nova III.
  11. V......P.....N by Halster · · Score: 3, Interesting

    Oh for crying out loud people. Don't open RDP ports direct to the internet!

    If the average Joe can use a VPN to pirate movies I should think YOU could use it to secure your damn network!

    L8r.

    --

    "How much truth can advertising buy?" - iNsuRge - AK47
    1. Re:V......P.....N by F.Ultra · · Score: 1

      How else are they going to get help to close those problems that the nice "Hello I'm calling from Windows" people with Indian accents detected?

    2. Re:V......P.....N by nnull · · Score: 2

      I was wondering when someone was going to mention a VPN. What is so difficult in setting one up? People opening up their firewalls out in the open is asking for trouble. Granted, you get people trying to brute force your VPN just the same, but at least I can contain it (Auto Ban) and I know what it is.

    3. Re:V......P.....N by Altrag · · Score: 2

      Setting up a VPN host is a lot more challenging than setting up a VPN client, unfortunately. I mean it probably doesn't have to be, but currently it is.

      Part of the problem is Microsoft. There's a lot of VPN routers out there that have fairly easy VPN setups.. for IPSec-style VPNs only. And Windows doesn't easily support those out of the box. So you can setup PPTP (or L2TP or similar) client in Windows pretty easily, and you can setup IPSec in routers pretty easily. Neither really play well with the other though making for a pretty large disconnect in usability.

      Of course there's always third party software to do all of that, but the ones I've run into have all been horrible in their own way as well. The only people who seem to want to make a user-friendly VPN system are the VPN service providers, but their clients are typically hardcoded specifically for their own services (and there's almost never a matching host-side package available anyway.)

  12. VPN suggestions seem... no better? by nyquil+superstar · · Score: 1

    I see a bunch of comments suggesting that it's dumb to expose RDP to the internet, and if you had just used a VPN... But this isn't an RDP (which is encrypted) exploit... this is brute forcing the password. If you can brute force the RDP account, then why couldn't you brute force the VPN credentials?

    1. Re:VPN suggestions seem... no better? by nnull · · Score: 1

      Nothing really stopping you from brute forcing a VPN and it does happen. However, you have less exploitable methods of getting into the system than opening random ports on your firewall for SSH or RDP. Then of course, anyone that allows their VPN to be brute forced is pretty stupid.

    2. Re: VPN suggestions seem... no better? by Brockmire · · Score: 1

      Brute force a certificate? This is a job for IPBan.

    3. Re: VPN suggestions seem... no better? by nyquil+superstar · · Score: 1

      Yeah, certificates seem like the best approach. If only they didn't suck so much to manage.

    4. Re:VPN suggestions seem... no better? by Bert64 · · Score: 1

      You'd set up a VPN to use certs instead of passwords, which are much more difficult to brute force...
      Even if you successfully got access to the VPN, you'd then only have access to the RDP port which means you now have a second target to attack, so it adds an extra line of defence. And hopefully a competent sysadmin would notice VPN logins from unexpected locations.

      --
      http://spamdecoy.net - free throwaway anonymous email - avoid spam!
  13. Crappy Account Lockout Policies != RDP Exploit by Anonymous Coward · · Score: 0

    You mean not having halfway-decent account lockout policies means that brute-forcing can succeed? I'm shocked!

    I bet the Equifax music major CISO had a better grasp of cybersec than this article author.

    1. Re:Crappy Account Lockout Policies != RDP Exploit by Bert64 · · Score: 1

      And if you have *ACCOUNT* lockout policies then you get a dos attack instead...

      And brute force attacks can still succeed because you just try lots of usernames with a small number of the most common passwords.

      Account lockouts are stupid, you want to block the source of the attack (as well as using stronger authentication than passwords on any externally facing system).

      --
      http://spamdecoy.net - free throwaway anonymous email - avoid spam!
  14. TFA is garbage by Archon · · Score: 1

    The only way an RDP session is being successfully initiated from outside your WLAN is if there's port forwarding set up on your router or you have a static IP direct to your computer. In nearly every other case, you're behind a NAT, which would allow you to initiate an RDP connection but not receive one. On the router or firewall, remove any forwards and/or disable any sort of DMZ, and you're OK.

    "Sophos security experts" aren't cited as saying anything about this, because of course, the recommended method of mediation is purchase and installation of their Sophos XG Firewall product. If whoever is responsible for your company doesn't already know this and can explain it to you, hire someone who does.

    1. Re:TFA is garbage by Anonymous Coward · · Score: 0

      Unless of course you HAVE NOT disabled Plug and Pray which opens port forwards automatically. The default configuration is to enable Plug and Pray on all hosts and network (especially crap consumer) devices.

  15. Finally, Something Good About Windows Home by Anonymous Coward · · Score: 0

    Just looked for Remote Desktop. In Windows 10 Home, it says it's unsupported and I should upgrade my copy of Windows if I want to allow or use it.

    That's not to say that it couldn't be running anyway for MS to use ... need to crawl through the services.

    Win10 Pro has it - so needs to be checked for whether it's active.

  16. RdpGuard by DigiShaman · · Score: 1

    RDP Guard - It's expensive for what it does, but it does work. Essentially, it's just an anti-hammering app that tar-pits or blocks a public IP as a source from too many invalid logins. Those IPs are blocked at the Windows Firewall. Honestly, this functionality should have been, and in fact could be, implemented in the Windows Server OS if MS so chose. It's trivial.

    https://rdpguard.com/

    --
    Life is not for the lazy.
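
The source-based throttling that gurps_npc's doubling delay (post 7), Bert64's "block the source of the attack" (post 13) and the RdpGuard-style anti-hammering above describe, as an added example that is not part of the original thread and is not RdpGuard's or Windows' own code: it walks a constructed failed-logon log, computes the 5 s / 10 s / 20 s backoff per source address, blocks a source after five failures, and shows why a per-account lockout would have seen only one failure per username. The log format, the thresholds and every function name here are assumptions made for the example.

```python
"""Per-source failed-logon throttling for an RDP host (illustrative example).

Two ideas from the thread combined: each retry after a failure must wait twice
as long as the last (5 s, 10 s, 20 s, ...), and the attacking source address is
blocked instead of the targeted account being locked out.  Log format, threshold
values and names are assumptions, not RdpGuard's or Windows' own.
"""
from collections import defaultdict
from dataclasses import dataclass, field
from datetime import datetime
import re

BASE_DELAY = 5    # seconds the 2nd attempt must wait after one failure; doubles per failure
BLOCK_AFTER = 5   # failures from one source inside WINDOW before that source is blocked
WINDOW = 600      # seconds; older failures are forgotten

# Constructed sample lines in the shape of a simplified Windows Security log
# export (4625 = failed logon, 4624 = successful logon, logon_type 10 = RDP).
# Addresses are RFC 5737 documentation ranges, not real hosts.
SAMPLE_LOG = """\
2018-07-18T09:00:01 4625 user=administrator src=203.0.113.7 logon_type=10
2018-07-18T09:00:03 4625 user=admin src=203.0.113.7 logon_type=10
2018-07-18T09:00:04 4625 user=user src=203.0.113.7 logon_type=10
2018-07-18T09:00:06 4625 user=test src=203.0.113.7 logon_type=10
2018-07-18T09:00:07 4625 user=backup src=203.0.113.7 logon_type=10
2018-07-18T09:00:30 4625 user=alice src=198.51.100.20 logon_type=10
2018-07-18T09:01:10 4624 user=alice src=198.51.100.20 logon_type=10
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<event>\d{4}) user=(?P<user>\S+) src=(?P<src>\S+) "
    r"logon_type=(?P<lt>\d+)$"
)


def parse_log(text):
    """Turn the sample format into event dicts; malformed lines are skipped."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        events.append({
            "ts": datetime.fromisoformat(m["ts"]),
            "failed": m["event"] == "4625",
            "user": m["user"].lower(),
            "src": m["src"],
            "rdp": m["lt"] == "10",
        })
    return events


@dataclass
class SourceState:
    failures: list = field(default_factory=list)  # timestamps of recent failures
    blocked: bool = False


class LogonThrottle:
    def __init__(self):
        self.sources = defaultdict(SourceState)
        self.account_failures = defaultdict(int)  # what an account-lockout policy would count
        self.rejected_early = []                  # (src, ts) attempts that beat their backoff
        self.last_seen = None                     # timestamp of the last event processed

    def _prune(self, st, now):
        st.failures = [t for t in st.failures if (now - t).total_seconds() <= WINDOW]

    def required_delay(self, src, now):
        """Seconds the next attempt from src must wait: 0, 5, 10, 20, ... by failure count."""
        st = self.sources[src]
        self._prune(st, now)
        n = len(st.failures)
        return 0 if n == 0 else BASE_DELAY * 2 ** (n - 1)

    def observe(self, ev):
        if not ev["rdp"]:
            return
        st, now = self.sources[ev["src"]], ev["ts"]
        self.last_seen = now
        if ev["failed"]:
            self.account_failures[ev["user"]] += 1
            # An attempt arriving sooner than the backoff allows is only recorded here;
            # a real enforcement point would delay or drop it instead of answering.
            if st.failures and (now - st.failures[-1]).total_seconds() < self.required_delay(ev["src"], now):
                self.rejected_early.append((ev["src"], now))
            st.failures.append(now)
            if len(st.failures) >= BLOCK_AFTER:
                st.blocked = True          # hand this address to the firewall
        elif not st.blocked:
            st.failures.clear()            # a successful logon resets an unblocked source

    def blocked_sources(self):
        return sorted(src for src, st in self.sources.items() if st.blocked)


def analyze(text):
    """Replay a log and return the throttle state; the caller reads the block list."""
    throttle = LogonThrottle()
    for ev in parse_log(text):
        throttle.observe(ev)
    return throttle


if __name__ == "__main__":
    t = analyze(SAMPLE_LOG)
    print("block at firewall:", t.blocked_sources())
    print("max failures on any one account:", max(t.account_failures.values()))
```

With the sample log, the spraying source ends up blocked while no single account ever exceeds one failure, which is the case Bert64 describes where an account-lockout policy would never fire.
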
    1. Re:RdpGuard by nyquil+superstar · · Score: 1

      Nice find, thanks for sharing this.