'Lazy' Hackers Exploit Microsoft RDP To Install Ransomware (sophos.com)

← Back to Stories (view on slashdot.org)

'Lazy' Hackers Exploit Microsoft RDP To Install Ransomware (sophos.com)

Posted by EditorDavid on Sunday November 19, 2017 @04:10AM from the tele-presents dept.

An anonymous reader writes: An investigation by Sophos has uncovered a new, lazy but effective ransomware attack where hackers brute force passwords on computers with [Microsoft's] Remote Desktop Protocol enabled, use off-the-shelf privilege escalation exploits to make themselves admins, turn off security software and then manually run fusty old versions of ransomware.
They even delete the recovery files created by Windows Live backup -- and make sure they can also scramble the database. "Because they've used their sysadmin powers to rig the system to be as insecure as they can, they can often use older versions of ransomware, perhaps even variants that other crooks have given up on and that are now floating around the internet 'for free'."

Most of the attacks hit small-to-medium companies with 30 or fewer employees, since "with small scale comes a dependence on external IT suppliers or 'jack-of-all-trades' IT generalists trying to manage cybersecurity along with many other responsibilities. In one case a victim was attacked repeatedly, because of a weak password used by a third-party application that demanded 24-hour administrator access for its support staff."

49 of 72 comments (clear)

Min score:

Reason:

Sort:

In the ass by F.Ultra · 2017-11-19 04:36 · Score: 1

[quote]In one case a victim was attacked repeatedly, because of a weak password used by a third-party application that demanded 24-hour administrator access for its support staff[/quote] Why does some companies put up with shit like this and repeatedly?
1. Re:In the ass by Anonymous Coward · 2017-11-19 05:14 · Score: 1
  Two obvious possibilities.
  
  The company's staff are idiots.
  Someone's getting a kickback.
  I've seen both, often.
2. Re:In the ass by Bert64 · 2017-11-19 20:12 · Score: 2
  
  There needs to be accountability for third party vendors who insist on insecure configurations like this...
  The trouble is most of their customers don't have the knowledge in house to realise how insecure it is. I've encountered a few vendors who made ridiculous demands like this and their response has always been "but our other customers dont have a problem".
  They want 24/7 RDP or VNC access direct from the internet, won't use a vpn (which to be fair, having 100 clients each using a different vpn technology becomes very painful), use weak passwords and won't even supply a fixed source address that the connection would come from. And then the system they want access to won't be isolated from anything else, so it provides a trivial route into the network.
  
  --
  http://spamdecoy.net - free throwaway anonymous email - avoid spam!
3. Re:In the ass by F.Ultra · 2017-11-19 22:58 · Score: 1
  
  But still, letting 3d party full access to your servers/infrastructure must sound off some alarms at even "stupid company"?
  I often face the opposite problem, which is that if the customer would just open a temporary ssh or rdp session then I could quickly fix a problem that they themselves struggle for weeks on end to solve. That or IT departments that refuse to open ports in their FW because they made their decision back in 1975 on which protocols to allow. But then banks/finance is a conservative industry.
4. Re:In the ass by slashrio · 2017-11-19 23:23 · Score: 1
  
  This isn't arstechnica.com where you indeed [quote]like this.[/quote]
  
  --
  "Trump!!", the new Godwin.
5. Re:In the ass by F.Ultra · 2017-11-20 06:15 · Score: 1
  
  Yep, saw that, posted via the mobile at that time however and there is no preview there...
6. Re:In the ass by slashrio · 2017-11-21 00:06 · Score: 1
  
  Oh, ic
  
  --
  "Trump!!", the new Godwin.
"Lazy" hackers? by SCVonSteroids · 2017-11-19 04:38 · Score: 1

You're either a hacker or you're not.
What the article talks about isn't hacking. It's using what actual hackers have made/found to maliciously exploit software for their own purposes/enjoyment.
I don't practice hacking, but I have a pretty deep respect for the actual hackers. Most of the time the when the mainstream media uses the term, they're referring to script kiddies.
It shouldn't have to be repeated on a site like this that hacking isn't necessarily malicious by definition.

since "with small scale comes a dependence on external IT suppliers or 'jack-of-all-trades' IT generalists trying to manage cybersecurity along with many other responsibilities.
Not just the small scale businesses have this issue as we tend to see time and time again in the news...

--
I tend to rant.
1. Re:"Lazy" hackers? by duke_cheetah2003 · 2017-11-19 07:16 · Score: 1
  
  Most of the time the when the mainstream media uses the term, they're referring to script kiddies.
  Alas, we do not get to decide what terms stick and which ones do not. Like it or not, "Hackers" is a negative label, they are seen as criminals, end of story. "Script kiddies" never caught on the mainstream, if you use that, 99% of people won't know what you're talking about.
  I believe the current euphemism for "good guy hackers" is "Security Analyst" or whatever other euphemism you wanna pick. They're not hackers anymore, those are the bad guys.
2. Re:"Lazy" hackers? by Altrag · 2017-11-19 13:48 · Score: 1
  
  I'm pretty sure there is no real euphemism for "good guy hackers," at least in the mainstream. The hacking community itself of course has whatever labels ("white hat" vs "black hat" or you still occasionally see "hacker" vs "cracker" or whatever.) But the mainstream doesn't really care about a guy who's legitimately hired to do penetration testing and doesn't exploit the weaknesses he finds, so they don't really need a common term for the role.
I used RDP ... by CaptainDork · 2017-11-19 04:41 · Score: 1

... and the firewall logs showed everybody and their uncle, from all over the world, trying to get in.
What I did was go to the registry and change the standard port from 3389 to the last 4 digits of our front office telephone and block 3389 inbound/outbound at the firewall.
Those with remote desktop privileges had to append the new port to the RDP request:
173.234.22.16:9182
That stopped that shit.

--
It little behooves the best of us to comment on the rest of us.
1. Re:I used RDP ... by fph+il+quozientatore · 2017-11-19 04:52 · Score: 4, Funny
  
  Thanks, I have noted down that number now.
  --your friendly network neighbourhood hacker.
  
  --
  My first program:
  Hell Segmentation fault
2. Re:I used RDP ... by Antique+Geekmeister · 2017-11-19 04:57 · Score: 2
  
  Switching the SSH port is helpful as well, if you expose port 22 at all to the outside world. So is blocking and forcing users to use specified, non-standard VNC ports: too many personnel at home use that to work their way around workplace password management. I've personally encountered too many IT personnel who slip past their own workplace access policies by slipping a VNC installation onto their most critical servers, so they can access it as needed or share on-site screens with offsite access.
  When in a rush, and with permission of the relevant manager, I've personally installed VNC surreptitiously on a worksite host to see exactly who was doing what to the server while I was offsite. It allowed me to see that someone was surreptitiously modifying the system during the maintenance window, and get someone onsite to go look and see who was logged in to the console. The resulting discussion with their employer was unpleasant, but necessary.
3. Re:I used RDP ... by freeze128 · 2017-11-19 05:35 · Score: 2
  
  Don't make me quote Admiral Ackbar to you...
4. Re:I used RDP ... by CaptainDork · 2017-11-19 05:37 · Score: 1
  
  Thanks, I have noted down that you are gullible.
  --your friendly network neighbourhood administrator.
  
  --
  It little behooves the best of us to comment on the rest of us.
5. Re:I used RDP ... by duke_cheetah2003 · 2017-11-19 07:24 · Score: 1
  
  What I did was go to the registry and change the standard port from 3389 to the last 4 digits of our front office telephone and block 3389 inbound/outbound at the firewall.
  This is a good idea. I personally never leave any sort of potentially hazardous service on a 'known' port. Never the default. Yeah, it's security via obscurity, but a little of that never hurts anything. Just be aware, a determined attacker can scan your ports and find where you moved it to. But it does defeat most of your run-of-the-mill cookie cutter hacking.
  Moving services to non-default ports is a great way to fly under the radar of most simple attack vectors. But still, firewalls, isolation of outside connected computers, and other good security practices should still be in place. VPN's are also a very strong method of protecting 'hazardous' services, by making them inaccessable without using the VPN connection.. just another layer that has to be broken into to get anywhere.
6. Re:I used RDP ... by 140Mandak262Jamuna · 2017-11-19 08:44 · Score: 1
  
  Those with remote desktop privileges had to append the new port to the RDP request:
  173.234.22.16:9182
  That stopped that shit.
  Very clever, if that IP address points to your competitor or NSA.
  Very dumb if it is really pointing to your own server.
  
  --
  sed -e 's/Chuck Norris/Rajnikant/g' joke > fact
7. Re:I used RDP ... by CaptainDork · 2017-11-19 11:47 · Score: 1
  
  Your points are well taken.
  The RDP attacks, however, were simple (back then) and scripted.
  It's sorta like having burglar bars.
  Crooks will pass those up and look for easier targets.
  
  --
  It little behooves the best of us to comment on the rest of us.
8. Re:I used RDP ... by CaptainDork · 2017-11-19 11:49 · Score: 1
  
  Why would it be clever if it pointed somewhere else?
  That does not get me in.
  And, foreign (and even domestic) intruders don't bother looking for misdirected ports.
  There are enough easy targets on 3389.
  
  --
  It little behooves the best of us to comment on the rest of us.
9. Re:I used RDP ... by urbanriot · 2017-11-19 12:46 · Score: 1
  
  foreign (and even domestic) intruders don't bother looking for misdirected ports.
  This is horribly incorrect and I hope you're not responsible for putting production servers behind a 'misdirected port' as there are plenty of port scanners that will identify RDP, SSH, etc., on non-standard ports and will attempt to bruteforce them with common name dictionary attacks for the username and whatever it is they're doing with passwords.
  
  I have an RDP honeypot setup on one of my home IPs so I can observe the behaviours of trojans, hackers, etc., and with my RDP hosted on a port higher than 10,000, I have a scrolling log of people attempting to get in. Within the past hour I have an IP from Russia in the 80.255.80.0/21 subnet, another IP in a smaller Islamabad educational subnet, and someone in a /24 Sweden network. There's plenty more but that's all I felt like looking up with an APNIC, LACNIC, and RIPE.
  
  I don't disagree that changing the port will decrease the frequency by which you'll be polled considering that most of the trojans are specifically focused on port 3389. Furthermore, changing the port does nothing when a person is compromised by malware that pulls the information from HKEY_CURRENT_USER\Software\Microsoft\Terminal Server Client\Default, of which there are plenty of infections that propagate via this method.
  
  Opening up RDP on any port for any business server is grossly incompetent unless you have 2FA, and even then I'd rather have it behind a VPN.
10. Re:I used RDP ... by Bert64 · 2017-11-19 20:23 · Score: 1
  
  Switching SSH to require keys and to reject password auth helps a lot...Although some very stupid brute force scripts will keep trying and cause unnecessary load... Some scripts are even aggressive enough to dos the ssh service.
  
  --
  http://spamdecoy.net - free throwaway anonymous email - avoid spam!
11. Re:I used RDP ... by Antique+Geekmeister · 2017-11-20 00:08 · Score: 1
  
  That can be a useful step. There are tradeoffs. I've had difficulty discouraging SSH users from storing passphrase keys locally, and on remote gateway hosts they wish to SSH _from_ in the field without bothering with ssh-agent.
12. Re:I used RDP ... by Bert64 · 2017-11-21 05:59 · Score: 1
  
  I don't use ssh-agent, rather i use the ssh config to specify using another instance of "ssh -w" as a proxy in order to connect to specific hosts, that way the intermediary host is basically just used as a proxy and your local device still authenticates to the far host even if there are one or more intermediary hosts in the way.
  
  --
  http://spamdecoy.net - free throwaway anonymous email - avoid spam!
So... by DontBeAMoran · 2017-11-19 04:44 · Score: 1

Is that RDP thing on by default on Windows 10?

--
#DeleteFacebook
1. Re:So... by Antique+Geekmeister · 2017-11-19 05:03 · Score: 3, Interesting
  
  No, it's not. But it's _very_ common to activate it foe personnel who use their more powerful desktop systems for telecommunication. It's also very standard to enable for Windows hosts in a machine room, unless you've the time and resources to set up a remote KVM or the hardware based remote consoles such as DRAC. Those hosts are often surprisingly vulnerable. The various security improvements of a server environment can be overwhelmed by the unwillingness to update, and reboot, production servers. It's also often overwhelmed by the need to support older software. I _still_ see critical XP systems in unprotected internal networks, used for legacy software or proprietary software for which an upgrade is very expensive.
3 ways to crack by gurps_npc · 2017-11-19 05:02 · Score: 4, Interesting

Correct me if I am wrong, but there are three basic ways to crack a password.
1) Brute force - the answer to this is long passwords and to have each password attempt take twice as long as the last. I.E. The second attempt after a failure waits 5 seconds. The third attempt takes 10 seconds, the fourth takes 20 seconds, etc. For password length you can use an md5 hash of a selected read -only file. If the system is set up right it will take less mouse clicks to do than the 8 keyboard clicks currently used
2) Social Engineering - the answer to this is a two factor token system, preferably a key fob rather than just using the phone which is easily lost, stolen, or compromised. Can easily be combined with the increasing time method above.
3) Password lists (either stolen or public). Outright forbid the 10,000 most common passwords and tell people that if they reuse the same password, they can be fired from their job and can not sue. Don't blame the company when the user is stupid.
Note that it is NOT a requirement to change the passwords often, as long as you obey the three requirements above, changing the password can be done once a year without affecting safety.

--
excitingthingstodo.blogspot.com
1. Re:3 ways to crack by duke_cheetah2003 · 2017-11-19 07:32 · Score: 1
  
  Correct me if I am wrong, but there are three basic ways to crack a password.
  You missed the most often used method: Find a broken service to exploit for code execution on the target. No passwords needed, system hacked.
2. Re:3 ways to crack by vux984 · 2017-11-19 08:29 · Score: 1
  
  "2) Social Engineering - the answer to this is a two factor token system, preferably a key fob rather than just using the phone which is easily lost, stolen, or compromised. Can easily be combined with the increasing time method above."
  According to my password safe I have over 100 passwords. Are you really advocating I cart around a wheelbarrow full of key fobs as the solution?
  Never going to happen. NEVER.
  And the worst part is that a fob doesn't even stop social engineering attacks.
  "Hi Alice I'm Bob from IT, we're just just troubleshooting your login. Ok, I need your password, and ok, the 2 factor password as well. Perfect, that appears to working. Have a great day."
  or a phishing attack... that likewise grabs both.
  The only thing the use of the fob does is that I have to login in real-time to get into your account. And then once in I use some exploit to escalate, i set up my backdoor, or do my evil thing, or whatever. But I have to do it in real-time, since I won't be able to get in later with the original credentials. However, if I know you are using a fob, I design the attack for that.
  So fobs do add some security but they don't "solve" the problem.
  biometrics can in theory solve the problem (becoming your 'username'); alongside a password, but the devil is in the implementation, and biometrics suffer from other problems too.
3. Re:3 ways to crack by Bert64 · 2017-11-19 20:34 · Score: 1
  
  Over a network biometrics have to be converted to digital data, basically a key or a hash which can be attacked in the normal ways.
  Also once compromised, biometrics remain compromised forever...
  
  --
  http://spamdecoy.net - free throwaway anonymous email - avoid spam!
4. Re:3 ways to crack by houghi · 2017-11-20 01:49 · Score: 2
  
  Number 3. Where I live you sure can tell people they can't sue, but that does not mean they can't sue. They could even sue you for telling them they can't sue.
  Some places have rights that can not be taken away by a contract.
  IT needs to realize that people are part of the security issue. Blaming them does not make anything safer.
  I have so many logins and passwords that it would be unreasonable to have them all different. So I have 6
  1. Most secure for my email as confirmations are send there
  2. Most secure for my home logins as my email gets there
  3. Very secure for my banks and credit companies
  4. Normal secure for companies I buy stuff
  5. Low security for all the rest
  6. security that depends on the company I work at
  Next to that I have my own domain with unlimited aliasses, so for 1 to 4, I use emails in the form of slashdot.org@example.com or bigbank.co.uk@example.net
  That way I know:
  1) If they sell my address or worse, got hacked
  2) If they are the ones that send me mail.
  Easy to filter and I won't fall for a sometimes very good fake email.
  "Use a password manager" might be great for many, but not for me who often works on machines that are secure enough, but not my own.
  
  --
  Don't fight for your country, if your country does not fight for you.
5. Re:3 ways to crack by vux984 · 2017-11-20 04:13 · Score: 1
  
  Over a network biometrics have to be converted to digital data, basically a key or a hash which can be attacked in the normal ways.
  Yes. That's why I wrote there were implementation and other problems.
  
  Also once compromised, biometrics remain compromised forever...
  That's only a problem if you use it as a 'secret password'. Its more like your username. And its value is not that it is a secret but that it is (ideally) difficult to forge.
Re:Article is a little late by TheRealMindChild · 2017-11-19 05:49 · Score: 2

They shouldn't have been exposed to the internet in the first place. Have anyone who wants to connect to a machine on the lan/wan connect to the network via VPN first

--

"When life gives you lemons, don't make lemonade. Make life take the lemons back!" -- Cave Johnson
Realsies by JBMcB · 2017-11-19 06:20 · Score: 2

You're assuming it's not a honeypot?

--
My Other Computer Is A Data General Nova III.
V......P.....N by Halster · 2017-11-19 08:32 · Score: 3, Interesting

Oh for crying out loud people. Don't open RDP ports direct to the internet!
If the average Joe can use a VPN to pirate movies I should think YOU could use it to secure your damn network!
L8r.

--

"How much truth can advertising buy?" - iNsuRge - AK47
1. Re:V......P.....N by F.Ultra · 2017-11-19 09:33 · Score: 1
  
  How else are they going to do get help to close those problems that the nice "Hello I'm calling from Windows" people with Indian accents detected?
2. Re:V......P.....N by nnull · 2017-11-19 09:52 · Score: 2
  
  I was wondering when someone was going to mention a VPN. What is so difficult in setting one up? People opening up their firewalls out in the open is asking for trouble. Granted, you get people trying to brute force your VPN just the same, but at least I can contain it (Auto Ban) and I know what it is.
3. Re:V......P.....N by Altrag · 2017-11-19 14:03 · Score: 2
  
  Setting up a VPN host is a lot more challenging than setting up a VPN client, unfortunately. I mean it probably doesn't have to be, but currently it is.
  Part of the problem is Microsoft. There's a lot of VPN routers out there that have fairly easy VPN setups.. for IPSec-style VPNs only. And Windows doesn't easily support those out of the box. So you can setup PPTP (or L2TP or similar) client in Windows pretty easily, and you can setup IPSec in routers pretty easily. Neither really play well with the other though making for a pretty large disconnect in usability.
  Of course there's always third party software to do all of that, but the ones I've run into have all been horrible in their own way as well. The only people who seem to want to make a user-friendly VPN system are the VPN service providers, but their clients are typically hardcoded specifically for their own services (and there's almost never a matching host-side package available anyway.)
VPN suggestions seem... no better? by nyquil+superstar · 2017-11-19 09:31 · Score: 1

I see a bunch of comments suggesting that it's dumb to expose RDP to the internet, and if you had just used a VPN... But this isn't an RDP (which is encrypted) exploit... this is brute forcing the password. If you can brute force the RDP account, then why couldn't you brute force the VPN credentials?
1. Re:VPN suggestions seem... no better? by nnull · 2017-11-19 09:57 · Score: 1
  
  Nothing really stopping you from brute forcing a VPN and it does happen. However, you have less exploitable methods of getting into the system than opening random ports on your firewall for SSH or RDP. Then of course, anyone that allows their VPN to be brute forced is pretty stupid.
2. Re: VPN suggestions seem... no better? by Brockmire · 2017-11-19 10:08 · Score: 1
  
  Brute force a certificate? This is a job for IPBan.
3. Re: VPN suggestions seem... no better? by nyquil+superstar · 2017-11-19 10:54 · Score: 1
  
  Yeah, certificates seem like the best approach. If only they didn't suck so much to manage.
4. Re:VPN suggestions seem... no better? by Bert64 · 2017-11-19 20:36 · Score: 1
  
  You'd setup up a VPN to use certs instead of passwords, which are much more difficult to brute force...
  Even if you successfully got access to the VPN, you'd then only have access to the RDP port which means you now have a second target to attack, so it adds an extra line of defence. And hopefully a competent sysadmin would notice VPN logins from unexpected locations.
  
  --
  http://spamdecoy.net - free throwaway anonymous email - avoid spam!
Re: "Jack-of-all-trades" by geekmux · 2017-11-19 11:41 · Score: 1

The point is that small organizations don't usually allow for specialization of duties, and that means less brains working on different aspects of IT.
The additional expense of maintaining staff or services that mitigate the risk of your business getting ass-raped by malware is either worth it to a business owner, or it's not. Small organizations that choose the latter usually become victims. Fuck 'em if they can't learn from best practice.

No one can do it all, it's similar to medicine - no doctor does all parts. It takes about 250 specialists to comprise all aspects of medicine, and that number is increasing daily.
See? There are areas of business that value risk mitigation. 250 specialists exist because when someone in medicine tries to "do it all", it usually ends with a wrongful death lawsuit. Medicine was forced to learn the value of specialists, much like ignorant small business owners are doing today.
TFA is garbage by Archon · 2017-11-19 12:35 · Score: 1

The only way an RDP session is being successfully initiated from outside your WLAN is if there's port forwarding setup on your router or you have a static IP direct to your computer. In nearly every other case, you're behind a NAT, which would allow you to initiate a RDP connection but not receive. On the router or firewall, remove any forwards and/or disable any sort of DMZ, and you're OK.
"Sophos security experts" aren't cited as saying anything about this, because of course, the recommended method of mediation is purchase and installation of their Sophos XG Firewall product. If whoever is responsible for your company doesn't already know this and can explain it to you, hire someone who does.
Re:Article is a little late by Bert64 · 2017-11-19 20:07 · Score: 1

Shows the flaws of account lockouts if they permit someone to launch such a trivial denial of service against your organisation.

--
http://spamdecoy.net - free throwaway anonymous email - avoid spam!
Re:Crappy Account Lockout Policies != RDP Exploit by Bert64 · 2017-11-19 20:39 · Score: 1

And if you have *ACCOUNT* lockout policies then you get a dos attack instead...
And brute force attacks can still succeed because you just try lots of usernames with a small number of the most common passwords.
Account lockouts are stupid, you want to block the source of the attack (as well as using stronger authentication than passwords on any externally facing system).

--
http://spamdecoy.net - free throwaway anonymous email - avoid spam!
Re:Article is a little late by s0nspark · 2017-11-20 00:17 · Score: 1

They shouldn't have been exposed to the internet in the first place. Have anyone who wants to connect to a machine on the lan/wan connect to the network via VPN first
You are assuming there IS a VPN, though and in many smaller organizations that is not the case.
RdpGuard by DigiShaman · 2017-11-20 02:12 · Score: 1

RDP Guard - It's expensive for what it does, but it does work. Essentially, it's just an anti-hammering app that tar-pits or blocks a public IP as a source from too many invalid logins. Those IPs are blocked at the Windows Firewall. Honestly, this functionality should have, and in fact, could be implemented in the Windows Server OS if MS so choose. It's trivial.
https://rdpguard.com/

--
Life is not for the lazy.
1. Re:RdpGuard by nyquil+superstar · 2017-11-20 04:17 · Score: 1
  
  Nice find, thanks for sharing this.