Slashdot Mirror


'Lazy' Hackers Exploit Microsoft RDP To Install Ransomware (sophos.com)

An anonymous reader writes: An investigation by Sophos has uncovered a new, lazy but effective ransomware attack where hackers brute force passwords on computers with [Microsoft's] Remote Desktop Protocol enabled, use off-the-shelf privilege escalation exploits to make themselves admins, turn off security software and then manually run fusty old versions of ransomware.
They even delete the recovery files created by Windows Live backup -- and make sure they can also scramble the database. "Because they've used their sysadmin powers to rig the system to be as insecure as they can, they can often use older versions of ransomware, perhaps even variants that other crooks have given up on and that are now floating around the internet 'for free'."

Most of the attacks hit small-to-medium companies with 30 or fewer employees, since "with small scale comes a dependence on external IT suppliers or 'jack-of-all-trades' IT generalists trying to manage cybersecurity along with many other responsibilities. In one case a victim was attacked repeatedly, because of a weak password used by a third-party application that demanded 24-hour administrator access for its support staff."
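A defender-side check for the brute-force stage described above, added here as an example (it is not code from the Sophos investigation or the story): it walks constructed records shaped like Windows Security logon events (4625 = failed logon, 4624 = successful logon, LogonType 10 = RDP session) and flags a source address that fails repeatedly and then logs on. The event IDs and field names are the real Windows ones; the records, addresses, usernames and thresholds are constructed for the example.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample records shaped like parsed Windows Security log events
# (4625 = failed logon, 4624 = successful logon; LogonType 10 = RemoteInteractive,
# i.e. an RDP session). Field names follow the event XML; IPs are documentation ranges.
SAMPLE_EVENTS = [
    ("2017-07-24T02:00:01", 4625, 10, "203.0.113.7", "administrator"),
    ("2017-07-24T02:00:09", 4625, 10, "203.0.113.7", "administrator"),
    ("2017-07-24T02:00:17", 4625, 10, "203.0.113.7", "admin"),
    ("2017-07-24T02:00:25", 4625, 10, "203.0.113.7", "backup"),
    ("2017-07-24T02:00:33", 4625, 10, "203.0.113.7", "administrator"),
    ("2017-07-24T02:00:41", 4625, 10, "203.0.113.7", "administrator"),
    ("2017-07-24T02:01:02", 4624, 10, "203.0.113.7", "administrator"),
    ("2017-07-24T08:15:00", 4625, 10, "198.51.100.20", "jsmith"),  # one typo by a real user
    ("2017-07-24T08:15:20", 4624, 10, "198.51.100.20", "jsmith"),
    ("2017-07-24T08:16:00", 4625, 2, "-", "svc_backup"),           # local logon, not RDP
]
FIELDS = ("time", "EventID", "LogonType", "IpAddress", "TargetUserName")

def detect_rdp_bruteforce(events, threshold=5, window=timedelta(minutes=10)):
    """Flag source IPs with >= threshold failed RDP logons inside a sliding window,
    and record whether a successful RDP logon from that IP followed the burst
    (a burst of failures followed by success is the signature of a guessed password)."""
    rows = sorted((dict(zip(FIELDS, e)) for e in events), key=lambda r: r["time"])
    recent = defaultdict(list)   # ip -> [(timestamp, username)] of recent 4625 events
    alerts = {}                  # ip -> summary of the suspected brute force
    for r in rows:
        if r["LogonType"] != 10:
            continue             # only remote-interactive (RDP) logons matter here
        ip, t = r["IpAddress"], datetime.fromisoformat(r["time"])
        if r["EventID"] == 4625:
            recent[ip] = [x for x in recent[ip] if t - x[0] <= window] + [(t, r["TargetUserName"])]
            if len(recent[ip]) >= threshold:
                a = alerts.setdefault(ip, {"failures": 0, "users": set(), "success_as": None})
                a["failures"] = max(a["failures"], len(recent[ip]))
                a["users"].update(u for _, u in recent[ip])
        elif r["EventID"] == 4624 and ip in alerts:
            alerts[ip]["success_as"] = r["TargetUserName"]  # burst then success: likely compromise
    return alerts

if __name__ == "__main__":
    for ip, a in detect_rdp_bruteforce(SAMPLE_EVENTS).items():
        print(ip, a["failures"], "failures against", sorted(a["users"]), "then logged on as", a["success_as"])
```

On a real host the same logic runs over the Security log exported with wevtutil or Get-WinEvent, keyed on the IpAddress field of each event; the two-failure case from 198.51.100.20 stays below the threshold and is not reported.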

12 of 72 comments

  1. Re:I used RDP ... by fph il quozientatore · · Score: 4, Funny

    Thanks, I have noted down that number now.

    --your friendly network neighbourhood hacker.

    --
    My first program:

    Hell Segmentation fault

  2. Re:I used RDP ... by Antique Geekmeister · · Score: 2

    Switching the SSH port is helpful as well, if you expose port 22 at all to the outside world. So is blocking and forcing users to use specified, non-standard VNC ports: too many personnel at home use that to work their way around workplace password management. I've personally encountered too many IT personnel who slip past their own workplace access policies by slipping a VNC installation onto their most critical servers, so they can access it as needed or share on-site screens with offsite access.

    When in a rush, and with permission of the relevant manager, I've personally installed VNC surreptitiously on a worksite host to see exactly who was doing what to the server while I was offsite. It allowed me to see that someone was surreptitiously modifying the system during the maintenance window, and get someone onsite to go look and see who was logged in to the console. The resulting discussion with their employer was unpleasant, but necessary.

  3. 3 ways to crack by gurps_npc · · Score: 4, Interesting

    Correct me if I am wrong, but there are three basic ways to crack a password.

    1) Brute force - the answer to this is long passwords and to have each password attempt take twice as long as the last, i.e. the second attempt after a failure waits 5 seconds, the third attempt takes 10 seconds, the fourth takes 20 seconds, etc. For password length you can use an md5 hash of a selected read-only file. If the system is set up right it will take fewer mouse clicks to do than the 8 keyboard clicks currently used.

    2) Social Engineering - the answer to this is a two factor token system, preferably a key fob rather than just using the phone which is easily lost, stolen, or compromised. Can easily be combined with the increasing time method above.

    3) Password lists (either stolen or public). Outright forbid the 10,000 most common passwords and tell people that if they reuse the same password, they can be fired from their job and can not sue. Don't blame the company when the user is stupid.

    Note that it is NOT a requirement to change the passwords often, as long as you obey the three requirements above, changing the password can be done once a year without affecting safety.

    --
    excitingthingstodo.blogspot.com
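The doubling delay from point 1 of the comment above, written out as a working throttle; this is an added example, not code from the commenter. It keys the escalation on the account name, rejects attempts made before the wait has elapsed without counting them, and goes one step beyond the comment by adding an optional upper bound on the wait (assumed here, so that a flood of bad guesses cannot lock the real user out for days).

```python
class LoginThrottle:
    """Per-account throttle that doubles the mandatory wait after every failed
    attempt: 5 s after the first failure, 10 s after the second, 20 s after the
    third, and so on. The caller passes the clock so behaviour is deterministic."""

    def __init__(self, base_delay=5.0, max_delay=None):
        self.base_delay = base_delay
        self.max_delay = max_delay        # optional cap on the wait (an addition to the comment's scheme)
        self.state = {}                   # account -> (consecutive failures, time of last failure)

    def required_wait(self, account):
        """Seconds a new attempt must wait after the last failure; 0 if no recent failures."""
        failures, _ = self.state.get(account, (0, 0.0))
        if failures == 0:
            return 0.0
        wait = self.base_delay * 2 ** (failures - 1)
        return wait if self.max_delay is None else min(wait, self.max_delay)

    def may_attempt(self, account, now):
        """True if enough time has passed since the last failure for this account.
        Early attempts are refused outright and do not count as failures, so a
        client that hammers the endpoint gains nothing by retrying sooner."""
        failures, last = self.state.get(account, (0, 0.0))
        return failures == 0 or now - last >= self.required_wait(account)

    def record_failure(self, account, now):
        failures, _ = self.state.get(account, (0, 0.0))
        self.state[account] = (failures + 1, now)

    def record_success(self, account):
        self.state.pop(account, None)     # a correct password resets the escalation


if __name__ == "__main__":
    t = LoginThrottle()
    for i in range(4):                    # four failures in a row at t = 0
        t.record_failure("alice", 0.0)
        print("after failure", i + 1, "wait", t.required_wait("alice"), "s")
```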
    1. Re:3 ways to crack by houghi · · Score: 2

      Number 3. Where I live you sure can tell people they can't sue, but that does not mean they can't sue. They could even sue you for telling them they can't sue.
      Some places have rights that can not be taken away by a contract.
      IT needs to realize that people are part of the security issue. Blaming them does not make anything safer.

      I have so many logins and passwords that it would be unreasonable to have them all different. So I have 6:
      1. Most secure for my email as confirmations are sent there
      2. Most secure for my home logins as my email gets there
      3. Very secure for my banks and credit companies
      4. Normal secure for companies I buy stuff
      5. Low security for all the rest
      6. security that depends on the company I work at

      Next to that I have my own domain with unlimited aliases, so for 1 to 4, I use emails in the form of slashdot.org@example.com or bigbank.co.uk@example.net
      That way I know:
      1) If they sell my address or worse, got hacked
      2) If they are the ones that send me mail.
      Easy to filter and I won't fall for a sometimes very good fake email.

      "Use a password manager" might be great for many, but not for me who often works on machines that are secure enough, but not my own.

      --
      Don't fight for your country, if your country does not fight for you.
  4. Re:So... by Antique Geekmeister · · Score: 3, Interesting

    No, it's not. But it's _very_ common to activate it for personnel who use their more powerful desktop systems for telecommunication. It's also very standard to enable for Windows hosts in a machine room, unless you've the time and resources to set up a remote KVM or the hardware based remote consoles such as DRAC. Those hosts are often surprisingly vulnerable. The various security improvements of a server environment can be overwhelmed by the unwillingness to update, and reboot, production servers. It's also often overwhelmed by the need to support older software. I _still_ see critical XP systems in unprotected internal networks, used for legacy software or proprietary software for which an upgrade is very expensive.

  5. Re:I used RDP ... by freeze128 · · Score: 2

    Don't make me quote Admiral Ackbar to you...

  6. Re:Article is a little late by TheRealMindChild · · Score: 2

    They shouldn't have been exposed to the internet in the first place. Have anyone who wants to connect to a machine on the LAN/WAN connect to the network via VPN first.

    --

    "When life gives you lemons, don't make lemonade. Make life take the lemons back!" -- Cave Johnson
  7. Realsies by JBMcB · · Score: 2

    You're assuming it's not a honeypot?

    --
    My Other Computer Is A Data General Nova III.
  8. V......P.....N by Halster · · Score: 3, Interesting

    Oh for crying out loud people. Don't open RDP ports direct to the internet!

    If the average Joe can use a VPN to pirate movies I should think YOU could use it to secure your damn network!

    L8r.

    --

    "How much truth can advertising buy?" - iNsuRge - AK47
    1. Re:V......P.....N by nnull · · Score: 2

      I was wondering when someone was going to mention a VPN. What is so difficult in setting one up? People opening up their firewalls out in the open is asking for trouble. Granted, you get people trying to brute force your VPN just the same, but at least I can contain it (Auto Ban) and I know what it is.

    2. Re:V......P.....N by Altrag · · Score: 2

      Setting up a VPN host is a lot more challenging than setting up a VPN client, unfortunately. I mean it probably doesn't have to be, but currently it is.

      Part of the problem is Microsoft. There's a lot of VPN routers out there that have fairly easy VPN setups... for IPSec-style VPNs only. And Windows doesn't easily support those out of the box. So you can set up a PPTP (or L2TP or similar) client in Windows pretty easily, and you can set up IPSec in routers pretty easily. Neither really plays well with the other, though, making for a pretty large disconnect in usability.

      Of course there's always third party software to do all of that, but the ones I've run into have all been horrible in their own way as well. The only people who seem to want to make a user-friendly VPN system are the VPN service providers, but their clients are typically hardcoded specifically for their own services (and there's almost never a matching host-side package available anyway.)

  9. Re:In the ass by Bert64 · · Score: 2

    There needs to be accountability for third party vendors who insist on insecure configurations like this...
    The trouble is most of their customers don't have the knowledge in house to realise how insecure it is. I've encountered a few vendors who made ridiculous demands like this and their response has always been "but our other customers don't have a problem".

    They want 24/7 RDP or VNC access direct from the internet, won't use a VPN (which to be fair, having 100 clients each using a different VPN technology becomes very painful), use weak passwords and won't even supply a fixed source address that the connection would come from. And then the system they want access to won't be isolated from anything else, so it provides a trivial route into the network.

    --
    http://spamdecoy.net - free throwaway anonymous email - avoid spam!