Cyber Alerts

CYBER SECURITY ALERT: REMOVE OUTSIDE IP ACCESS FROM ALL RDP CONNECTIONS REGARDLESS OF PORT NUMBER!


Anti-virus companies have uncovered new hacking tools that can compromise a targeted Remote Desktop connection to a Windows Server in just minutes. This was recently demonstrated at the Cyber Security Roundtable in Las Vegas, NV. It is being used by the perpetrators to gain access and infect servers with crypto-ransomware infections and a plethora of new hacking tools. Cyber Security Expert Mike Monahan recommends that all MSPs immediately discontinue the use of RDP for all their clients not employing a VPN, RSA keys or other encrypted technology.

We normally think of ransomware as something that’s catapulted into victims’ computers using some form of mass email distribution.

The attack (Information from Sophos)

Many companies, notably small businesses, outsource their IT to, or pay for lots of help from, outside contractors.

These contractors might live in another part of town, or elsewhere in the country, or even on the other side of the world.

To let remote sysadmins look after your Windows networks, the most widely-used tool is Microsoft’s own Remote Desktop Protocol, or RDP for short.

RDP, for those who haven’t used it, effectively turns your IT guy’s laptop into a remote screen, keyboard and mouse connected over the internet to your local computer.

When they move their mouse in the RDP client software far away, they’re controlling your computer; when a software dialog pops up, they see it on their remote computer.

RDP is like being right there, and allows remote use even of fully-graphical applications that can’t be scripted or operated via a command prompt.

In other words, the RDP password you’ve chosen for your remote sysadmin (or that you’ve let them choose for themselves) is essentially the key to your office – a weak password is like a server room door that’s propped open, inviting any passing snooper to take a look inside.

So, if the crooks notice that you’ve got RDP open to the internet, for example by using a network search engine such as Shodan, you can be sure they’ll take a poke around.

Sophos security experts who’ve investigated a spate of recent RDP attacks have frequently found evidence that a tool called NLBrute was used to try a whole range of RDP passwords – a so-called brute force attack – in the hope of sneaking in.

Once they’ve got your RDP password – whether they use NLBrute, or simply look you up on Facebook to find your birthday and your pet’s name – they’ll logon and immediately create various brand new administrative accounts.

That way, even if you get rid of the crooks and change your own admin password, they’ve already got backup accounts they can use to sneak back in later.
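The sequence just described (a burst of failed RDP logons, a successful logon, then a freshly created administrator account) is exactly what a defender can look for in the Windows Security log. The following is an added example and not part of the Sophos write-up: it runs simple detection logic over constructed event records whose field names are simplified from the event XML (the IDs are the standard Windows ones: 4625 failed logon and 4624 successful logon with LogonType 10 for RDP, 4720 account created, 4732 member added to a local group).

```python
from collections import defaultdict
from datetime import datetime, timedelta

FAIL_THRESHOLD = 5            # failed RDP logons from one source IP within WINDOW
WINDOW = timedelta(minutes=10)

def detect_rdp_intrusion(events):
    """Return alert strings for the brute-force -> logon -> backdoor-admin sequence."""
    failures = defaultdict(list)  # source IP -> recent 4625 timestamps (RDP only)
    brute_forced = set()          # source IPs that crossed FAIL_THRESHOLD
    compromised = set()           # accounts that then logged on over RDP from such an IP
    alerts = []
    for e in sorted(events, key=lambda ev: ev["time"]):
        eid, t, ip, user = e["id"], e["time"], e.get("ip"), e.get("user")
        if eid == 4625 and e.get("logon_type") == 10:      # failed logon, LogonType 10 = RDP
            failures[ip] = [x for x in failures[ip] if t - x <= WINDOW] + [t]
            if len(failures[ip]) >= FAIL_THRESHOLD and ip not in brute_forced:
                brute_forced.add(ip)
                alerts.append(f"RDP brute force from {ip}: {len(failures[ip])} failures within {WINDOW}")
        elif eid == 4624 and e.get("logon_type") == 10 and ip in brute_forced:
            compromised.add(user)
            alerts.append(f"successful RDP logon as {user} from {ip} after brute force")
        elif eid == 4720 and user in compromised:            # account created by a suspect session
            alerts.append(f"{user} created new account {e['new_user']} (possible backdoor)")
        elif eid == 4732 and user in compromised and e.get("group") == "Administrators":
            alerts.append(f"{user} added {e['member']} to Administrators (possible backdoor)")
    return alerts

# Constructed sample (field names simplified): six failed RDP logons within seconds,
# then a success, then a new account that is made a local administrator.
T0 = datetime(2018, 11, 21, 2, 0, 0)
SAMPLE_EVENTS = [
    {"id": 4625, "logon_type": 10, "ip": "203.0.113.7", "user": "admin", "time": T0 + timedelta(seconds=i)}
    for i in range(6)
] + [
    {"id": 4624, "logon_type": 10, "ip": "203.0.113.7", "user": "admin", "time": T0 + timedelta(seconds=9)},
    {"id": 4720, "user": "admin", "new_user": "svc_backup", "time": T0 + timedelta(minutes=1)},
    {"id": 4732, "user": "admin", "member": "svc_backup", "group": "Administrators",
     "time": T0 + timedelta(minutes=2)},
]

if __name__ == "__main__":
    for line in detect_rdp_intrusion(SAMPLE_EVENTS):
        print(line)
```

Tuning FAIL_THRESHOLD and WINDOW to the environment matters: a legitimate admin mistyping a password a few times must not trip the first rule, while the later rules only fire for accounts that already logged on from a brute-forcing address.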

What next?

Once they’re in, here’s what you can expect to happen next, based on what we’ve seen in a number of attacks we’ve investigated:

Tools of this sort are regularly used by legitimate sysadmins for troubleshooting and emergency recovery, especially if they use kernel drivers to let you pull off modifications that the operating system usually prevents. This includes killing off processes that usually block shutdown, deleting locked files, and changing configuration settings that are usually locked down.

The crooks go after the passwords of administrator accounts so that they’ll enjoy all the power of a legitimate sysadmin. If they can’t get an admin password, they may try logging in as a regular user and running hacking tools that try to exploit unpatched vulnerabilities to get what’s called EoP, or elevation of privilege.

EoP means that already logged-on users can sneakily promote themselves to more powerful accounts to boost their powers. We’ve seen EoP tools left behind on attacked systems that tried to abuse vulnerabilities dubbed CVE-2017-0213 and CVE-2016-0099, patched by Microsoft back in May 2017 and March 2016 respectively.

Files such as SQL databases are usually locked while the database server software is active, as a precaution against corruption that could be caused by concurrent access by another program. The side-effect of this is that malware can’t get direct access to database files either, and therefore can’t scramble them to hold them to ransom.

Shadow copies act as real-time, online backups that can make recovery from ransomware a quick and easy process. That’s why crooks often go looking for shadow copies first to remove them.

You can guess what happens next.

Because they’ve used their sysadmin powers to rig the system to be as insecure as they can, they can often use older versions of ransomware, perhaps even variants that other crooks have given up on and that are now floating around the internet “for free”.

The crooks don’t have to worry about using the latest and greatest malware, or setting up a command-and-control server, or running a hit-and-hope spam campaign.

In one attack, we saw a folder on the desktop containing four different types of ransomware. The crooks ran each in turn, until one of them worked.

How much is the ransom?

Many ransomware attacks are distributed indiscriminately, and therefore rely on a “pay page” – a Dark Web server set up specially to tell victims how much to pay, and how to pay it.

But these RDP crooks are already personally involved to the extent of logging into your network themselves, so there’s often what you might call a “personal touch”.

Rather than automatically squeezing you via a website, you’ll probably see a pop-up something like this, telling you to make contact via email to “negotiate” the release of your data:

At the time of writing the Bitcoin address used by that attacker contained BTC 9.62, currently worth just over $60,000.

Only one of the transactions matched the 1BTC amount demanded in the ransom, which might indicate that the account is being used for other activities at the same time, or that some victims managed to negotiate a lower price.

The victims

The victims of this kind of attack are almost always small-to-medium companies: the largest business in our investigation had 120 staff, but most had 30 or fewer.

With small scale comes a dependence on external IT suppliers or “jack-of-all-trades” IT generalists trying to manage cybersecurity along with many other responsibilities.

In one case a victim was attacked repeatedly, because of a weak password used by a third-party application that demanded 24-hour administrator access for its support staff.

What to do?

If you’re using a third-party IT company and they haven’t already suggested the precautions we’ve listed above, why not ask them why, and ask yourself if they’re the right people to be looking after your network?

Be careful out there – don’t let the Remote Desktop Protocol for your IT team turn into a Ransomware Deployment Process for criminals.

________________________________________________________

SPONSORED BY: SonicWall

Fake Ransomware just overwrites MBR but demands payment

Updated: Today

The SonicWall Capture Labs Threat Research Team has recently come across a fake ransomware trojan that pretends to hold a victim’s files hostage. Although its ransom message is intimidating and a Monero address is provided for a $200 payment, there is no encryption functionality present in the malware.

Infection Cycle:

The attacker has made no effort to hide the functionality of the malware. It was written in Delphi and is so straightforward that even a simple listing of the strings in the binary instantly reveals its purpose:

Running the executable through a debugger reveals its runtime functionality. The first step is to check whether raw access to the physical system drive is possible, using the CreateFileA and ReadFile API calls:


If the above test passes, it proceeds to open a handle to the physical drive again and overwrite the MBR using the WriteFile API call:


Arguments on the stack point to the ransom text to be displayed after reboot:


After successfully overwriting the MBR with the ransom text, the trojan executes “shutdown -r -f -t 0” via WinExec to reboot the system immediately:

Upon reboot, the following ransom text is displayed and the machine is unable to boot as normal:

The only modification to the filesystem is the overwritten MBR.  No files have actually been encrypted and there is no encryption functionality present in the malware.  Although files can easily be restored by mounting the filesystem using a live OS booted via a memory stick, most users will likely consider their files gone and perform a full reinstall.  There is no contact information provided to “restore” files and no way of verifying if paying the $200 in Monero will suffice.
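Because the only change is to the first sector, a responder booting a live OS can read that sector and tell at a glance whether it still holds boot code or has been replaced by a text note. The following is an added example, not SonicWall’s code: it parses a 512-byte MBR image (boot signature, partition table) and flags a code area that is mostly printable text; both sample images are constructed stand-ins, not sectors taken from the trojan.

```python
import struct

SECTOR = 512
BOOT_SIG = b"\x55\xaa"
PART_TABLE_OFF = 446          # 446 bytes of boot code, then four 16-byte partition entries

def parse_mbr(sector):
    """Describe a 512-byte MBR: boot signature, partition entries and a verdict on the code area."""
    if len(sector) != SECTOR:
        raise ValueError("expected exactly 512 bytes")
    code = sector[:PART_TABLE_OFF]
    printable = sum(1 for b in code if 32 <= b < 127 or b in b"\r\n\t")
    ratio = printable / len(code)
    parts = []
    for i in range(4):
        entry = sector[PART_TABLE_OFF + 16 * i:PART_TABLE_OFF + 16 * (i + 1)]
        lba_start, sectors = struct.unpack("<II", entry[8:16])
        if entry[4] != 0:     # partition type 0 means an unused slot
            parts.append({"bootable": entry[0] == 0x80, "type": entry[4],
                          "lba_start": lba_start, "sectors": sectors})
    sig_ok = sector[510:512] == BOOT_SIG
    # Genuine boot code is dense machine code (well under half printable); a ransom note is text.
    if sig_ok and ratio < 0.5 and parts:
        verdict = "looks like a normal MBR"
    elif ratio >= 0.7:
        verdict = "boot code replaced by text; partition entries above are unreliable, recover from a live OS"
    else:
        verdict = "MBR damaged or unrecognised"
    return {"signature_ok": sig_ok, "printable_ratio": round(ratio, 2), "partitions": parts, "verdict": verdict}

def make_normal_mbr():
    """Constructed stand-in for a healthy MBR: non-text code bytes, one bootable NTFS partition, 0x55AA."""
    code = bytes((i * 37 + 11) % 256 for i in range(PART_TABLE_OFF))
    entry = bytes([0x80, 0, 0, 0, 0x07, 0, 0, 0]) + struct.pack("<II", 2048, 1_000_000)
    return code + entry + bytes(48) + BOOT_SIG

def make_ransom_mbr():
    """Constructed stand-in for the trojan's output: a small code stub, then note text filling the sector."""
    stub = bytes(range(0xB8, 0xF8))      # 64 non-printable bytes standing in for a print-and-halt routine
    note = b"YOUR FILES ARE ENCRYPTED. SEND $200 IN MONERO TO <constructed address>\r\n"
    body = stub + (note * 10)[:SECTOR - 2 - len(stub)]
    return body + BOOT_SIG

if __name__ == "__main__":
    for name, img in (("normal", make_normal_mbr()), ("ransom", make_ransom_mbr())):
        print(name, parse_mbr(img))
```

A recovered partition start (the lba_start field) from a backup of the original sector is what lets the filesystem be mounted from a live OS even when the overwritten MBR itself is useless.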

SonicWALL Gateway AntiVirus provides protection against this threat via the following signature:

 