Anti-virus companies have uncovered new hacking tools that can break into a targeted Remote Desktop connection to a Windows Server in just minutes. The technique was recently demonstrated at the Cyber Security Roundtable in Las Vegas, NV. Perpetrators are using it to gain access and infect servers with crypto-ransomware and a plethora of other new hacking tools. Cyber security expert Mike Monahan recommends that all MSPs immediately discontinue the use of RDP for any clients not protected by a VPN, RSA keys or other encrypted technology.
We normally think of ransomware as something that’s catapulted into victims’ computers using some form of mass email distribution.
Many companies, notably small businesses, outsource their IT to, or pay for lots of help from, outside contractors.
These contractors might live in another part of town, or elsewhere in the country, or even on the other side of the world.
To let remote sysadmins look after your Windows networks, the most widely-used tool is Microsoft’s own Remote Desktop Protocol, or RDP for short.
RDP, for those who haven’t used it, effectively turns your IT guy’s laptop into a remote screen, keyboard and mouse connected over the internet to your local computer.
When they move their mouse in the RDP client software far away, they’re controlling your computer; when a software dialog pops up, they see it on their remote computer.
RDP is like being right there, and allows remote use even of fully-graphical applications that can’t be scripted or operated via a command prompt.
In other words, the RDP password you’ve chosen for your remote sysadmin (or that you’ve let them choose for themselves) is essentially the key to your office – a weak password is like a server room door that’s propped open, inviting any passing snooper to take a look inside.
So, if the crooks notice that you’ve got RDP open to the internet, for example by using a network search engine such as Shodan, you can be sure they’ll take a poke around.
Sophos security experts who’ve investigated a spate of recent RDP attacks have frequently found evidence that a tool called NLBrute was used to try a whole range of RDP passwords – a so-called brute force attack – in the hope of sneaking in.
Once they’ve got your RDP password – whether they use NLBrute, or simply look you up on Facebook to find your birthday and your pet’s name – they’ll logon and immediately create various brand new administrative accounts.
That way, even if you get rid of the crooks and change your own admin password, they’ve already got backup accounts they can use to sneak back in later.
Once they’re in, here’s what you can expect to happen next, based on what we’ve seen in a number of attacks we’ve investigated:
Tools of this sort are regularly used by legitimate sysadmins for troubleshooting and emergency recovery, especially when they ship kernel drivers that let an administrator pull off modifications the operating system usually prevents. This includes killing off processes that normally refuse to be shut down, deleting locked files, and changing configuration settings that are usually locked down.
The crooks go after the passwords of administrator accounts so that they’ll enjoy all the power of a legitimate sysadmin. If they can’t get an admin password, they may try logging in as a regular user and running hacking tools that try to exploit unpatched vulnerabilities to get what’s called EoP, or elevation of privilege.
EoP means that an already logged-on user can sneakily promote themselves to a more powerful account. We’ve seen EoP tools left behind on attacked systems that tried to abuse vulnerabilities dubbed CVE-2017-0213 and CVE-2016-0099, patched by Microsoft back in May 2017 and March 2016 respectively.
Files such as SQL databases are usually locked while the database server software is active, as a precaution against corruption that could be caused by concurrent access by another program. The side-effect of this is that malware can’t get direct access to database files either, and therefore can’t scramble them to hold them to ransom.
Volume shadow copies act as online, point-in-time backups that can make recovery from ransomware a quick and easy process. That’s why crooks often go looking for shadow copies first to remove them.
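The stages just described leave a recognisable trail in the Windows Security log: a burst of failed logons from one address, a successful RDP logon from that same address, a freshly created account (and its addition to Administrators), and then a process that wipes the shadow copies. As an added example that is not part of the Sophos write-up, the following Python sketch runs that chain against a handful of constructed audit records. The one-line format is a simplified stand-in for the real events 4625/4624/4720/4732/4688, the thresholds are assumptions to be tuned per environment, and the `vssadmin`/`wmic` command lines are the ones usually seen for shadow-copy removal (the article itself names no specific tool).

```python
import re
import shlex
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Thresholds are assumptions; tune them to the server's normal failed-logon rate.
BRUTE_FAILURES = 20
BRUTE_WINDOW = timedelta(minutes=5)
FOLLOWUP_WINDOW = timedelta(hours=1)
# Command lines usually seen when shadow copies are wiped (assumption; the article names no tool).
SHADOW_DELETE = re.compile(r"\b(vssadmin(\.exe)?\s+delete\s+shadows|wmic(\.exe)?\s+shadowcopy\s+delete)", re.I)


def parse(line):
    """Parse one simplified audit line: '<ISO time> <event id> key=value ...'.
    This is a constructed format standing in for the fields of the real Security log events."""
    ts, eid, *fields = shlex.split(line)
    ev = {"time": datetime.fromisoformat(ts), "id": int(eid)}
    for field in fields:
        key, _, value = field.partition("=")
        ev[key] = value
    return ev


def detect(lines):
    """Walk the events in time order and raise an alert at each stage of the intrusion."""
    events = sorted((parse(line) for line in lines), key=lambda e: e["time"])
    alerts = []
    recent_failures = defaultdict(deque)   # source ip -> timestamps of 4625s inside BRUTE_WINDOW
    last_burst = {}                        # source ip -> time a brute-force burst was flagged
    compromised = {}                       # account name -> time it was logged into from a bursting ip

    for ev in events:
        ip, user, t = ev.get("ip"), ev.get("user"), ev["time"]
        if ev["id"] == 4625:                                    # failed logon (any logon type)
            q = recent_failures[ip]
            q.append(t)
            while t - q[0] > BRUTE_WINDOW:
                q.popleft()
            if len(q) == BRUTE_FAILURES:                        # fire once per burst
                last_burst[ip] = t
                alerts.append(f"{t} brute force: {BRUTE_FAILURES} failed logons from {ip} within {BRUTE_WINDOW}")
        elif ev["id"] == 4624 and ev.get("type") == "10":       # successful RemoteInteractive (RDP) logon
            if ip in last_burst and t - last_burst[ip] <= FOLLOWUP_WINDOW:
                compromised[user] = t
                alerts.append(f"{t} password guessed: RDP logon as {user} from {ip} after brute force")
        elif ev["id"] in (4720, 4732) and ev.get("by") in compromised:   # account created / added to group
            if t - compromised[ev["by"]] <= FOLLOWUP_WINDOW:
                what = "created account" if ev["id"] == 4720 else f"added to {ev.get('group')}"
                alerts.append(f"{t} backdoor account: {ev['by']} {what} {user}")
        elif ev["id"] == 4688 and SHADOW_DELETE.search(ev.get("cmd", "")):  # process creation
            who = ev.get("by")
            tag = " (by compromised account)" if who in compromised else ""
            alerts.append(f"{t} shadow copies deleted by {who}{tag}: {ev['cmd']}")
    return alerts


# Constructed sample log: one legitimate admin session, then the attack chain from 203.0.113.45.
SAMPLE_LOG = [
    "2018-07-12T01:58:00 4624 ip=198.51.100.7 user=jsmith type=10",
] + [
    f"2018-07-12T02:{10 + i // 10:02d}:{(i % 10) * 6:02d} 4625 ip=203.0.113.45 user=administrator type=10"
    for i in range(25)
] + [
    "2018-07-12T02:13:12 4624 ip=203.0.113.45 user=administrator type=10",
    "2018-07-12T02:20:40 4720 user=backupsvc by=administrator",
    "2018-07-12T02:21:03 4732 group=Administrators user=backupsvc by=administrator",
    '2018-07-12T02:31:07 4688 by=administrator cmd="vssadmin delete shadows /all /quiet"',
]

if __name__ == "__main__":
    for alert in detect(SAMPLE_LOG):
        print(alert)
```

Two practical notes: with Network Level Authentication enabled, failed RDP attempts are commonly recorded with logon type 3 rather than 10, which is why the failure counter ignores the logon type; and event 4688 only carries the command line if "Include command line in process creation events" has been turned on in Group Policy, so without that setting the final stage is invisible to this check.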
You can guess what happens next.
Because they’ve used their sysadmin powers to rig the system to be as insecure as they can, they can often use older versions of ransomware, perhaps even variants that other crooks have given up on and that are now floating around the internet “for free”.
The crooks don’t have to worry about using the latest and greatest malware, or setting up a command-and-control server, or running a hit-and-hope spam campaign.
In one attack, we saw a folder on the desktop containing four different types of ransomware. The crooks ran each in turn, until one of them worked.
Many ransomware attacks are distributed indiscriminately, and therefore rely on a “pay page” – a Dark Web server set up specially to tell victims how much to pay, and how to pay it.
But these RDP crooks are already personally involved to the extent of logging into your network themselves, so there’s often what you might call a “personal touch”.
Rather than automatically squeezing you via a website, you’ll probably see a pop-up something like this, telling you to make contact via email to “negotiate” the release of your data:
At the time of writing the Bitcoin address used by that attacker contained BTC 9.62, currently worth just over $60,000.
Only one of the transactions matched the 1 BTC amount demanded in the ransom, which might indicate that the address is being used for other activities at the same time, or that some victims managed to negotiate a lower price.
The victims of this kind of attack are almost always small-to-medium companies: the largest business in our investigation had 120 staff, but most had 30 or fewer.
With small scale comes a dependence on external IT suppliers or “jack-of-all-trades” IT generalists trying to manage cybersecurity along with many other responsibilities.
In one case a victim was attacked repeatedly, because of a weak password used by a third-party application that demanded 24-hour administrator access for its support staff.
If you’re using a third-party IT company and they haven’t already suggested the precautions we’ve listed above, why not ask them why, and ask yourself if they’re the right people to be looking after your network?
Be careful out there – don’t let the Remote Desktop Protocol for your IT team turn into a Ransomware Deployment Process for criminals.
The SonicWall Capture Labs Threat Research Team have recently come across a fake ransomware trojan that pretends to hold a victim’s files hostage. Although its ransom message is intimidating and a Monero address is provided for a $200 payment, there is no encryption functionality present in the malware.
The attacker has made no effort to hide the functionality of the malware. It was written in Delphi and is so straightforward that even a simple listing of the strings in the binary instantly reveals its purpose:
Running the executable through a debugger reveals its runtime behaviour. The first step is to check that it can open and read the raw physical system drive, using the CreateFileA and ReadFile API calls (a handle to a physical drive can only be opened with administrative rights, so everything that follows depends on the sample having been run as an administrator):
If the above test passes, it proceeds to open a handle to the physical drive again and overwrite the MBR using the WriteFile API call:
Arguments on the stack point to the ransom text to be displayed after reboot:
After successfully overwriting the MBR with the ransom text, the trojan executes “shutdown -r -f -t 0” using WinExec to immediately reboot the system:
Upon reboot, the following ransom text is displayed and the machine is unable to boot as normal:
The only modification to the filesystem is the overwritten MBR. No files have actually been encrypted and there is no encryption functionality present in the malware. Although files can easily be restored by mounting the filesystem using a live OS booted via a memory stick, most users will likely consider their files gone and perform a full reinstall. There is no contact information provided to “restore” files and no way of verifying if paying the $200 in Monero will suffice.
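Because the damage is confined to sector 0, the recovery question is a forensic one: does the MBR still hold boot code and a partition table, and where does the untouched filesystem begin? The following Python script is an added example, not SonicWall's code or anything extracted from the sample. It parses a 512-byte MBR, flags the ransom-note pattern (no usable partition entries behind a bootstrap area that is really text), then scans a raw image for an NTFS boot sector so the volume can be loop-mounted at its byte offset from a live OS, which is exactly the restore path the write-up describes. The MBRs, the note text and the disk image are constructed here; the trojan's real bootstrap bytes are not reproduced.

```python
import struct

SECTOR = 512
PART_TABLE = 0x1BE          # four 16-byte partition entries live here, followed by the 0x55AA signature
BOOT_SIG = b"\x55\xAA"


def parse_partition_table(mbr):
    """Decode the four entries: status, CHS start (skipped), type, CHS end (skipped), LBA start, count."""
    return [dict(zip(("status", "type", "lba_start", "sectors"),
                     struct.unpack_from("<B3xB3xII", mbr, PART_TABLE + 16 * i)))
            for i in range(4)]


def valid_entries(entries):
    """Keep only entries that look like real partitions: used type, legal status byte, non-empty extent."""
    return [e for e in entries
            if e["type"] != 0 and e["status"] in (0x00, 0x80) and e["lba_start"] > 0 and e["sectors"] > 0]


def printable_strings(blob, min_len=16):
    """Extract runs of printable ASCII, the way a 'strings' listing would."""
    out, run = [], bytearray()
    for b in blob + b"\x00":            # trailing sentinel flushes the final run
        if 0x20 <= b < 0x7F:
            run.append(b)
        else:
            if len(run) >= min_len:
                out.append(run.decode("ascii"))
            run = bytearray()
    return out


def assess_mbr(mbr):
    """Decide whether sector 0 still holds boot code plus a partition table, or a ransom note instead."""
    if len(mbr) != SECTOR:
        raise ValueError("MBR must be exactly one 512-byte sector")
    code = mbr[:PART_TABLE]
    nonzero = [b for b in code if b]
    text_like = [b for b in nonzero if 0x20 <= b < 0x7F or b in (0x0A, 0x0D)]
    text_ratio = len(text_like) / max(len(nonzero), 1)
    parts = valid_entries(parse_partition_table(mbr))
    return {
        "boot_signature": mbr[510:] == BOOT_SIG,
        "partitions": parts,
        "text_ratio": round(text_ratio, 2),
        "strings": printable_strings(code),
        # An empty partition table behind a text-heavy bootstrap area is the pattern this trojan leaves.
        "overwritten": not parts and text_ratio > 0.5,
    }


def find_ntfs_volumes(image):
    """Scan sector boundaries for an NTFS boot sector: x86 short jump, 'NTFS    ' OEM ID, 0x55AA."""
    return [lba for lba in range(1, len(image) // SECTOR)
            if image[lba * SECTOR] == 0xEB
            and image[lba * SECTOR + 3:lba * SECTOR + 11] == b"NTFS    "
            and image[lba * SECTOR + 510:lba * SECTOR + 512] == BOOT_SIG]


def mount_command(lba, image_path="disk.img"):
    """Loop-mount the volume read-only at its byte offset, ignoring the damaged MBR entirely."""
    return f"mount -o ro,loop,offset={lba * SECTOR} {image_path} /mnt"


# --- constructed samples (not taken from the real malware) ---

def build_intact_mbr():
    """Classic MBR prologue (xor ax,ax ... rep movsb) plus one bootable NTFS partition at LBA 2048."""
    mbr = bytearray(SECTOR)
    mbr[:23] = b"\x33\xc0\x8e\xd0\xbc\x00\x7c\x8e\xc0\x8e\xd8\xbe\x00\x7c\xbf\x00\x06\xb9\x00\x02\xfc\xf3\xa4"
    struct.pack_into("<B3sB3sII", mbr, PART_TABLE, 0x80, b"\x20\x21\x00", 0x07, b"\xfe\xff\xff", 2048, 1024000)
    mbr[510:] = BOOT_SIG
    return bytes(mbr)


RANSOM_NOTE = (b"Your files are encrypted! Send $200 in Monero to restore them.\r\n"
               b"(constructed sample note, address omitted)\r\n")


def build_overwritten_mbr():
    """What the trojan leaves behind: the note where boot code used to be, partition entries gone."""
    mbr = bytearray(SECTOR)
    mbr[:len(RANSOM_NOTE)] = RANSOM_NOTE
    mbr[510:] = BOOT_SIG
    return bytes(mbr)


def build_image():
    """A tiny disk image: clobbered MBR, then the untouched NTFS volume still sitting at LBA 2048."""
    ntfs = bytearray(SECTOR)
    ntfs[0:3], ntfs[3:11], ntfs[510:] = b"\xEB\x52\x90", b"NTFS    ", BOOT_SIG
    return build_overwritten_mbr() + bytes(SECTOR * 2047) + bytes(ntfs)


if __name__ == "__main__":
    for name, mbr in (("intact", build_intact_mbr()), ("overwritten", build_overwritten_mbr())):
        print(name, assess_mbr(mbr))
    for lba in find_ntfs_volumes(build_image()):
        print(f"NTFS volume at LBA {lba}: {mount_command(lba)}")
```

On a real disk the same functions take `dd if=/dev/sda bs=512 count=1` for the MBR and the full image (or the block device opened read-only) for the scan; the printed mount line is the manual recovery the write-up alludes to, and re-creating the partition entry from the LBA the scan found is what a tool such as testdisk automates.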
SonicWALL Gateway AntiVirus provides protection against this threat via the following signature: