Ransomware deployments after brute force RDP attack

Fox-IT has encountered various ways in which ransomware is being spread and activated. Many infections happen by sending spam e-mails and luring the recipient into opening the infected attachment. Another method is impersonating a well-known company in a spam e-mail stating that an invoice or track&trace information is ready for download. By following the link provided in the e-mail, the recipient downloads the file containing the malware from a convincing-looking website. Distributing ransomware through malvertising, an exploit kit being served through an advertisement network, is also a common way for criminals to infect systems.

In the past few months, Fox-IT’s incident response team, FoxCERT, was involved in several investigations where a different technique surfaced: activating ransomware from a compromised remote desktop server.

Getting access

Before we get to why this might be lucrative for the criminals, how do they get access in the first place? RDP, or Remote Desktop Protocol, is a proprietary protocol developed by Microsoft to provide remote access to a system over the network, either the local network or the Internet. When a user successfully connects over RDP to a system running remote desktop services (formerly known as terminal services), the user is presented with a graphical interface similar to that of working on the system itself. This is widely used by system administrators for managing various systems in the organization, by users working with thin clients, or for working remotely. Attackers mostly tend to abuse remote desktop services for lateral movement after gaining a foothold in the network. In these cases, however, RDP was their point of entry into the network.

Entries in the log files show the attackers got access to the servers by brute forcing usernames and passwords on remote desktop servers that are accessible from the Internet. Day in, day out, failed login attempts are recorded coming from hundreds of unique IP addresses trying hundreds of unique usernames. Connecting remote desktop servers directly to the Internet is not recommended, and brute forcing remote desktop services is nothing new. But without the proper controls in place to prevent, or at least detect and respond to, successful compromises, brute force RDP attacks are still relevant. And now with a ransomware twist as well.

Image 1: Example network with compromised RDP server and attacker deploying ransomware.

The impact

After brute forcing credentials to gain access to a remote desktop server, the attackers can do whatever the user account has permissions to do on the server and network. So how could an attacker capitalize on this? Underground markets exist where RDP credentials can be sold for an easy cash-out for the attacker. A more creative attacker could attempt all kinds of privilege escalation techniques to ultimately become domain administrator (if not already), but most of the time this is not even necessary, as the compromised user account might already have access to all kinds of network shares with sensitive data, for example personally identifiable information (PII) or intellectual property (IP), which in turn can be exfiltrated and sold on underground markets. The compromised user account and system could be added to a botnet, used as a proxy server, or used for sending out spam e-mail messages. Plenty of possibilities, including taking the company data hostage by executing ransomware.

Depending on the segmentation and segregation of the network, the impact of ransomware being executed from a workstation in a client LAN might be limited to the network segments and file shares the workstation and affected user account can reach. From a server though, an attacker might be able to find and reach other servers and encrypt more critical company data to increase the impact.

The power lies in the amount of time the attackers can spend on reconnaissance if no proper detection controls are in place. For example, the attackers have time to analyze how and when back-ups of critical company data are created before executing the ransomware. This helps them make sure the back-ups are useless for restoring the encrypted data, which in turn increases the chances of a company actually paying the ransom. In the breaches Fox-IT investigated, the attackers spent weeks actively exploring the network by scanning and lateral movement. As soon as the ransomware was activated, no fixed ransom was demanded; instead, negotiation by e-mail was required. As the attackers have a lot of knowledge of the compromised network and company, their position in the negotiation is stronger than when infection took place through a drive-by download or infected e-mail attachment. The demanded ransom reflects this and can be significantly higher.

Image 2: Example ransomware wallpaper.

Prevention, detection, response

Connecting Remote Desktop Services to the Internet is a risk. Such services should be disabled when they are not essential. If remote access is necessary, user accounts with remote access should have hard-to-guess passwords and preferably a second factor for authentication (2FA) or a second step in verification (2SV). To prevent eavesdropping on the remote connection, a strongly encrypted channel is recommended. Brute force attacks on remote desktop servers and ransomware infections can be prevented. Fox-IT can help to improve your company’s security posture and prevent attacks, for example by an architecture review, security audit or training.

If prevention fails, swift detection will reduce the impact. With verbose logging securely stored and analyzed, accompanied by 24/7 network and endpoint monitoring, an ongoing breach or malware infection will be detected and remediated. The Cyber Threat Management platform can assist in detecting and preventing attacks. And if business continuity and reputation are at stake, our emergency response team is available 24/7.
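The log pattern described under "Getting access" (hundreds of failed logons from one source cycling through many usernames, followed by a success) is the signal the detection paragraph above asks for. As an added example, not Fox-IT's own code or tooling, the Python script below applies that logic to constructed, simplified logon records: a source is flagged once it exceeds a failure or unique-username threshold, and any successful remote desktop logon from a flagged source is reported as a probable compromise. The record layout, thresholds and addresses are assumptions; event IDs 4625/4624 and logon type 10 are the Windows Security log values for failed logon, successful logon and RemoteInteractive (Remote Desktop) logon.

```python
import re
from collections import defaultdict

# Constructed sample records in a simplified layout (not real event log output):
# timestamp event_id logon_type username source_ip
SAMPLE_LOG = """\
2016-03-01T02:10:01 4625 10 administrator 203.0.113.10
2016-03-01T02:10:02 4625 10 admin 203.0.113.10
2016-03-01T02:10:03 4625 10 backup 203.0.113.10
2016-03-01T02:10:04 4625 10 scanner 203.0.113.10
2016-03-01T02:10:05 4625 10 test 203.0.113.10
2016-03-01T02:10:06 4625 10 user1 203.0.113.10
2016-03-01T02:10:09 4624 10 backup 203.0.113.10
2016-03-01T08:00:00 4625 10 jdoe 10.0.0.5
2016-03-01T08:00:30 4624 10 jdoe 10.0.0.5
2016-03-01T09:00:00 4625 10 svc_rdp 198.51.100.7
2016-03-01T09:00:01 4625 10 svc_rdp 198.51.100.7
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+)\s+(?P<event>\d{4})\s+(?P<ltype>\d+)\s+(?P<user>\S+)\s+(?P<ip>\S+)$"
)
FAILED_LOGON, SUCCESS_LOGON = "4625", "4624"   # Windows Security event IDs
RDP_LOGON_TYPE = "10"                          # RemoteInteractive (Remote Desktop)

def parse_events(text):
    """Parse the simplified records, keeping only remote desktop logon events."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m and m.group("ltype") == RDP_LOGON_TYPE:
            events.append(m.groupdict())
    return events

def analyze(text, fail_threshold=5, user_threshold=3):
    """Flag brute-forcing sources and successes that follow a brute force run.

    Thresholds are assumed values for this sample; tune them to real volumes.
    """
    failures = defaultdict(int)        # failed logons per source address
    users_tried = defaultdict(set)     # distinct usernames per source address
    brute_force_sources = set()
    suspicious_successes = []          # (source_ip, user, timestamp)
    for ev in parse_events(text):      # records are processed in log order
        ip = ev["ip"]
        if ev["event"] == FAILED_LOGON:
            failures[ip] += 1
            users_tried[ip].add(ev["user"])
            if failures[ip] >= fail_threshold or len(users_tried[ip]) >= user_threshold:
                brute_force_sources.add(ip)
        elif ev["event"] == SUCCESS_LOGON and ip in brute_force_sources:
            # A success after a brute force run is the compromise to respond to.
            suspicious_successes.append((ip, ev["user"], ev["ts"]))
    return {"brute_force_sources": sorted(brute_force_sources),
            "suspicious_successes": suspicious_successes}

if __name__ == "__main__":
    for key, value in analyze(SAMPLE_LOG).items():
        print(key, value)
```

A single failed logon followed by a success (10.0.0.5 above) stays below both thresholds, so an ordinary mistyped password is not reported.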

Wouter Jansen, Senior Forensic IT Expert at Fox-IT


Financial Crisis Exercise at RSA 2016

This year, at the RSA Conference, held in San Francisco from February 29 – March 4, Fox-IT was asked to host a financial cyber crisis table top exercise for the Learning Labs portion of the conference.

This was a great opportunity for us to showcase some of what Fox-IT does for companies: training and aiding companies in incident response. Our exercise provided an opportunity to address a cyber threat scenario in an interactive and collaborative tabletop exercise.

Goliath National Bank

The exercise took two hours to complete, tracking down discrepancies in the balance sheets of one Goliath National Bank (GNB), a prominent (fictitious) retail bank in the (fictitious) European country of Ramul. The exercise was designed to:

  • elicit constructive discussion as participants examine and resolve problems
  • identify where existing approaches need to be refined
  • establish relationships and share information with other organizations & partners
  • raise the awareness of the security community about challenges when dealing with a cyber crisis

The exercise was designed as a paper-based exercise with a facilitated discussion of a scripted scenario, where planners and players sit together in one room for the exercise execution.

Overall the session was very popular. There were a lot more people queuing up for the session than there was room for. The attendees that did make it in were very engaged.

Real life role playing

Each team distributed roles such as CIO, CISO, HR Director, PR Director, General Counsel or IT director. Reflecting the wide variety of attendees at RSA, we were delighted to discover that many of the roles were represented by players who had these roles in real life.

Teams played in rounds where new information about an incident was revealed in every turn. The attendees had to pick their next steps, and the closer they were to the ideal scenario, the more points they scored.

As crisis teams work through serious events, there is often partial information and there are unclear causes of events and unclear future effects. Therefore, war gaming and cyber crisis table top sessions are required on a regular basis for the crisis management team to gain experience in this field of expertise.

Restoring operations

The most difficult phase of the Learning Lab (as well as in real-life incidents) is the moment a crisis team receives the details about how the incident took place. From that moment the team has to switch from focusing on ‘identifying the root cause’ to ‘restoring operations’. They must find a healthy balance wherein the investigation continues, but the ‘restore operations’ priority becomes the most important. We can call this moment between investigation and mitigation an ‘impasse moment’. In order to make the right call, the crisis management team should be able to look at the incident from a helicopter view and come to a clear decision with regard to the next steps, taking into account the investigation findings, business interests and potential future consequences related to the incident.

Fox-IT’s cyber crisis exercises

Fox-IT regularly hosts cyber crisis exercises, ranging from high-level tabletop sessions involving an organization’s crisis team down to detailed, multi-day technical challenges for computer emergency response teams and other IT personnel involved in a crisis. Whether you want a first introduction to crisis management or want to train your crisis team periodically, our seasoned experts are able to help.

Would you like to know how we can help you to improve your organization’s resiliency? Please contact Rombert Anjema from FoxAcademy, tel. +31 (0)15 284 79 99, e-mail fox@fox-it.com

Kevin Jonkers, Manager Forensics & Incident Response at Fox-IT, Sarah Brown, Principal Cyber Security Expert at Fox-IT and Krijn de Mik, Principal Cyber Security Expert at Fox-IT

RSA 2016: A Long Road Ahead for Security

We recently attended the RSA Conference, held in San Francisco from February 29 – March 4, to speak with our European clients. Does that surprise you? Far more Europeans visit this conference than you might think. The RSA Conference is the largest trade show for security in the world, yet its main attraction lies not so much in what can be seen on the main floor. Of even more interest are the meetings with security officers from a wide array of organizations that coincide with the trade show. This is where the real action takes place.

Importance of Integrating Solutions

Every year, I’m struck by the enormous gap that exists between the claims made out on the trade show floor and what is found to work in the field. Conversations at the trade show are the only way to find out whether the claims are true, and whether there is even a need for them in practice. As you navigate the trade stands, you encounter a myriad of solutions that are perfectly capable of fending off a specific type of attack — or at least claim to do so. Given that there are all manner of attacks, one should therefore deploy multiple solutions for effective, high-level security. Well, naturally CISOs are not going to go for that. Rather, for them, the challenge lies in integration: using the security solutions you already have in place and processing their results in such a way that you enable your team to efficiently and effectively counter a broad spectrum of attacks.

Costs Rising for Hackers

This focus on integration is evident in, for example, the growing attention paid to the economics of hacking. There are even CISOs who are held accountable for how successful they are at raising the costs for a hacker to mount an attack, and who therefore go so far as to set a specified amount as a personal target. This means that CISOs need resources that allow them to block the paths that are the simplest — and therefore the cheapest — for hackers.

Intelligence Hype

The concept of threat intelligence has been on the rise for a long time. If you know who is targeting you and how they operate, you can find them more readily in your network or systems. Meanwhile, the number of suppliers that furnish intel feeds, often consisting of no more than lists of ‘bad’ IP addresses or file hashes, has proliferated. This all leads to market hype. CISOs are drowning in information; one feed after another issues a torrent of information that is too cumbersome for them to work with. What I’m hearing from CISOs is that they would prefer to receive far less technical information, and would instead like more context: Who are the attackers? What are their motives? What are they targeting?

First Aid for Panic

Another increasingly common need is to receive help once a data breach has been discovered. Panic usually breaks out first, especially in the Netherlands now that Meldplicht datalekken, a Dutch law concerning the mandatory notification of data breaches, is in force. To fulfil this notification obligation, everything has to be set in motion immediately: involved parties (such as users and patients) must be informed, the Dutch Data Protection Authority must receive the necessary information, and numerous technical measures must be taken. Owing to the panic and time pressures, there is a pressing need for expertise and tools that can support an organization. Examples include ensuring that the breached company can demonstrate that it conducted a thorough investigation of the incident and helping it to supply the required information on time. This overarching need is consistent with the idea that it is not possible to set up 100% foolproof security. Even when things go wrong, organizations need to be able to mount a swift and adequate response.

Major Cloud Providers Serious About Data Storage Location

Rules and regulations are also an issue in other areas. Following the issue around Safe Harbor, several major cloud providers now take seriously the fact that Europe has a different stance on privacy than the United States. These cloud providers realize that they need to be able to deliver hard guarantees about where data is stored. This clearly goes against the ‘cloud mindset’ that data location no longer matters. But the awareness is slowly sinking in that there is no way to avoid European regulations.

No Silver Bullet

The RSA trade show floor teems with promises of, if you will, security ‘silver bullets’, whether these involve machine learning, threat intelligence, APT defense, or some other term that’s trendy at the moment. Despite this, I have yet to find at RSA the panacea that would give security professionals a distinct advantage over their attackers. This is perhaps unsurprising, given that RSA is ultimately a marketing extravaganza. It’s an excellent place to get a feel for what’s ‘hot’, but it’s not likely to provide the most reliable information for your next security purchase. Fortunately, the security community surrounding the trade fair appears to understand this. No one doubts the importance of technology, but it is only useful insofar as it supports your security operations team and the professional management of your security.

Jeremy Butcher, Fox-IT Director of Operations

RSA 2016: security still has a long way to go

We were at the RSA conference in San Francisco from 29 February to 4 March to talk with our European customers. Yes indeed, far more visitors come from Europe than you would think. RSA is, after all, the most important security trade show in the world. Still, it is not so much about everything there is to see on the show floor. The meetings around it with the people responsible for security at the most diverse organizations are even more interesting. That is where it happens.

Integration of solutions is important

What stands out every year is the enormous gap between everything that is claimed on the show floor and how much of it works in practice. Only in conversations around the show do you find out whether that is really so, and what there is a genuine need for in practice. On the show floor you encounter countless solutions that are perfectly capable of stopping one specific kind of attack (or at least claim to be). But since countless kinds of attacks exist, you would therefore also have to deploy several of those solutions for good security. Well, CISOs naturally will not go for that. For them the challenge is rather integration: deploying the security solutions you do have, and bringing their results together, in such a way that your team can counter a broad spectrum of attacks efficiently and effectively.

Raising the costs for the hacker

That integral focus shows, for example, in increasing attention for the economic aspects of hacking. There are even CISOs who let themselves be held accountable for the degree to which they succeed in driving up the cost of a break-in for a hacker, and who go so far as to attach a concrete amount to that as a personal target. CISOs are therefore interested in means to block the paths that are the simplest, and thus the cheapest, for hackers.

Intelligence hype

Threat intelligence has been on the rise for a while: if you know who has it in for you and how they go about it, you will find them more easily on your network or in your systems. By now the number of providers of intel feeds, which in many cases consist of nothing more than lists of ‘bad’ IP addresses or file hashes, is beyond counting. The result is a hype market: the CISO drowns in intelligence, and one feed after another produces a flood that can no longer be worked with. What I hear from CISOs is that above all they want much less technical information, and instead much more context: who are the possible attackers, what are their motives and what are they after.

First aid for panic

Another need that more and more parties have is help after a data breach has been discovered. Usually panic breaks out first, especially now that the Meldplicht datalekken (mandatory breach notification) is in force in the Netherlands. All sorts of things have to be set in motion immediately: under the notification obligation the data subjects (for example users or patients) must be informed, the Autoriteit Persoonsgegevens must receive the necessary information, and technically all sorts of things have to happen too. Because of the panic and the time pressure there is a great need for expertise, but also for tools that support an organization in this, for example by making sure it can demonstrate that the investigation of the incident is complete, and by helping to supply all the information on time. This need also fits with the idea that 100% security is not possible. Even when things go wrong, the organization must be able to respond quickly and adequately.

Major cloud providers serious about data location

Laws and regulations are a theme in other areas too: after Safe Harbor, a number of major cloud providers now take seriously that privacy is viewed differently in Europe than in the US. They realize that they must be able to offer hard guarantees about the location of the stored data. This clearly goes against the cloud idea that location no longer matters, but the realization is slowly sinking in that there is no getting around European regulation.

No silver bullet

The RSA show floor overflows with promises of security ‘silver bullets’, whether it is machine learning, threat intelligence, APT defense or some other trendy term. But at this RSA I have not found the miracle cure that would give defenders a big lead over the attackers. Perhaps not surprising, since in the end it is a marketing fest: an excellent place to pick up the vibe of what is ‘hot’, but perhaps not directly the best information for your next security purchase. Fortunately, the security community around the show seems to understand this well: of course the technology is important, but mainly insofar as it supports your security operations team and the professional management of your security.

Jeremy Butcher, Director of Operations at Fox-IT