Threat Lab

In light of the publicity, panic, and lingering despair around Spectre and Meltdown, I thought this might be a good time to clear up the differences between vulnerabilities, exploits, and malware. Neither Spectre nor Meltdown are exploits or malware. They are vulnerabilities. Vulnerabilities don’t hurt people, exploits and malware do. To understand this distinction, witness the CLIMB exploit:

The CLIMB Exploit

Frequently, when a vulnerability is exploited, the payload is malware. But the payload can be benign, or there may be no payload delivered at all. I once discovered a windows vulnerability, exploited the vulnerability, and was then able to deliver the payload. Here’s how that story goes:

It’s kind of embarrassing to admit, but one evening my wife and I went out to dinner, and upon returning, realized we had a problem. It wasn’t food poisoning. We were locked out of our house. The solution was to find a vulnerability, exploit it, and get into the house. The vulnerability I found was an insecure window on the ground floor.

With care I was able to push the window inward and sideways to open it. From the outside, I was able to bypass the clasp that should have held the window closed. Of course, the window was vulnerable for years, but nothing bad came of it. As long as nobody used (exploited) the vulnerability to gain unauthorized access to my home, there was no harm done. The vulnerability itself was not stealing things from my home. It was just there, inert. It’s not the vulnerability itself that hurts you. It’s the payload. Granted, the vulnerability is the enabler.

The window was vulnerable for years, but nothing bad happened. Nobody attacked me, and while the potential for attack was present, an attack (exploit) is not a vulnerability. The same can be true of vulnerabilities in software. Opening the window is where the exploit comes in.

My actual exploit occurred in two stages. First, there was proof of concept (POC). After multiple attempts, I was able to prove that the vulnerable window could be opened, even when a security device was present. Next, I needed to execute the Covert Lift Intrusion Motivated Breach (CLIMB) exploit. Yeah, that means I climbed into the open window, a neat little exploit with no coding required. I suppose I could have broken the window, but I really didn’t want to brick my own house (another vulnerability?).

Now we come to the payload. In this case, the payload was opening the door for my wife. You see, not all payloads are malicious. If a burglar had used the CLIMB exploit, they could have delivered a much more harmful payload. They could have washed the dishes (they wouldn’t, unless they were Sheldon Cooper), they could have stolen electronic items, or they could have planted incriminating evidence. The roof is the limit.

Not all vulnerabilities are as easy to exploit as others. All of my second-floor windows had the same vulnerability, but exploiting them would have been more difficult. I am sure happy that I found the vulnerability before a criminal did. Because I was forgetful that fateful night, I’m also happy the vulnerability was there when I found it. As I said, I really didn’t want to break my own window. By the way, I “patched” my windows vulnerability by placing a wooden dowel between the window and the wall.

There you have it. Vulnerabilities, exploits, and payloads explained through the lens of the classic CLIMB exploit.

NOTE: This blog post discusses active research by Webroot into an emerging threat. This information should be considered preliminary and will be updated as more data comes in.

New variants of Locky—Diablo and Lukitus—have surfaced from the ransomware family presumed by many to be dead. After rising to infamy as one of the first major forms of ransomware to achieve global success, Locky’s presence eventually faded. However, it appears this notorious attack is back with distribution through the Necurs botnet, one of the largest botnets in use today.

Webroot protects against Diablo and Lukitus

We first detected Diablo on August 9, 2017, and Lukitus yesterday, August 16. Since then, we’ve seen activity hitting Windows XP, Windows 7, and Windows 10 machines in the United States, United Kingdom, Italy, Sweden, China, Botswana, Russia, Netherlands, and Latvia.

How are these attacks deployed?

As with previous versions, the initial attack vector is through malspam campaigns in which phishing emails contain a zipped attachment with malicious javascript that downloads the Locky payload.

Once the Locky payload is dowloaded, it encrypts the users’ files with “.diablo6” and “.Lukitus”, respectively.

Then it changes the desktop background and provides the rescue pages “diablo6.htm” and “lukitus.htm”, which are identical.

Following what’s been standard for years, the Locky ransomware instructs the user to install a Tor Browser, then navigate to your unique .onion address to pay the ransom.

There is currently no available decryption tool that will work, other than paying the ransom to obtain the decryption keys. Although Webroot will stop this specific variant of Ransomware as a Service in real time—before any encryption takes place—don’t forget that the best protection in your anti-ransomware arsenal is a strong secure backup. You can use a cloud service or offline external storage, but remember to keep it up to date for personal productivity and business continuity.

For best practices for securing your environment against encrypting ransomware, see our community post.

Initial list of MD5s analyzed by Webroot

NOTE: This exhaustive list is current as of publication of this blog. We will continue to update internal lists but will not publish further additions until such time that we deem it necessary.

2E1A3A5F24AA6D725405E009949E6F0B

7821C8F49773EC65B9DFE8921693B130

544BC1C6ECD95D89D96B5E75C3121FEA

A2AEC1429D045355098355CAA371F23E

4779E473C909104272853EA1313BEE37

D7D22FFB1E746C20828422DA5CDF93DA

5245A7FA2351212EBF8257C55536791D

FE1CBC72C53AE7D8D16A5C943B5769FC

EA1832B7539BE8F265C08C0075CCB4DE

ACEA79268714A4752E3BF22161B90471

4BAA57A08C90B78D16C634C22385A748

0816080383AB3F33FEB9B6B51E854C73

0E05A7B9F1F2A19B678D2D92ABF70E47

F83DDED266CA056804BCC60EB998FA6C

4938F1D87F52473BC13C88498D6FC7AF

4BAA57A08C90B78D16C634C22385A748

F83DDED266CA056804BCC60EB998FA6C

8009E4433AAD21916A7761D374EE2BE9

E7E5628F67CB2FA99A829C5A044226A4

4BAA57A08C90B78D16C634C22385A748

3506AB24DB711CF76F95F89B4990981A

ECDAFEF0E38D2B5F24B806AF4FD54CC6

89ED8780CAE257293F610817D6BF1A2E

E613CF78955A4C1D8732B0ECB202CAEC

45021A1A159DEA9952AD3494B8D49852

993608B9AEA2B351E4BA883FEE8916B0

FBE9106026AF42CD24AB970ED718A579

23CCA546A85B5CAA12441F7F4C6B48E4

01DA2F592A64F2ABA0986319436177A5

96E214BAF7F26B879BAF0D87D830F916

040C537F575ED64374AB7F38F27E03F1

D3C856485116A09CAA37D867561BD634

BA82AA75BF6FC2549049877ACE505A24

9C6F2921CE536393198C605C15AE8C91

941CDFF8A86E56D11FCAF25CF7C2129B

Webroot SecureAnywhere® Business solutions will now give admins more ease of control within the Global Site Manager (GSM). From web overrides to Mac- and PC-specific enhancements, we’re delivering new features you asked for to ensure the best multi-vector protection possible.

Webroot protects endpoints against myriad threats at multiple attack stages spanning a variety of attack vectors. One way we do that is through Web Threat Shield evaluating the risk of a given website based on its history and association with other internet objects, i.e., its reputation.

Enable Web Overrides

We’ve released a GSM Console update giving admins the ability to configure create overrides on the default blocking behavior of Web Threat Shield. This ability to whitelist certain websites will give admins greater control and customization over which sites are allowed, in the event that a particular site with a lower reputation score is necessary to complete certain business tasks.

Mac-Specific Changes

An improvement you can expect to see over the coming weeks will be managing Mac endpoints via policy. Updating the Web Threat Shield browser plug-in for Mac is an important first step towards providing more similar experiences across Mac and Windows platforms.

Please notify your clients of this update

Due to security measures specific to Mac browsers, your clients may receive a message when the browser extension updates. When agents receive the update, the Safari and Chrome browsers will launch themselves. Safari will ask the user to indicate they trust the updated browser extension, while Chrome’s message will be purely informational and can be closed without further action. Firefox will wait until the user launches it to throw a notification for the new browser . View a video of the anticipated user experience here:

PC-Specific Changes

Throughout June and July 2017, Windows endpoints will also receive an update. The update will be largely silent; however, individuals with older versions of Firefox will experience a pop-up.

Based on customer feedback, we’ve reduced the number of risk levels from five to three. The new categories will be Trustworthy, Suspicious, and High Risk. Additionally, we will no longer block specific categories (e.g., “proxy”), and will instead block by reputation only. Finally, we will provide more straightforward explanations for why websites have been blocked.

To learn more about these updates, visit the following update bulletins:

• Enabling Web Over ride from the GSM Console: (GSM Console 0)
• Web Threat Shield 1.2.0.82 –
• Mac Browser Extension Update
• PC Agent 9.0.17.24 Update

Locky (.osiris)

O Locky, Locky! Wherefore art thou, Locky?

Alas, could Locky be no more? At the beginning of 2017, data from the field suggested potential Locky infections had decreased dramatically, so we were hoping it was on its way out. Unfortunately, Locky returned with a vengeance, though it had changed its methods somewhat. Upon further investigation, we located a number of binaries in %temp%, “a1.exe” and “a2.exe “, instantly seeing a connection to Nemucod; a name given to a family of Javascript droppers.

After additional research and decompiling several scripts, we’ve come to the conclusion that the same scripts used in previous months to distribute the .crypted “Nemucod” ransomware were suddenly downloading Locky and Kovter instead. Why the change?

Various online reports suggest that Necurs—a set of rootkit/botnet control servers—had gone offline. These were the same servers that sent out massive amounts of spam containing Locky droppers. Based on the information available, we think the bad guys changed their delivery method when these servers fell out of commission. (Incidentally, blocking the %temp% files blocks the infection, so we’re in a good position here!)

Nemucod

The Nemucod script developer used a simple script that runs another script which is then hosted on a compromised website. Those websites then randomize the contents of the script every few minutes. This means that security solutions that still use static signatures are often laughably ineffective at stopping these threats. The randomized website script is not part of the initial script, and is only readable via attachment to the WSCRIPT.exe process.

Initial script received via email:

As you can see, the script above uses “GET” to grab the response text from 1 of 5 compromised websites (var x) and evals that response text.

Sample response text from a compromised site:

When de-obfuscating scripts, I find it simpler to reverse the function used to evaluate the obfuscated content. I de-obfuscated this response script by using the initial script above with the previous function for the variable z2, which is actually eval, as follows:

was modified to

Here’s the final script, which downloads and runs the files (a1.exe and a2.exe).

Below is an example of the network traffic from this script, where the &r parameter is the downloaded payload.

CRYSIS

This ransomware is still only being distributed via compromised user accounts on RDP enabled machines. The most recently used extension is “.wallet” and it’s very common to see the ransom note email as *@india.com.

Below is a ransom note example:

Samples:

https://www.virustotal.com/en/file/31fc83f5e70515777fb4919cf249e3d2208895b96060f68a270f97377944b362/analysis/
https://virustotal.com/en/file/79b08105bbe4b7b407be42656f43c1533c725f951bc4f73c3aa9f3e68d2b3a15/analysis/

Spora

We discovered Spora last month, but data from the field suggests it isn’t too prevalent. The most common infection vector for Spora is Google Installer messages, which are displayed from third party advertisers while browsing the web. The total cost of all services is $120, which is significantly less costly than other ransomware variants, many of which demand at least 2 Bitcoins.

The image below illustrates the different prices for various services.

It also attempts to clear shadow copies via vssadmin.

SAMAS

This ransomware is distributed via compromised JBOSS servers and usually propagates to every system on a network. The most recently used extension is an ironic “.weareyourfriends”. It usually installs in %System32%, since it is typically runs with administrative rights.

Ransomware Staging Tool

Script kiddies looking to make some money need look no further. This ransomware staging tool is exactly what it sounds like: a utility where you just enter your information, browse the folders you want to encrypt, and wait for the money to roll in! We’ve seen a number of variants similar to the binary below. This is so new that it doesn’t yet have its own name, but all variants have been found on compromised RDP systems.

Statistics

Over the last couple of months, the data we’ve seen underscores how important it is for system admins to secure RDP. Unsecured RDP essentially leaves the front door open for cybercriminals. And since modern criminals can just encrypt your data, instead of having to go through the trouble of stealing it, we shouldn’t make it any easier for them to get what they want.

The benefits of adopting the managed service provider (MSP) business model are compelling. After all, predictable, recurring revenue; deeper engagement with clients; and a trusted advisor relationship that generates further business opportunities all sound like everything a successful services business could want. However, for some, it still means braving uncharted territory.

Important Considerations

IT solutions providers interested in switching to the MSP model face a number of decisions. Before you do anything else, you have to define your service offerings. There are so many companies who offer products in the primary MSP categories, so it’s important to take your time in performing a detailed analysis of the pros and cons of various products.

• Automation
  Plain and simple, you need automation tools. These include professional services automation (PSA) and remote monitoring and management (RMM) software, which are the backbone of every MSP’s business. Pay close attention not to just features, but the pricing structure and integrations with the other tools you plan to use.
• Timing
  Another challenge can be finding the right timing to migrate existing customers. The process of transitioning current customers can be a minefield of logistical issues, particularly if those customers purchased different products on a staggered schedule. In those cases, you must consider not just what your full managed services offering will look like, but how to get existing customers onto a monthly bundle.

Differentiating Your Business

Remote monitoring is a standard part of the traditional MSP portfolio. Disaster recovery, such as a secure backup system, is also a leading service to pitch to customers, since disasters of all types can hit an organization at any time, and have the potential to cripple their business operations. So what’s going to make you stand out? You might not think so, but many MSPs are leading with another equally important service: endpoint security.

Computers, mobile devices, and servers will always need protection, but modern businesses face a variety of new challenges. Cybercriminals have only increased their efforts at causing mischief, launching new and creative ransomware with startling frequency at companies around the globe. Additionally, many organizations in the healthcare, financial, and retail segments have compliance mandates for handling sensitive data, which typically include endpoint security. In short, the time is right for starting a conversation about security.

Selecting Cybersecurity

The MSP model is about efficiency gains, so choose a provider that helps reduce your TCO. Look for a security offering that doesn’t need a local server, offers flexible monthly billing, and consider a solution that’s cloud-based so it won’t impact system performance. The security application you choose should be effective, lightweight, and have no noticeable impact when running.

Should disaster strike, it’s also very important to have a solution that can remediate systems automatically, reducing the burden on your IT staff. On the topic reducing burdens, the solution should also include PSA or RMM integration, or a management console that can automate routine tasks and give you the granular visibility you need to oversee all your customers in one place.

Making the Switch to the MSP Model

While adding managed services might seem daunting, it’s a powerful way for resellers to add new revenue streams to the business while transitioning into a hybrid or full MSP model. Keeping costs down on monthly contracts gives MSPs a big advantage today, and if the managed services model didn’t work for both customers and IT solution providers, it wouldn’t have seen the adoption and success it has experienced in recent years. Although the transition isn’t easy, it holds a lot of promise. IT solution providers in transition can rest assured that their best and most profitable years are ahead.

Read this case study to find out how SLPowers, an MSP managing 76 different companies with over 2,000 endpoints, got its start in the reseller realm, moved to managed services, and leveraged next-generation endpoint protection to improve customer satisfaction, lower costs, and increase profitability

Or, take a free, no-risk, no-conflict 30-day trial of Webroot SecureAnywhere Business Endpoint Protection with the Global Site Manager to see the solution SLPowers chose in action.

Ransomware as a Service (RaaS) has been growing steadily since it made its debut in 2015 with Tox. With the new Satan service, it’s easier than ever. The idea is to use this web portal to contract threat actors to create new ransomware samples for distribution via the desired attack vector. This allows any potential cybercriminal, regardless of their skill or coding knowledge, to upgrade to an encrypting ransomware business model.

Those who join the program have a number of viewing options in the portal. The Account panel shows various stats, including how much money has been made, infection count, current share percentage, etc.

All a criminal needs to do is enter a few simple pieces of information to generate brand new malware that’s ready to infect victims. Note that the portal author specifically requests downloaded samples not be shared with VirusTotal, decreasing the likelihood that security vendors will have encountered the variant.

Since the darknet web portal creator takes a 30% cut of all ransoms, it’s in his best interests to make sure as many victims are infected as possible. He provides a guide with step-by-steps instructions on how to deploy malware using obfuscation techniques to avoid detection.

The author also advertises his web portal on underground forums, and explains the payload and the payout scheme. After all, affiliates’ success means he gets a bigger cut.

Although Webroot will catch this specific variant of ransomware as a service in real time before any encryption takes place, don’t forget that the best protection in your anti-ransomware arsenal is a good backup solution. You can use a cloud service or offline external storage, but keeping it up to date is crucial for business continuity.

For best practices for securing your environment against encrypting ransomware, see our community post.

By now, everybody has probably heard of CryptoLocker. It makes sense that CryptoLocker would get a fair amount of media attention, since it’s been involved in several high-profile hacks, but there are a number of other players on the ransomware stage that deserve a place of distinction among the list of players. Managed service providers (MSPs) like you know the value of staying up to date on the variety of different types of threats—in addition to their individual stats and characteristics—to keep clients safe.

Cast of Ransomare Players

1. CryptoWall 4.0 

   A bit like the Barrymores, the Sheens, the Coppolas, (the Kardashians?), the CryptoWall family gets more media coverage with every generation. Following in the family tradition, CryptoWall 4.0 uses phishing emails for distribution. This is hardly a surprise, since phishing is still the single most effective way to drop a malware payload. But CryptoWall 4.0 marches to the beat of its own drum; not only are the victim’s files encrypted, this ransomware randomizes the filenames so the victim can no longer tell which file is which. By fanning the flames to create confusion around how much file damage there actually is, the new CryptoWall increases its chances that victims will pay up.

   Additionally, CryptoWall 4.0 includes a free decrypt video to convince victims that the decryption steps they need to get their files back is effortless, and that handing over the ransom will get them their files back.

   • Phishing email attachment is source of payload
   • Randomizes victim’s filenames to create confusion
   • Offers free decrypt demo to add credibility

2. PadCrypt 

   Rather than hiding out and concealing its plans, what makes PadCrypt different from its contemporaries is its willingness to interact with the public. Embedded into the “product”, PadCrypt includes a chat interface. The ransom process of setting up a Bitcoin wallet, filling it with bitcoins, and sending payment can be complicated. By offering this chat feature, PadCrypt lends a more human support element to the ransomware process, providing so-called support to its victims. (How sweet!)

   • First ransomware with chat support
   • Communicates via Darknet to avoid being traced
   • “Helps” even less savvy victims pay up

3. TeslaCrypt 

   Because it targeted gamers specifically and encrypted the files they need for their games, TeslaCrypt is more of what you’d call a cult fave. The files it takes hostage included saves, mods, and profiles. But since TeslaCrypt was being sold by non-authors on the Darknet, the original authors leaked the master decryption key to the public to permanently diffuse the threat. While it’s laying low for now, we wouldn’t be surprised if TeslaCrypt showed up again next season.

   • Accounted for ~11% of distributed ransomware
   • Attacked over 200 extensions on newer variants
   • Targeted gamers (Valve, Bethesda, Unreal Engine files)
   • Circumvented 3rd party defense to deliver polymorphic payloads at root level

4. RaaS (Ransomware-as-a-Service) 

   Not an actor, per se, but RaaS is more like a local theater company that encourages audience participation. Created for criminals by criminals, it opens up the ransomware stage to hackers of all skill levels. Thanks to RaaS, almost anyone can distribute encrypting ransomware payloads of their own design. In return, hackers pay for the service by sharing a cut of their spoils with the original author.

   • Enables almost anyone to make ransomware
   • Portal for malware generation is exclusively in Darknet (typically invite-only)
   • Intended for less-skilled cybercriminals who rent botnets
   • The malware author who created the portal takes a commission

 Conclusion

Even though the number of ransomware stars keeps growing, and their methods keep getting more diverse and advanced, managed service providers (MSPs) can take steps to maximize defense and help clients stay ahead. Keeping yourself and your customers in the know about the latest tactics and types of exploits favored by today’s ransomware is vital—as well as putting together an all-star cast with next-generation endpoint protection that utilizes collective threat intelligence to proactively protect against the rising stars of malware.

Next Steps: Want to find out if Webroot has what it takes to protect your customers? See for yourself with a no-risk FREE trial. You don’t even have to uninstall existing security. Want to learn more about how Webroot partners with MSPs to delight customers, lower costs, and boost profits? Learn more.

Did we get you to click? That’s how the bad guys get you, too. One little click on the wrong link and your clients’ businesses could be up the proverbial creek.

Theft only comprises one aspect of the activities cybercriminals undertake, but it’s a sizeable chunk of their enterprise. What’s worth noting is what the thieves are stealing. The majority of cybercrime is focused on stealing data with the intent of selling it for profit to a third party, but what keeps one little malware family in the headlines is how differently it plays the game. In a recent conversation between Webroot Chief Technical Officer and rocket scientist Hal Lonas and Penton Technology Market Analyst Ryan Morris, we can see how ransomware is rewriting all the rules.

During the discussion, Lonas noted, “the bad guys used to want your data because it was valuable to them. If [they] could get your credit card number or your identity or a secret from your company, [they] could go sell that.”

When Morris asked what makes ransomware different, Lonas had this to say: “The interesting thing about ransomware is that criminals are now saying, ‘Your data is valuable not to me, the bad guy, but to you. How much is your data worth to you?’ They’re betting that you don’t have any backup and protection in place, so their angle is to take your data and hold it for ransom until you decide what the value is, and then you pay them.” So, while conventional security threats may steal information to sell down the line, what sets ransomware apart is that it seeks to extort money from the victimized company itself.

Morris responded that he’s heard about modern companies with robust security operations run by professional in-house InfoSec teams who, as recently as this year, have paid ransoms. “That blew my mind,” he stated. “I, perhaps naively, thought we’d solved these types of problems.”

Layered Security is the Game Changer in Fighting Ransomware

The question is: if even large businesses with high-powered, fully-staffed dedicated IT departments are having a hard time with these threats, what hope do smaller businesses and the managed service providers (MSPs) they trust to secure them have to fight back against ransomware?

Morris raised the questions, “How can we win the battle in the ransomware universe? What preventive steps should we take, and what ongoing measures should MSPs and end users implement to protect themselves from ransomware threats?”

Lonas cited these key strategies for a solid cybersecurity defense:

“Investing in backups and data security is of paramount importance. That’s hardly new advice. It applies to everything from business security to homeowner’s insurance. But, with a threat like ransomware on the loose, it’s more crucial than ever to make sure our data is securely backed up and that we can recover it quickly, easily and in its entirety. We also have to test the backups; spend a little extra time and money verifying that the recovery systems are going to work.

“From there, we need to make sure we have a multi-level security approach in place. We’ve talked about this for years—the layered security approach—to ensure that malware and other types of breaches don’t get through, and each new attack vector can mean a new layer. Sometimes this causes redundancy, but as long as the various layers work in harmony, they provide comprehensive security that can prevent breaches. Firewalls, next-generation firewalls, web filtering, proxies, VPNs… we have to ensure all of those protection layers are deployed.”

As he continued, Lonas made sure to emphasize the importance of endpoint security. “We have to have world-class endpoint security on all of our machines: the Windows machines, the Apple machines, and the mobile devices, including bring-your-own-device.” According to Lonas, every device that could conceivably connect to a network needs protection so that it doesn’t become the gateway for cybercriminals to infiltrate an organization.

The More Your Clients Know…

Finally, user education is critical. Lonas concluded his recommendations by stating that users need to be aware of the types of threats they’re going to face, the various kinds of phishing attacks, fake messages, emails, and even phone calls they might get from people claiming to be tech support personnel who just need a password to make a quick update. “Bad guys are always figuring out new ways to get to us,” he warns. “The combination of layered security that covers all potential threat vectors, solid backup and recovery strategies, and user education is the only way companies can protect themselves, their employees, and their customers from ransomware.” Existing Webroot MSPs can take advantage of the tools and content available in the ChannelEdge Toolkit and use it educate and inform their clients on threat protection and industry best practices.

Get Ready, Get Set, Take Action

Adopt a next-generation endpoint security solution that uses advanced behavioral technology and real-time detection to keep users safe. Take a 30-day FREE trial of Webroot SecureAnywhere® Business Endpoint Protection—no risk, no obligation to buy. You don’t even have to uninstall existing security.

For many years now, Microsoft has offered a system with Windows that allows you to take control of another machine. This has been invaluable for system admins that need to control servers and other Windows machines, without having to run around from office to office or site to site. Easy takeover of machines does come with risks. The protocol known as Remote Desktop Protocol (RDP) and the Remote Desktop Connection software that relies on it are often victims of simple attacks. These attacks have been on the rise in recent years and are extremely popular at the moment, as they are enticing for cyber criminals that seek to compromise the admins and machines that control whole organizations.

How is Remote Desktop Protocol a security risk?

RDP often uses a particular port that is easy to locate in a scan. And unfortunately, the default account username for an admin is often Administrator. While it’s no secret that having a poor password policy is not ideal for server security, it’s worth reiterating here it can mean that hackers can try huge amounts of passwords before anyone is alerted or an account is locked out.

Once an intruder gets admin access, they can deliver specialized malware or remote access tools that can often be almost impossible for any security solution to detect. With admin privileges and route access to the desktop, maximum damage can be done. This stresses the importance of endpoint protection, as well as policies, monitoring, logging, backups and incident response.

How to protect & secure your organization from Remote Desktop attacks

Preventing such brute force attacks isn’t as complicated as it may seem. You can employ a few easy actions to keep your organization safe:

Prevent scanning for an open port

• Change default RDP port from 3389 to another unused port
• Block RDP (port 3389) via firewall
• Restrict RDP to a whitelisted IP range

Prevent attackers from gaining access if RDP is enabled

• Create a Group Policy Object (GPO) to enforce strong password policy (GPOs are important and should be common practice for your organization)

Optional

• Require two-factor authentication

Getting to the bottom of suspicious activity is vitally important and our team is here to help. Contact us today or learn more about our full suite of business cybersecurity solutions.

Recently, source code for the Internet of Things (IoT) botnet malware, Mirai, was released on hack forums. This type of malware was used last month in an historic distributed-denial-of-service (DDoS) attack against KrebsOnSecurity, which was estimated to have sent 650 gigabits per second of traffic from unsecured routers, IP cameras, DVRs and more to shut down the domain. Thanks to DDoS prevention measures by engineers at Akamai, the company protecting Krebs, the attack was unsuccessful; however, they report that this attack was nearly double the size of the largest one they’d previously seen.

Now that this malware is released publicly, we can expect to see more DDOS attacks coming from botnets such as unsecured routers and other IoT devices. For those wondering who would leave the default firmware username and password on their devices, the answer is “millions of people.” In fact, using Telnet alone (TCP/IP protocol for remote access), Mirai-author, Anna-senpai, reported “I usually pull max 380k bots.” It’s worth noting that many are saying Mirai wasn’t the only malware variant involved in the attack. Level 3 Communications reported that the Bashlight botnet may have played a part, as well.

How the Mirai attack worked

Mirai continuously scans the internet for IoT devices and logs into them using the factory default or hard-coded usernames and passwords.

Once infected, the devices connect to command and control servers to gather details of the attack and target. They then produce large amounts of network traffic—spoofed to look legitimate—at the target servers. With hundreds of thousands of these running in tandem, it’s not hard to shut down most sites. These devices-turned-botnet will still function correctly for the unsuspecting owner, apart from the occasional sluggish bandwidth, and their botnet behavior may go unnoticed indefinitely.

Infected systems can be cleaned by rebooting them, but since scanning for these devices happens at a constant rate, it’s possible for them to be reinfected within minutes of a reboot. This means users have to change the default password immediately after rebooting, or prevent the device from accessing the internet until they can reset the firmware and change the password locally. If you’re taking these steps, make sure to no longer use Telnet, FTP, or HTTP, and instead use their encrypted counterparts SSH, SFTP, and HTTPS.

The underlying problem is that IoT manufacturers are only designing the devices for functionality and aren’t investing in proper security testing. Right now, it’s up to the consumer to scrutinize the security on any devices they use. In the future, some kind of vendor regulation may be necessary.

Hack forums have removed the published code, but it’s still available here.