What is Remote Desktop Protocol (RDP)?

Remote Desktop Protocol (RDP) – a technical standard that enables remote use of desktop computers. Among the protocols available for remote desktop software, RDP, Independent Computing Architecture (ICA), and virtual network computing (VNC) are the most commonly used. Microsoft initially released RDP, which is compatible with most Windows operating systems. But can also be used with Mac operating systems.

What is a Honeypot?

Honeypot – is a system set up at the endpoint to monitor incoming connections and application activities. It mimics the original endpoint to detect potential malicious activities and enable security systems and experts to take countermeasures. Examples of honeypots include internal servers, network computers, and website servers that can attract cyber criminals.

The purpose of a honeypot is to divert and distract attackers away from actual critical systems while providing valuable insights into their behavior, techniques, and motives. Organizations can enhance their security by examining the tactics, techniques, and procedures (TTPs) used by attackers. It helps them recognize potential threats. As you may suppose by the name, RDP honeypot is one that resemples a normal connection through the remote desktop protocol.

Hackers’ Attacks on RDP Honeypot

Through an experiment using high-interaction honeypots with an RDP connection accessible from the public web, GoSecure, a threat hunting and response company with headquarters in the U.S. and Canada, they have discovered that attackers operate within a daily schedule, much like working office hours. Over three months, the researchers recorded nearly 3.5 million login attempts to their RDP honeypot system, highlighting the relentless nature of these attackers.

What do the experts say?

Cybersecurity researchers inform that the honeypots are directly linked to a research program to expose criminals’ strategies that could help prevent them in the future. Between July 1 and September 30, 2022, the honeypot attacked 3,427,611 times from over 1,500 IP addresses. The researchers named the system to entice attackers so criminals would think it was part of the bank’s network.

The attempts to compromise the system were predictable, involving brute-force attacks that relied on multiple dictionaries. The most commonly used username was "Administrator", along with variations such as shortened versions, different languages, or letter cases. In roughly 60,000 instances, the perpetrator conducted preliminary research before attempting to discover the correct login information and tested usernames that did not belong in the given set.

In the image above, researchers found three unique usernames associated with the honeypot system – the names of the RDP certificate, the host, and the hosting provider. These usernames appeared among the top 12 attempted login names, indicating that some hackers were not unthinkingly testing login credentials but were gathering information about the victim beforehand.

The researchers also discovered that the system had collected password hashes and was able to decrypt weaker ones. Their findings revealed that the most common strategy used by the hackers was to create variations of the RDP certificate, followed by variations of the word "password" and simple strings of up to ten digits.

Interesting RDP Honeypot statistics

It’s worth noting that the RDP certificate name was only used in RDP honeypot attack attempts from IP addresses in China (98%) and Russia (2%). However, this doesn’t necessarily imply that the attackers are from these countries but that they utilize infrastructure in these regions. Another observation is that a significant number of attackers (15%) employed thousands of passwords in combination with just five usernames.

What then?

All this information gives quite a view of what is happening in a modern threat landscape. Despite the numerous other ways to infect the system, hackers still prefer RDP. The technology is easy to exploit, so even unskilled attackers will perform the attack fine. Brute force utilities and the databases with credentials are easily accessible. And such popularity is a straightforward reason to ensure your RDP connections are safe.

There are several ways to mitigate known RDP vulnerabilities, and the easiest among them is to close the vulnerable port of this networking protocol. Though there could be more convenient and flexible solutions – consider reading our research on securing RDP protocol.

The post RDP Honeypot Was Attacked 3.5 Million Times appeared first on Gridinsoft Blog.

What is BlackCat Ransomware?

The cybercriminals use ALPHV (BlackCat), a sophisticated ransomware-type program written in the Rust programming language, for their operations. It is distributed as Ransomware-as-a-Service (RaaS) model, encrypts data by locking files, and actively demands payment for decryption. In most cases, the malicious actors responsible for this type of malware rename the encrypted files by appending them with specific extensions. Since the software is distributed as a service, the name of the blocked file extensions depends on the current attackers.

Though, these details are quite trivial for any successful modern ransomware group. More interesting details about BlackCat include their unique approach towards spreading methods and rough behavior when it comes to data publication. The latter, actually, is done on a clear web site, instead of a more regular Darknet page. Moreover, these hackers were among the first who used so-called triple extortion – asking additional money to keep the attack fact in secret.

BlackCat’s level up

BlackCat gained notoriety almost immediately after its launch in November 2021. It was regularly at the top of the most active ransomware groups and was associated with the now-defunct BlackMatter. /DarkSide ransomware. In addition, in 2022 BlackCat switched to the Rust programming language. This gave the customization provided by this language and the ability to bypass malware detection and analysis. However, even after a year and a half, there is no hint that BlackCat’s career is nearing its end.

Over the last six months, BlackCat has been constantly improving its tools. They have abused the functionality of Group Policy Objects to deploy tools and interfere with security measures. For example, attackers may try to increase the speed of their operations by changing the default Group Policy update time, thereby shortening the time between the changes taking effect and the defenders being able to react.

In addition, BlackCat ransomware operators are deploying a double extortion scheme, using tools for both data encryption and theft. One tool, ExMatter, was used to exfiltrate multiple terabytes of data from victims to the attackers’ infrastructure. One BlackCat affiliate exclusively uses this tool, tracked by Microsoft as DEV-0504. The attackers frequently post stolen data publicly on their official leak site. They are doing that for one reason – to pressure their extortion victims.

New version of BlackCat

A new version of BlackCat, called Sphynx, was also observed by IBM X-Force. It was announced in February 2023 and has updated capabilities that make it harder to detect. Sphynx differs significantly from previous variants. For example, reworking the command line arguments and using raw structures instead of JSON formatting for configuration data. This makes it harder to detect and analyze the ransomware. The BlackCat group has stated that it was a global update and it was done to optimize detection by AV/EDR. In short, the BlackCat Sphynx Loader is an obfuscated loader that decrypts strings and payloads upon execution. It conducts network discovery activities and creates a ransom note in encrypted files. The BlackCat ransomware sample may also function as a toolkit based on tools from Impacket.

How does it work?

Initial access and privilege escalation

Researchers tend to believe that attackers used valid credentials obtained through Raccoon and Vidar stealers in the earliest stages. After successfully penetrating a network, attackers use PowerShell and the command line to gather information. In particular, they are interested in information about user accounts, domain computers, and permissions. As a result, they use the PowerShell code associated with “PowerSploit” to obtain domain administrator credentials.

Defense Evasion and Lateral Movement

Next, the attackers use Remote Desktop Protocol (RDP) to move around the network. Using credentials for accounts with administrative privileges, they authenticate to domain controllers. Eventually, they modify the default domain group policy object (GPO). These actions allow them to disable security controls, Microsoft Defender, system monitoring, security, and notifications. In addition, attackers edit the default domain group policy settings.

Exfiltration and self-destruction

As mentioned above – BlackCat extracts data using ExMatter before launching the ransomware. This malware installs itself as a service in the system registry section in the following key. Then, a secure file transfer protocol and WebDAV send the stolen data to the attacker’s infrastructure. After exfiltrating the data, Exmatter launches a specific process to remove all its traces.

BlackCat vs. Linux

In addition to attacking Windows systems, BlackCat affiliates can attack unix systems. In this case, the payload is deployed on ESXIi hosts with virtual machines using WinSCP. The attackers then access the hosts using PuTTY to run the ransomware. Releasing malware versions adjusted to attack Linux systems appears to be a new trend among cybercriminals – and it should not be ignored.

How to Protect Against BlackCat Ransomware Attacks

• Educating employees. Educating employees is crucial to safeguard against ransomware like BlackCat. Training them on identifying phishing emails, avoiding suspicious links and attachments, keeping software updated, and reporting any suspicious activity to IT or security personnel can reduce the risk of an attack. Regular security awareness training can inform employees about the latest threats and best practices.
• Encrypting sensitive data. Encrypting sensitive data is an effective way to protect against BlackCat ransomware and other malware. This involves converting the data into a code requiring a decryption key. Financial records, personal information, and important files should always be encrypted. Access controls should also be implemented to restrict who can view or modify the data. By encrypting sensitive data and implementing access controls, businesses can significantly reduce the risk of attack and potential impact.
• Backup data. Backing up and storing your data offline is the best way to keep and protect your files from any ransomware and other malware. We recommend storing a copy of essential files in a separate location. For example, you can use an external or cloud storage. If infected, you can erase files and restore data from the backup. Keep backups secure by storing them in a location physically separate from your computer or using a reputable cloud storage service with strong security and encryption.

These were the main ways to prevent negative consequences. But in addition, it is essential to use multi-factor authentication, use strong passwords, Install updates, Monitor network traffic, and Monitor file and folder activity.

The post BlackCat Ransomware New Update Boosts Exfiltration Speed appeared first on Gridinsoft Blog.

The RCE vulnerability CVE-2022-21893 was fixed on January 2022 Patch Tuesday, but the attack vector was not fixed. In April 2022, Microsoft already fixed the new bug CVE-2022-24533.

Let me remind you that we wrote that Sarwent malware opens RDP ports on infected machines, and also that Information Security Specialists Discovered a 0-day Vulnerability in Windows Search.

CVE-2022-21893 is a Windows Remote Desktop Services (RDS) vulnerability that could allow an unprivileged user via RDP to access the file system of connected users’ devices.

The vulnerability allows an attacker to view and modify the contents of the clipboard, sent files, and smart card PINs. An attacker can impersonate a logged in user and gain access to the victim’s connected devices (USB devices, hard drives, etc.).

According to the researchers, the vulnerability exists due to improper handling of RDS named pipe permissions, which allows a user with normal privileges to “hijack RDP virtual channels in other connected sessions.”

Microsoft changed the permissions on pipes and prevented the regular user from creating named pipe servers. However, this did not remove the user’s ability to set permissions for subsequent instances. After the April fix, a new Globally Unique Identifier (GUID) is generated for new channels that prevents an attacker from predicting the name of the next channel.

At the moment, there are no vulnerabilities, and users are safe. Experts recommended updating the service to the latest version to ensure data protection.

The post Microsoft Has Already Patched a Vulnerability in Windows RDP Twice appeared first on Gridinsoft Blog.

The first attacks were recorded by specialists from Check Point at the end of October this year, and now their number has increased.

According to experts, criminals usually carry out attacks after midnight, when companies have fewer IT workers. The Pay2Key malware allegedly infiltrates the network of organizations through a weakly secured RDP (Remote Desktop Protocol) connection. Attackers gain access to corporate networks “some time before the attack,” and malware can encrypt the victim’s network in an hour.

Having penetrated the local network, hackers install a proxy server on one of the devices to ensure that all copies of the malware are connected to the C&C server. The payload (Cobalt.Client.exe) is launched remotely using the legitimate PsExec utility.

Numerous compilation artifacts indicate that the ransomware has another name – Cobalt (not to be confused with Cobalt Strike).

Although the identity of the attackers remains unknown, the language in the various lines of code written in poor English suggests that the attacker is not a native English speaker.

The new ransomware is written in C++ and has no analogues in the darknet market. It encrypts files with the AES key, and uses RSA keys to communicate with the C&C server. In the same way, Pay2Key receives a configuration file with a list of extensions for encryption, a template for a ransom message, etc.

Once encryption is complete, ransom notes remain in compromised systems. The Pay2Key grouping usually requires a ransom of 7 to 9 bitcoins (roughly $110 to $140k). The criminals’ encryption scheme looks solid (using AES and RSA algorithms) and unfortunately experts have not been able to develop a free version of the decryptor for victims yet.

Let me remind you that recently Ragnar Locker ransomware attacked Italian beverage manufacturer Gruppo Campari, and this is just one of the most “delicious” news in recent years.

The post New Pay2Key ransomware encrypts corporate networks in just an hour appeared first on Gridinsoft Blog.

Sarwent is a not-so-famous backdoor trojan, active since 2018. Previous versions of malware had a very limited set of functions, for example, they could download and install other malware on compromised computers.

“Sarwent has received little attention from researchers, but this backdoor malware is still being actively developed, and enforced with new commands. Updates to Sarwent malware show a continued interest in backdoor functionality such as executing PowerShell commands. Updates also show a preference for using RDP. Sarwent has been seen using the same binary signer as at least one TrickBot operator”, — write SentinelOne researchers.

However, the more recent Sarwent variation has received two important updates.

First, the malware “learned” to execute custom CLI commands using Windows Command Prompt and PowerShell. Secondly, Sarwent now creates a new Windows user account on infected machines, enables the RDP service, and then makes changes to the Windows Firewall settings to allow external access through RDP to the infected host.

In fact, this means that Sarwent operators can use the created account to access the infected host and will not be blocked by the local firewall.

Researchers note that so far the new version of Sarwent has been found only as a secondary infection when computers were infected with another malware, for example, Predator the Thief.

It is not yet clear what Sarwent operators do with RDP access on infected hosts.

“Typically, this evolution of the malware indicates a hacker’s desire to monetize the malware with new methods, or the new functionality may be determined by the needs of the customers of the attackers”, – write the researchers.

That is, the group standing behind Sarwent can independently use RDP access (for example, to steal proprietary data or deploy ransomware), or hackers can rent RDP access to infected hosts to other criminals.

There is also a possibility that RDP endpoints are put up for sale on special trading platforms where they trade access to hacked networks and machines (an example can be seen below).

Let me remind you that due to pandemic, RDP and VPN usage grew by 41% and 33%.

The post Sarwent malware opens RDP ports on infected machines appeared first on Gridinsoft Blog.

According to statistics from the Shodan search engine, by last Sunday, March 29, 2020, the number of RDP endpoints increased from 3,000,000 at the beginning of the year to almost 4,400,000. These data include only endpoints running on the standard RDP 3389 port.

“A similar surge of activity is also observed on port 3388, which is regularly use system administrators to protect RDPs from attacks. In this case, activity increased by 36.8% (from 60,000 at the beginning of the year to 80,000 now)”, – says John Matherly, the founder and head of Shodan.

Similarly is growing the number of different servers using VPN protocols, such as IKE and PPTP: from 7,500,000 to almost 10,000,000 to date.

However, these figures reflect the situation only with corporate VPN servers, while the use of consumer-level VPNs is also growing rapidly. The fact is that as majority users are now stuck at home, they are increasingly resorting to use VPN applications to bypass geographic blocking.

For example, last week, NordVPN developers reported that since March 11, the number of users has grown by 165%, while Atlas VPN speaks of a 124% increase in VPN usage among US users only.

These data are also confirm representatives of the Top10VPN website, which note the growth of the entire market and, in particular, record a 65% increase in demand for VPNs in the USA (compared to the previous quarter).

“We’ve observed significant growth in other protocols (HTTPS) but one of the important areas where we’ve seen a worrying increase in exposure is for industrial control systems (ICS). The growth (16.4%) is not as large as for other protocols but these are ICS protocols that don’t have any authentication or security measures. We had actually seen a stagnation in the ICS exposure up until now. And there have been significant advancements in OT security so there are plenty of secure options to choose from”, — reports John Matherly.

This data is not surprising, Shodan only confirmed the reflection of the Internet during the pandemic. But it also indicates increased risks: the most popular vectors of attacks, according to the report of FireEye company, were brute force attacks on open RDP ports aimed at phishing employees.

The post Due to pandemic, RDP and VPN usage grew by 41% and 33% appeared first on Gridinsoft Blog.

This data is based on dozens of ransomware incident investigations from 2017 to 2019.

“In 76% of incidents we reviewed, ransomware was executed in victim environments after hours, that is, on a weekend or before 8:00 a.m. or after 6:00 p.m. on a weekday, using the time zone and customary work week of the victim organization. This observation underscores that threat actors continue working even when most employees may not be”, — said FireEye specialists.

Such statistic is easily explainable, and in most companies there is simply no IT staff who would be on duty at night and on weekends. So, if there is no one to quickly respond to the attack, then attackers have good chances that the encryption process will have time to finish seamlessly on machines throughout the company’s network.

Researchers write that, as a rule, ransomware operators penetrate company networks in advance (as, for example, in the case of an attack on Epiq Global), then spend time on side movements to gain access to the maximum number of workstations, and only then manually install malware on all systems and start the encryption process.

“In other cases, attackers linked ransomware deployment to user actions. For example, in 2019 incidents at retail and professional services firms, attackers created an Active Directory Group Policy Object to trigger ransomware execution based on user log on and log off”, — explain FireEye specialists.

According to FireEye, the time from the initial compromise to the actual attack is on average three days.

As mentioned above, today ransomware attacks are started manually by attackers, but not automatically: most hackers carefully control their malware, and carefully choose when the most suitable time to attack and disable the network.

According to FireEye estimates, since 2017 the number of such people-driven ransomware attacks has increased by a huge 860%, that is, now such incidents affect all sectors and all geographical areas, and not just companies from North America.

The most popular vectors of such attacks, according to the report, were brute force attacks on open RDP ports aimed at phishing employees, pirated software, drive-by attacks, as well as using one infected host to spread the malware to others.

The good news is that particularly with post-compromise infections, there is often a window of time between the first malicious action and ransomware deployment. If network defenders can detect and remediate the initial compromise quickly, it is possible to avoid the significant damage and cost of a ransomware infection.

The post Ransomware attacks most often occur at night and on weekends appeared first on Gridinsoft Blog.