Brute force RDP attacks plant CRYSIS ransomware in ANZ region

13 Feb 17

In September 2016, we noticed that operators of the updated CRYSIS ransomware family (detected as RANSOM_CRYSIS) were targeting Australia and New Zealand businesses via remote desktop (RDP) brute force attacks. Since then, brute force RDP attacks are still ongoing, affecting both SMEs and large enterprises across the globe. In fact, the volume of these attacks doubled in January 2017 from a comparable period in late 2016. While a wide variety of sectors have been affected, the most consistent target has been the healthcare sector in the United States.

We believe that the same group of attackers is behind the earlier attacks and the current campaign. The file names being used are consistent within each region. Other parts of this attack—such as where the malicious files are dropped onto the compromised machine—are also consistent.

As we originally observed, during the RDP session a folder shared on the remote PC was used to transfer malware from the attacker machine:

In some cases, the clipboard was also used to transfer files:

Both methods expose the local resources of the attacker to the remote machine, and vice-versa. By default, there are no applied restrictions to these RDP features on an endpoint that is exposed to the internet and it is up to the administrator to apply controls.

The attacker tries to log in using various commonly-used usernames and passwords. Once the attacker has determined the correct username and password combination, he (or she) usually comes back multiple times within a short period to try and infect the endpoint. These repeated attempts are usually successful within a matter of minutes.

In one particular case, we saw CRYSIS deployed six times (packed different ways) on an endpoint within a span of 10 minutes. When we went over the files that were copied, they were created at various times during a 30-day period starting from the time of the first compromise attempt. The attackers had multiple files at their disposal, and they were experimenting with various payloads until they found something that worked well.

What to do when you suspect that this method has been used against your organisation

If you find yourself in this situation, our original discussion of the September incident provided some key steps to consider.

Limit the potential risk to your network by applying proper security settings in Remote Desktop Services. Disabling access to shared drives and the clipboard would limit the ability to copy files via RDP. Restricting other security settings may be useful as well. Note that limiting such functionality may impact usability.

Try to identify any offending IP addresses. With newer versions of Windows, the OS logs Remote Desktop connection details in the Windows Event Viewer with the Event ID 1149. The logged information includes the user account that was used (i.e., the compromised account), as well as the IP address of the attacker.
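One way to act on the second step, as an added example that is not from Trend Micro or the original article: a small Python script that groups constructed Event ID 1149-style records by source address and flags any source with three or more successful RDP logons inside ten minutes, the repeated-return pattern described earlier. The one-line record layout and the thresholds are assumptions; on a real host the 1149 events would be exported from the TerminalServices-RemoteConnectionManager/Operational log first.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample lines modelled on the fields Event ID 1149 records
# (TerminalServices-RemoteConnectionManager/Operational log): time, event ID,
# user, domain, source network address. Made-up values, not real log data.
SAMPLE_EVENTS = """\
2017-01-10T02:14:05 1149 Administrator . 198.51.100.23
2017-01-10T02:15:41 1149 Administrator . 198.51.100.23
2017-01-10T02:17:02 1149 Administrator . 198.51.100.23
2017-01-10T02:21:30 1149 Administrator . 198.51.100.23
2017-01-10T09:30:00 1149 jsmith CORP 192.0.2.10
2017-01-11T09:31:12 1149 jsmith CORP 192.0.2.10
"""

LINE_RE = re.compile(r"^(?P<ts>\S+)\s+1149\s+(?P<user>\S+)\s+(?P<domain>\S+)\s+(?P<ip>\S+)$")


def parse_events(text):
    """Parse one record per line; lines that do not match the layout are skipped."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            events.append({"ts": datetime.fromisoformat(m["ts"]), "user": m["user"],
                           "domain": m["domain"], "ip": m["ip"]})
    return events


def suspicious_sources(events, min_count=3, window=timedelta(minutes=10)):
    """Map source IP -> (total logons, sorted account names) for every source
    that produced at least min_count successful RDP logons within one window."""
    by_ip = defaultdict(list)
    for e in events:
        by_ip[e["ip"]].append(e)
    flagged = {}
    for ip, evs in by_ip.items():
        evs.sort(key=lambda e: e["ts"])
        start = 0  # sliding window: advance start until the span fits in `window`
        for end in range(len(evs)):
            while evs[end]["ts"] - evs[start]["ts"] > window:
                start += 1
            if end - start + 1 >= min_count:
                flagged[ip] = (len(evs), sorted({e["user"] for e in evs}))
                break
    return flagged


if __name__ == "__main__":
    for ip, (count, users) in suspicious_sources(parse_events(SAMPLE_EVENTS)).items():
        print(f"{ip}: {count} logons, accounts {users}")
```

The flagged address and its account list are exactly what the second step asks you to identify; the same grouping over a longer window will also surface the slower, spread-out attempts that precede the first successful logon.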

Trend Micro customers may also take advantage of some of the product features, namely:

Check the product configuration for a product like Trend Micro OfficeScan. Specifically, check for an option like “Scan network drive” and make sure it is activated. This feature is usually disabled, but in some cases (like this one) it may be useful. It may even allow for the cleanup of the attacker’s host: the shared network drive (located under \\tsclient) has full read/write access by default. Activating the “Scan network drive” option cleans the contents of this shared drive.

Advanced network detection tools like Trend Micro Deep Discovery can monitor brute-force attacks. Multiple “Unsuccessful logon to Kerberos” and “Logon attempt – RDP” events could be signs of an ongoing brute-force attack, and allow the IT administrator to know if the attack was successful. This should be monitored at all times for hosts that are exposed to the internet via RDP.
