Search This Blog
Powered by Blogger.

Blog Archive

Labels

About Me

Load More
Trendy Right Now

Popular Posts

Showing posts with label RDP. Show all posts
SMB
BlueKeep Botnet Botnet attack CVSS 4.0 Cyber Security Information Security RDP SMB

Prometei Botnet: The Persistent Threat Targeting Global Systems

 

The Prometei botnet, active since at least 2016, continues to pose a persistent threat worldwide by exploiting unpatched software vulnerabilities. First identified in 2020, Prometei has since infected over 10,000 systems across diverse regions, including Brazil, Indonesia, Turkey, and Germany. Its resilience stems from its focus on widely used software gaps, particularly in systems with weak configurations, unmonitored security measures, or outdated patches. The Federal Office for Information Security in Germany has labeled it a medium-impact threat, given its extensive reach and ability to bypass security protocols. Prometei operates by exploiting vulnerabilities in widely used software, spreading particularly through unpatched or poorly configured Exchange servers. 

Critical Start’s Callie Guenther highlights Prometei’s strategy of leveraging regions with inadequate cybersecurity, making it highly effective in targeting various systems regardless of location. One notable aspect is its ability to spread through legacy vulnerabilities, such as the BlueKeep flaw in Remote Desktop Protocol (RDP), which has a critical CVSS score of 9.8. By targeting these known issues, Prometei can quickly access poorly maintained systems that remain unprotected. A Prometei attack often starts with a series of network login attempts, typically originating from locations associated with known botnet infrastructure. Once access is secured, the malware tests various system weaknesses, particularly outdated vulnerabilities like BlueKeep and EternalBlue. If successful, it can propagate through Server Message Block (SMB) systems or use ProxyLogon flaws to exploit Windows environments further. 

Prometei’s use of outdated exploits could be seen as less sophisticated; however, its approach is strategic, focusing on identifying vulnerable, under-maintained systems rather than tackling those with robust security protocols. Once established in a target system, Prometei employs several techniques to maintain control and evade detection. For example, it uses a domain generation algorithm (DGA) to enhance its command-and-control (C2) system, allowing continuous operation even if some domains are blocked. It further manipulates firewall settings to ensure its traffic is not obstructed, enabling it to persist even after system reboots. Among its advanced methods is the use of the WDigest protocol, which stores plaintext passwords in memory. 

Prometei forces systems to store passwords in plaintext, then exfiltrates them while bypassing detection by configuring Windows Defender to ignore specific files. The primary goal of Prometei appears to be cryptojacking, as it harnesses infected systems to mine the Monero cryptocurrency without the owners’ knowledge. Additionally, it installs an Apache web server as a web shell, creating a backdoor for attackers to upload more malicious files or execute commands. Prometei’s presence, according to Trend Micro’s Stephen Hilt, often signals deeper security concerns, as it can coexist with other malicious software, highlighting vulnerabilities that attackers may leverage for various purposes. Interestingly, Prometei avoids certain regions, specifically targeting systems outside former Soviet countries. Its command-and-control servers bypass exit nodes within these nations, avoiding accounts tagged as “Guest” or “Other user” in Russian.

Older versions of Prometei also included Russian-language settings, hinting at a potential connection to Russian-speaking developers. The botnet’s name, “Prometei,” references the Greek titan Prometheus, symbolizing a persistence that echoes the botnet’s own sustained presence in global cyber threats. Prometei exemplifies the persistent and evolving nature of modern botnets. Its success in exploiting well-known but unpatched vulnerabilities underscores the importance of maintaining updated security systems. For organizations worldwide, especially those with legacy systems or lax monitoring, Prometei serves as a critical reminder to reinforce defenses against cyber threats, as outdated security leaves systems vulnerable to malicious actors seeking to exploit any gap available.
Read more »
Vulnerabilities and Exploits
Double extortion Encryption MFA Ransomware Attacks. RDP Remote Desktop Protocol Two Factor Authentication Unauthorized access Vulnerabilities and Exploits

Rapid Ransomware Dwell Time and Persistent RDP Vulnerabilities

The dwell period of ransomware hackers has decreased to just 5 days, a noteworthy trend in the constantly changing world of cyber dangers that demands prompt response. The urgent necessity for stronger cybersecurity measures is highlighted by the quick infiltration and encryption timeframe as well as the ongoing use of Remote Desktop Protocol (RDP).

The dwell time, which measures how long an unauthorized actor stays within a hacked system before launching a cyberattack, has substantially lowered to just 5 days, according to a report by BleepingComputer. This is a considerable decrease from the prior average of 18 days, indicating that threat actors are getting better at quickly entering target networks and deploying their destructive payloads.

The report also highlights the persistent use of Remote Desktop Protocol (RDP) as a primary entry point for ransomware attacks. Despite numerous warnings and documented vulnerabilities, RDP remains widely used due to its convenience in enabling remote access. Security experts have long cautioned against RDP's risks, emphasizing its susceptibility to brute force attacks and the potential for unauthorized entry.

A study by Sophos echoes these concerns, revealing that RDP-related attacks remain a prevalent threat vector. Cybercriminals exploit misconfigured RDP services and weak passwords to gain unauthorized access to systems, making them ripe targets for ransomware deployment. The consequences of such attacks can be devastating, leading to data breaches, operational disruptions, and substantial financial losses.

The widespread reliance on RDP is concerning, given the increasing sophistication of ransomware attacks. Attackers are employing various tactics, such as double extortion, where they not only encrypt sensitive data but also threaten to leak it unless a ransom is paid. This creates a multifaceted dilemma for organizations, forcing them to not only recover their systems but also mitigate potential reputational damage.

The security community has also discovered new RDP-related vulnerabilities, according to The Hacker News. These flaws include things like unreliable encryption, a lack of two-factor authentication, and vulnerability to 'pass-the-hash' attacks. The critical need for businesses to review their remote access policies and make investments in safer substitutes is further highlighted by these fundamental shortcomings.

Organizations must take a multifaceted approach to improve their cybersecurity defenses in order to counter these expanding threats. This entails putting in place tight access controls, enforcing strict password guidelines, and routinely patching and updating systems. Ransomware attacks can be considerably reduced with the use of more secure remote access technologies in place of RDP and thorough employee training.

Read more »
VPN
Cyber Security Endpoint Kaspersky Phishing email Ransomware Attacks. RDP Software VPN

Tackling the Top Initial Attack Vectors in Ransomware Campaigns

Ransomware attacks remain a major concern for organizations worldwide, causing significant financial losses and operational disruptions. A recent report by Kaspersky sheds light on the primary attack vectors used in ransomware campaigns, highlighting the importance of addressing these vulnerabilities to mitigate the risk of an attack.

According to the report, three common initial attack vectors account for the majority of ransomware campaigns: phishing emails, vulnerable remote access services, and software vulnerabilities. These vectors serve as entry points for threat actors to gain unauthorized access to systems and initiate ransomware attacks.

Phishing emails remain one of the most prevalent methods used by attackers to distribute ransomware. These emails often employ social engineering techniques to deceive users into opening malicious attachments or clicking on malicious links, leading to the execution of ransomware on their devices. It is crucial for organizations to educate employees about recognizing and avoiding phishing attempts and to implement robust email security measures to filter out such malicious emails.

Vulnerable remote access services pose another significant risk. Attackers target exposed Remote Desktop Protocol (RDP) and Virtual Private Network (VPN) services, exploiting weak or compromised credentials to gain unauthorized access to networks. Organizations should implement strong authentication mechanisms, enforce secure password practices, and regularly update and patch their remote access solutions to mitigate this risk.

Software vulnerabilities also play a crucial role in enabling ransomware attacks. Threat actors exploit known vulnerabilities in operating systems, applications, or plugins to gain a foothold in networks and deploy ransomware. It is essential for organizations to establish a comprehensive patch management process, promptly applying security updates and patches to address known vulnerabilities.

To effectively combat ransomware campaigns, organizations should adopt a multi-layered security approach. This includes implementing strong perimeter defenses, such as firewalls and intrusion detection systems, to detect and block malicious traffic. Endpoint protection solutions that utilize advanced threat detection and prevention mechanisms are also critical in identifying and mitigating ransomware threats.

Regular backups of critical data are essential to recovering from ransomware attacks without paying the ransom. Organizations should ensure that backups are stored securely, offline, and tested regularly to verify their integrity and effectiveness in restoring data.

Reducing the risk of ransomware attacks requires addressing the three primary attack vectors: phishing emails, weak remote access services, and software flaws. Businesses may fortify their defenses and lessen the effects of ransomware events by implementing strong security measures, employee education, timely patching, and backup procedures.
Read more »
SSH
Cyber Attacks Cybersecurity Hackers Honeypot Password Rapid7 RDP SSH

Data From Honeypots Shows Bot Attack Trends Against RDP, SSH



Rapid7's RDP and SSH honeypots were used to collect data over nine months between September 10, 2021, and September 9, 2022. This resulted in the discovery of tens of millions of attempted connection attempts during this timeframe. Honeypots were set up over two weeks in which they captured 215,894 unique IP source addresses, 512,002 unique passwords, and both RDP and SSH honeypots. A large portion (99.997%) of the passwords can likely be found in the text file rockyou2021.txt.

The Rockyou website was hacked in 2009 as a result of a security breach. Consequently, 32 million user accounts were found in cleartext by the attackers, and they stole them. There was an exposed list containing 14,341,564 passwords that eventually turned into the original rockyou.txt list of passwords. This list was widely used in dictionary attacks and is included with Kali Linux as an aid to penetration testing.

There have been numerous password lists added to the original over the years, and updated ones are constantly being added. A result of this research is the rockyou2021.txt collection, which comprises about 8.4 billion records. It is a 92 GB text file that contains about 8.4 billion passwords. There is a pre-release version of the code on the GitHub website for free download. 

Rapid7 explains in its report titled Good Passwords for Bad Bots (PDF), "We use the RockYou set of passwords as a source of passwords that attackers could generate and try to see if there was any evolution beyond the use of a password list." 

The fact that 99.99% of the passwords used to attack Rapid7 honeypots can be found on this password list probably comes as no surprise. This is because most of the passwords used are very common. There are only 14 of the 497,848 passwords that are not included in rockyou2021, out of 497,848 passwords that are involved in the SSH attacks.

There is also an IP address included with each of these files that represent the honeypot that has been hacked. As per Rapid7, there may have been a programming error in the scanner used by the attacker, which in turn makes this situation seem more likely.

In rockyou2021, only one password among those used to attack the RDP honeypots is not included among those that were used in the attack. There was a password 'AuToLoG2019.09.25' that was the thirteenth most prevalent in the entire country. This is a bit puzzling, but the report notes there are malware samples containing the ‘AuToLoG’ string. “The samples are classified as generic trojans by most antivirus vendors but appear to have RDP credentials hardcoded into them,” adds the report.

Besides the SSH mistakes in the example above and the one AuToLog password that was used to access the honeypot, every other password that was used in those honeypot attacks can be found in rockyou2021. In general, honeypot attacks are automated opportunistic bot attacks that prey on weak signals and extract data from them.

During Rapid7's analysis of the passwords that were used, the company found that standard, well-known passwords were preferred over less common passwords. The top five RDP password attempts were: (the empty string), '123', 'password', '123qwe', and 'admin', with '' (the empty string) coming in second. According to the statistics, 123456, nproc, test, qwerty, and password were the top five SSH password attempts over the last 12 months. All of these passwords, as well as all of the others, could have been obtained from rockyou2021.

Rockyou2021 is effectively nothing more than a massive list of words. Random ASCII and mixed ASCII string strings as well as special character strings do not fall under the definition. The number of possible ASCII seven-character strings is approximately 8.4 billion, which would mean that if we added up every possible variation of ASCII seven characters, it would take around 70 trillion possibilities to find the complete set.

With the length of a password being increased, the probability that this would happen will rise dramatically. From Rapid7's analysis, the overriding conclusion is that the use of long, strong random strings like those generated by password manager applications and which are not likely to be included in dictionaries would provide a very strong defense against opportunistic bot-driven automated attacks that are carried out by hackers.

Despite their low costs, Tod Beardsley, Rapid Seven's director of research, advises that these automated attacks are not complementary to each other, but are rather low-cost. As a result, this indicates that password managers are currently not the default method of generating and storing passwords, which signifies that this needs to change. It is imperative to note that password managers have one major drawback, which is that they are not always intuitive or easy to use.
Read more »
Vulnerability management
Cyber Attacks malware OST Ransomware RDP Secureworks Vulnerability Vulnerability management

Ransomware is Now the Top Attack Vector Due to Bug Exploitation

 



Security experts at Secureworks have revealed that vulnerability exploitation has accounted for 52% of ransomware incidents investigated by the company over the past 12 months. This makes it the number one initial access vector for attackers, according to a new report published by the company.

As an annual report, the security firm's State of the Threat report is compiled based on the insight gathered from the anti-terrorism unit of the organization over the past year.

A leading ransomware researcher has found that last year, ransomware actors mainly used vulnerabilities found in systems exposed to the Internet to increase their effectiveness, rather than to take advantage of credentials  often associated with the compromise of Remote Desktop Protocol (RDP), and using malicious emails.

Reports suggested that this shift in tactics may directly result from a significant imbalance between the capabilities of threat actors and network defenders. This imbalance may explain this shift in tactics.

At the same time as threats are rapidly weaponizing newly discovered vulnerabilities, developers of offensive security tools (OSTs) are also driven by the need to generate profit or keep their tools relevant  to implement updated exploit code as soon as possible, the report illustrated. 

A lot of people often overlook the fact that responsible disclosure is often about not having to wait for patches to become available. Even if a patch is available, the process of patching a vulnerability in an enterprise environment is far more complicated and much slower than the process for threat actors or OST developers of weaponizing publicly accessible exploit code.

As a result, vulnerability management teams must also take precautions against the persistent threat of credential-based attacks. In a recent report, Secureworks reported a 150% growth in the use of info-stealers that are designed to grab credentials from networks and gain access to them in an attempt to steal sensitive information.

There has been an investigation launched by an anti-virus vendor on a single day in June, during which it claimed to have observed over 2.2 million credentials, which were collected by criminals who stole information and made them available for sale on an underground platform.

According to Secureworks, ransomware continues to represent the number one threat to global organizations, accounting for more than a quarter of the attacks analyzed by the company. Among the threats that have been reported, most of them have been linked to Russian cybercrime groups.

So far this year, the good news is that the median dwell time of attackers has dropped from 22 days in 2021 to 11 days. This is a decrease of two days from last year, but it still leaves attackers with plenty of time to steal data from organizations and deploy the payloads for ransomware attacks.

Preventions for ransomware attacks


Safeguarding your systems from malware attacks includes simple yet effective measures like

• Never click on unknown or unauthorized links or stores.
• Never input your personal information on unofficial stores or websites.
• Never click on any unknown attachments on emails.
• Never plug into any unknown USB sticks.
• Never download any software or application from unauthorized sources.
• Always keep your systems up-to-date.
• Always work under VPN security while using public wi-fi.
 
To ensure that the vulnerabilities do not get exploited, you need to identify and address them as soon as possible. Keeping track of your vital systems and their security is impossible without implementing an effective vulnerability management system (VM). 

Choosing the right VM tools is important as they provide accuracy, guidance in the right directions, and efficiency, to help your team in dealing with the most critical vulnerabilities. Once you establish a scalable and sustainable VM program you will be capable of defending your systems from ransomware attacks.
Read more »
RDP
Brute-Force Attacks DDOS Attacks malware Microsoft Ransomware Attacks. RDP

Windows 11: Account Lockout Policy Set Against Brute Force Attacks

Brute force exploits are injected into ransomware and other sorts of unauthorized access since they typically rely on automated methods to test a massive amount of passwords for one or more user accounts. 

Beginning with Insider Preview version 22528.1000, Windows 11 automatically mitigates such exploits by capping the number of unsuccessful sign-in attempts at 10, for a period of 10 minutes.

"In order to reduce RDP and other brute force password vectors, DEFAULT account lockout policy is now enabled in Win11 builds. The command will make brute forcing more tricky, which is decent. This technique is frequently used in Human Operated Ransomware and other attacks," stated David Weston, vice president of OS and enterprise security at Microsoft.

Setting Lockout Policy

By establishing a threshold of between 1 and 999 failed sign-in attempts that would cause a user account to be locked, IT security professionals already had the option of preventing brute force attacks using the account lockout policy.

The Account lockout threshold policy enables configuring the maximum number of unsuccessful sign-in attempts before a user account is locked. Once locked, an account cannot be used again until the administrator unlocks it or until the time period provided by the Account lockout duration policy setting has passed. 

It suggested restricting the account lockout time to no more than 15 minutes and setting the account lockout threshold to a high enough number to cater to users mistakenly mistyping their passwords.

However, the reset account lockout countdown will eventually run out, giving the user three more opportunities if they wait and try to log in again the following day, effectively making it appear as though there have been no failed logins.

The effectiveness of brute force attacks is considerably reduced by restricting the amount of password entry tries, but Microsoft warns that threat actors could abuse this security feature to perform denial-of-service (DoS) attacks by locking multiple user accounts in an enterprise.


Read more »
Windows 11
Brute-Force Attacks Cyber Security RDP User Security Windows 11

Microsoft Adds Default Account Lockout Policy in Windows 11 to Block RDP Brute-Force Attacks

 

In the latest Windows 11 builds, Microsoft introduced default Account Lockout Policy which will automatically lock user accounts after 10 consecutive failed login attempts for 10 minutes. 

The account brute forcing process involves inputting a massive number of passwords consecutively using automated tools. The new policy blocks such attacks and can be found in Windows 11 Insider Preview Build 22528.1000 and newer. 

"Win11 builds now have a DEFAULT account lockout policy to mitigate RDP and other brute force password vectors," David Weston, Microsoft's VP for Enterprise and OS Security, stated. "This technique is commonly used in Human Operated Ransomware and other attacks - this control will make brute forcing much harder which is awesome!" 

Brute forcing credentials is a common methodology employed by hackers to infiltrate Windows systems via Remote Desktop Protocol (RDP) when they don't know the account passwords. The use of Remote Desktop Services is so popular among hackers that the FBI said RDP is responsible for nearly 70-80% of all network breaches leading to ransomware assaults. 

The tech giant is gradually blocking all entry vectors employed by ransomware attackers to infiltrate Windows networks and systems. Earlier this year, Microsoft made some security-focused changes including auto-blocking Office macros in downloaded documents and enabling multi-factor authentication (MFA) in Azure AD. The change was temporarily rolled back earlier this month, but it’s back now. 

“We’re resuming the rollout of this change in Current Channel. Based on our review of customer feedback, we’ve made updates to both our end user and our IT admin documentation to make clearer what options you have for different scenarios. For example, what to do if you have files on SharePoint or files on a network share,” Kellie Eickmeyer, Principal Program Manager at Microsoft, announced on Wednesday. 

Windows 10 systems also come with an Account Lockout Policy but are not enabled by default, allowing hackers to brute force their way into Windows systems with exploited Remote Desktop Protocol (RDP) services. Admins can enable this policy on Windows 10 in the Group Policy Management Console from Computer Configuration\Policies\Windows Settings\Security Settings\Account Policies\Account Lockout Policy. 

This is a major step taken to enhance security since many RDP servers, particularly those used to assist teleworkers access corporate assets, are directly exposed to the Internet, exposing the businesses' network to attacks when poorly configured.
Read more »
Ryuk Ransomware
Astro Locker Data Breach ICedID Mandiant Threat Intelligence Mount Locker RDP Ryuk Ransomware

Quantum Ransomware was Detected in Several Network Attacks

 

Quantum ransomware, originally spotted in August 2021, has been found carrying out fast attacks which expand quickly, leaving defenders with little time to react. The assault began with the installation of an IcedID payload on a user endpoint, followed by the launch of Quantum ransomware 3 hours and 44 minutes later. It was identified by DFIR Report researchers as one of the fastest ransomware attacks it had ever seen. IcedID and ISO files have recently been utilized in other attacks, as these files are great for getting past email security safeguards.

According to Mandiant's M-Trends 2022 study, the threat actors began encrypting the victim's data only 29 hours after the first breach in a Ryuk ransomware assault in October 2020. The median global dwell period for ransomware is around 5 days. However, once the ransomware has been installed, the data of the victim may be encrypted in minutes. According to a recent analysis from Splunk, ransomware encrypts data in an average of 43 minutes, with the fastest encryption time being less than 6 minutes. 

The IcedID payload was stored within an ISO image which was presumably distributed by email in the examined Quantum ransomware outbreak. The malware was disguised as a "document" file, which was an LNK file designed to run a DLL (IcedID). Several discovery activities were run when the DLL was executed, utilizing various built-in Windows functions, and a scheduled job was constructed to ensure persistence. 

Cobalt Strike was installed into the victim system about two hours after the first breach, allowing the attackers to begin 'hands-on-keyboard' behavior. The fraudsters then began network reconnaissance, which included identifying each host in the environment as well as the active directory structure of the target organization. After releasing the memory of LSASS, the intruders were able to steal Windows domain credentials and spread laterally via the network. 

Cobalt Strike was also used by the attackers to collect credentials and test them for remote WMI detection tasks. The credentials enabled the adversary to log in to a target server through the remote desktop protocol (RDP), from which they attempted to distribute Cobalt Strike Beacon. The malicious actors then used RDP to access other servers in the system, where they prepared to deliver Quantum ransomware per each host. Threat actors eventually used WMI and PsExec to deliver the Quantum ransomware payload and encrypt devices via WMI and PsExec. 

The Quantum Locker ransomware is a rebranded version of the MountLocker malware, which first appeared in September 2020. Since then, the ransomware gang has gone by several names, including AstroLocker, XingLocker, and Quantum Locker, which is now in its current phase. 

While the DFIR report claims since no data exfiltration activity was detected in the assault they investigated, researchers claim the ransom demands for this gang fluctuate based on the victim, with some attacks seeking $150,000 in exchange for a decryptor. Quantum Locker, unlike its prior versions, is not a highly active operation, with only a few attacks per month.
Read more »
Subscribe to: Posts (Atom)