
Tsplus advanced security questionnaire
Recently, McAfee released a blog related to the wormable RDP vulnerability referred to as CVE-2019-0708 or “Bluekeep.” The blog highlights a particular vulnerability in RDP which was deemed critical by Microsoft due to the fact that it is exploitable over a network connection without authentication. These attributes make it particularly ‘wormable’ – it can easily be coded to spread itself by reaching out to other accessible networked hosts, similar to the famous EternalBlue exploit of 2017. This seems particularly relevant when (at the time of writing) 3,865,098 instances of port 3389 are showing as open on Shodan.

Prior to this, RDP was already on our radar. Last July, McAfee ATR did a deep dive on Remote Desktop Protocol (RDP) marketplaces and described the sheer ease with which cybercriminals can obtain access to a large variety of computer systems, some of which are very sensitive. One of the methods of RDP misuse that we discussed was how it could aid deploying a targeted ransomware campaign. At that time one of the most prolific targeted ransomware groups was SamSam. To gain an initial foothold on its victims’ networks, SamSam would often rely on weakly protected RDP access. From its RDP launchpad, it would proceed to move laterally through a victim’s network, successfully exploiting and discovering additional weaknesses, for instance in a company’s Active Directory (AD). In November 2018, the FBI and the Justice Department indicted two Iranian men for developing and spreading the SamSam ransomware, extorting hospitals, municipalities and public institutions and causing over $30 million in losses.

Unfortunately, this did not stop other cybercriminals from using similar tactics, techniques and procedures (TTPs). In the beginning of 2019 we dedicated several blogs to the Ryuk ransomware family, which has been using RDP as an initial entry vector. The sheer number of vulnerable systems in the wild makes it a “target”-rich environment for cybercriminals.








