Lately, cyber criminals have been targeting enterprises through a commonly found hole in the corporate network: Internet-facing, poorly secured remote desktop servers.
Wouter Jansen, Senior Forensic IT Expert at Fox-IT, says that the company has lately been called in by a number of firms that have been attacked with ransomware, and some of those have let the hackers and the ransomware in through that channel.
“Entries in the log files show the attackers got access to the servers by brute forcing usernames and passwords on remote desktop servers that are accessible from the internet. Day in, day out, failed login attempts are recorded coming from hundreds of unique IP-addresses trying hundreds of unique usernames,” Jansen said.
“After brute forcing credentials to gain access to a remote desktop server, the attackers can do whatever the user account has permissions to on the server and network.”
Previously, that meant the hackers attempting to exfiltrate information that could be sold on underground markets, adding the compromised system to a botnet, or using it to send out spam emails. More recently, however, some of the hackers have switched to deploying ransomware in order to get paid quickly and avoid further complications.
“Depending on the segmentation and segregation of the network, the impact of ransomware being executed from a workstation in a client LAN might be limited to the network segments and file shares the workstation and affected user account can reach. From a server though, an attacker might be able to find and reach other servers and encrypt more critical company data to increase the impact,” Jansen explained.
In addition, cyber criminals can try to find out when the backups are made in order to decide when to execute the ransomware for maximum effectiveness. Usually, they succeed in keeping their presence in the corporate network secret until they trigger the malware.
Of course, this attack requires more work than the usual flinging of ransomware via exploit kits and phishing emails, but the pay-off is potentially much bigger, so it is worth the extra effort.
Even the ransom demand is not one-size-fits-all: the attackers leave an email address through which they can be contacted, urging victims to enter into a negotiation about the sum to be paid to get the files back.
Fortunately, admins can easily foil this type of attack. If it is not possible to make the remote desktop server inaccessible from the internet, user accounts with remote access should have a complex, hard-to-guess password and two-factor authentication or two-step verification enabled. At the same time, the remote connection should be encrypted.
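The log pattern Jansen describes, failed logins from many addresses trying many usernames, can be checked for mechanically, along with the case that matters most: a successful remote login from an address that was guessing beforehand. The Python below is an added example, not code from Fox-IT or the original article; the CSV layout, the sample events, the `analyse` function and its threshold are all assumptions made for illustration.

```python
import csv
import io

# Constructed sample: Windows Security events exported as CSV in an assumed
# layout (time, event_id, logon_type, user, source_ip).
# 4625 = failed logon, 4624 = successful logon;
# logon type 10 = RemoteInteractive, 3 = Network.
SAMPLE_LOG = """\
2024-01-01T02:10:01,4625,3,administrator,203.0.113.10
2024-01-01T02:10:03,4625,3,admin,203.0.113.10
2024-01-01T02:10:05,4625,3,backup,203.0.113.10
2024-01-01T02:10:09,4625,3,scanner,198.51.100.7
2024-01-01T02:10:12,4625,3,reception,198.51.100.7
2024-01-01T02:11:30,4625,3,jsmith,192.0.2.44
2024-01-01T02:15:40,4624,10,backup,203.0.113.10
2024-01-01T08:59:12,4624,10,jsmith,192.0.2.44
"""

REMOTE_LOGON_TYPES = {"3", "10"}


def analyse(log_text, min_usernames=3):
    """Summarise failed remote logons and flag successes that follow guessing.

    Events are assumed to be in chronological order. min_usernames is a
    hypothetical threshold: one user mistyping a password fails under a
    single name, while guessing cycles through many names from one address.
    """
    failed_users_by_ip = {}
    alerts = []
    for row in csv.reader(io.StringIO(log_text)):
        if len(row) != 5:
            continue  # skip blank or malformed lines
        time, event_id, logon_type, user, ip = row
        if logon_type not in REMOTE_LOGON_TYPES:
            continue
        if event_id == "4625":
            failed_users_by_ip.setdefault(ip, set()).add(user.lower())
        elif event_id == "4624":
            # Success from an address that already tried several usernames.
            if len(failed_users_by_ip.get(ip, ())) >= min_usernames:
                alerts.append((time, user, ip))
    usernames = set().union(*failed_users_by_ip.values())
    return {"source_ips": len(failed_users_by_ip),
            "usernames": len(usernames), "alerts": alerts}


if __name__ == "__main__":
    print(analyse(SAMPLE_LOG))
```

An alert here means the account's password should be treated as known to the attacker: reset it and review what that session did on the server and the network it can reach.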