In a recently released report by the UK National Cyber Security Centre (NCSC), whose findings have been backed by Canada’s Communications Security Establishment (CSE) and the US NSA and CISA (Cybersecurity and Infrastructure Security Agency), the agency has warned about active cyber attacks targeting biomedical organizations that are involved in the development of a COVID-19 vaccine.
On Friday, BitSight researchers shared the results of a study that looked for detectable security issues at a number of companies who play a big role in the global search for a vaccine, and found compromised systems, open ports, vulnerabilities and web application security issues.
Biomedical orgs under attack
The report details recent tactics, techniques and procedures (TTPs) used by APT29 (aka “Cozy Bear”), which the NCSC and the CSE believe to be “almost certainly part of the Russian intelligence services.”
The agencies believe that the group is after information and intellectual property relating to the development and testing of COVID-19 vaccines.
“In recent attacks (…), the group conducted basic vulnerability scanning against specific external IP addresses owned by the organisations. The group then deployed public exploits against the vulnerable services identified,” the report states.
Among the flaws exploited by the group are CVE-2019-19781 (affecting Citrix’s Application Delivery Controller (ADC) and Gateway), CVE-2019-11510 and CVE-2018-13379 (affecting Pulse Secure VPN endpoints and Fortigate SSL VPN installations, respectively) and CVE-2019-9670 (affecting the Synacor Zimbra Collaboration Suite).
The group also uses spear-phishing to obtain authentication credentials to internet-accessible login pages for target organizations.
After achieving persistence through additional tooling or legitimate credentials, APT29 uses custom malware (WellMess and WellMail) to execute arbitrary shell commands, upload and download files, and run commands or scripts, with the results sent to a hardcoded command-and-control server. The group also uses malware (SoreFang) that has previously been used by other hacking groups.
The report did not identify the targeted organizations nor did it say whether the attacks were successful and whether any information and IP has been stolen.
Biomedical orgs open to cyber attacks
As many security researchers pointed out, Russian cyber espionage groups aren’t the only ones probing these targets, so these organizations should ramp up their security efforts.
BitSight researchers have recently searched for security issues that attackers might exploit. They’ve looked at 17 companies of varying size that are involved in the search for a COVID-19 vaccine, and found:
- 25 compromised or potentially compromised machines (systems running malware/bots, potentially unwanted applications, spam-sending machines and computers behaving in abnormal ways) in the past year
- A variety of open ports (i.e., exposed insecure services that should never be reachable from outside a company’s firewall): Telnet, Microsoft RDP, printers, SMB, exposed databases, VNC, etc., which can become access points into a company’s network
- Vulnerabilities. “14 of the 17 companies have vulnerabilities and six of them have very serious vulnerabilities (CVSS score > 9). 10 companies have more than 10 different active vulnerabilities.”
- 30 web application security issues (e.g., insecure authentication via HTTP, insecure redirects from HTTPS to HTTP, etc.) that could be exploited by attackers to eavesdrop on and capture sensitive data, such as credentials, corporate email, and customer data.
“These findings are not abnormal when compared to other groups of large companies (e.g. the Fortune 1000), but given the heightened threat environment, they do provide cause for concern,” the researchers pointed out.
“It only takes a misconfigured piece of software, an inadvertently exposed port, or an insecure remote office network for a hacker to gain entry to systems that store scientific research, intellectual property, and the personal data of subjects involved in clinical trials.”
There’s a significant uptick in the number of unique clients who have reported RDP brute-force attack attempts, ESET reveals.
Trend of RDP attack attempts against unique clients (per day) detected by ESET
The trend has been observed since the onset of the global pandemic. The COVID-19 crisis has radically changed the nature of everyday work, forcing employees to manage large parts of their jobs via remote access.
Cybercriminals exploiting remote work
Cybercriminals – especially ransomware operators – are aware of the shift and attempt to exploit the new opportunities and increase their illicit earnings. In the period between January 2020 and May 2020, the United States, China, Russia, Germany and France topped the list of countries with most IPs used for brute-force attacks.
“Before the lockdown, most employees worked from the office and used infrastructure monitored and controlled by their IT department. But the coronavirus pandemic has brought a major shift to the status quo.
“Today, a huge proportion of ‘office’ work occurs via home devices, with workers accessing sensitive company systems through Windows’ Remote Desktop Protocol (RDP), a proprietary solution created by Microsoft to allow connecting to the corporate network from remote computers,” explains Ondrej Kubovič, ESET Security Research & Awareness Specialist.
“Despite the increasing importance of RDP, as well as other remote access services, organizations often neglect its settings and protection. Employees use easy-to-guess passwords, and without additional layers of authentication or protection, there is little that can stop cybercriminals from compromising an organization’s systems,” Kubovič continues.
According to telemetry, most of the blocked IPs in January–May 2020 were seen in the United States, China, Russia, Germany and France. Countries that had the largest proportion of targeted IPs were Russia, Germany, Japan, Brazil and Hungary.
RDP has become a popular attack vector
RDP has become a popular attack vector in the past few years, especially among ransomware gangs. These cybercriminals often brute-force their way into a poorly secured network, elevate their rights to admin level, disable or uninstall security solutions, and then run ransomware to encrypt crucial company data.
However, other malicious actors try to exploit poorly secured RDP to install coin-mining malware or create backdoors, which can be used in case their unauthorized RDP access has been identified and closed.
Enterprises have been experimenting with work from home policies for years. Unfortunately, that experiment suddenly became the default this spring as local and state governments across the U.S. issued “stay at home” orders, leaving tens of millions of employees working from home for the first time.
According to the CSO Pandemic Impact Survey, the number of employees working at least 60 percent of the time from home has increased five-fold since the institution of social and work restrictions. Overnight, organizations faced the urgent need to provide employees secure and reliable access to sensitive company resources, often via personal devices and over home Wi-Fi networks.
What’s worse: open RDP or close up shop?
The need to maintain business operations required some IT teams to open up remote desktop protocol (RDP) to quickly provide employees at home access to their computers in the office. In March, Shodan reported significant growth in RDP exposed to the Internet.
While virtual desktops that use RDP represent a lifeline to the office, they also present a new attack vector. Recently, Kaspersky observed a surge in RDP brute force attacks across the globe as hackers took advantage of new workloads, vulnerable VPN connections, and misconfigurations that left the gates to the network open.
Remote Desktop is an attractive target for attackers because it’s common in enterprise environments, provides remote access to a Windows device, and leaves credentials exposed in memory. Once a bad actor gains access to a device, it can be used for a variety of malicious activities capable of compromising not only that device, but devices and data across the entire network. What’s more, RDP is frequently used for administrative purposes, and administrators are likely to have access to a wide array of privileged systems.
For attackers, successfully compromising RDP can save a lot of time, giving them a level of access that makes it easier to rapidly infiltrate the network, move laterally within it, and continue to escalate privileges to gain further access. While RDP can help keep employees connected and businesses running, its vulnerabilities can lead to the exposure of customer data or dangerous and costly leaks that could shake brand confidence.
RDP is risky business
Below are some of the most prevalent malicious RDP activities and the associated risks that IT teams should be aware of when enabling RDP access.
Exploit: Brute force attacks on RDP are low-cost and easy to perform. Using tools like Ncrack or Hydra, an attacker can implement a brute force attack on RDP accounts to discover weak passwords or valid login credentials. Even though this type of brute force attack is noisy, it can be highly effective due to the prevalence of weak and repurposed passwords. An attacker could also perform a scan to find and exploit known vulnerabilities. With valid credentials, an attacker holds the key to opening multiple RDP sessions from a single device in order to gain control of numerous devices on the network.
One of the most famous examples of RDP exploits is BlueKeep (CVE-2019-0708), a well-known vulnerability in Microsoft’s RDP implementation. BlueKeep allows an unauthenticated attacker to remotely run arbitrary code on a vulnerable RDP server, granting administrator-level access to a network-accessible Windows system, all without user credentials. An attacker could then tamper with data or automate the process by installing malware that propagates to other Windows devices. RDP is commonly enabled on devices, which increases the likelihood that this threat will have a significant effect or even grind business services to a halt.
Exfiltration: After gaining access to a device with a poorly secured RDP, an attacker can easily transfer data. Unusual data transfers might signal suspicious activity such as sharing malicious files between compromised devices or data staging (the process of collecting and preparing data for exfiltration). If important, proprietary, or customer data is leaked, the consequences can be devastating.
Command & Control: With Command and Control techniques, attackers can use RDP to gain access to a network. This typically occurs when devices outside of the network attempt or complete connections to in-network Windows devices using compromised credentials. If the RDP connection is not authenticated, or if the attacker connects to a device with limited privileges, the impact to a business can be low. However, these activities should be examined before they facilitate critical and costly attacks.
Reconnaissance: Before adversaries can execute an attack, they have to find a weak spot they can use to access the network and gain a foothold. While this type of reconnaissance does not negatively affect network performance, attack tools make it easy to discover devices with active Remote Desktop sessions, helping an attacker pinpoint a number of Windows devices to target.
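The brute-force activity described above is noisy precisely because every failed attempt lands in the Windows Security log. The following script is an added example, not part of the original article: it summarises failed logons (event 4625) over a look-back window and flags source addresses that exceed a threshold. The threshold and window are assumed values, and reading the Security log requires an elevated session.

```powershell
# Added example: flag sources generating many failed RDP logons.
# Run elevated; threshold and window are assumptions to tune per environment.
param(
    [int]$Threshold = 20,      # failures from one source before it is flagged
    [int]$WindowMinutes = 60   # look-back window
)

function Get-RdpBruteForceCandidates {
    param([int]$Threshold, [int]$WindowMinutes)

    $since = (Get-Date).AddMinutes(-$WindowMinutes)
    # 4625 = "An account failed to log on". LogonType 10 is RemoteInteractive (RDP);
    # with Network Level Authentication enabled, failures before the session is
    # created are logged as LogonType 3, so both are counted.
    $events = Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4625; StartTime = $since } `
        -ErrorAction SilentlyContinue

    $failures = foreach ($e in $events) {
        # Property positions for 4625: [5] TargetUserName, [10] LogonType, [19] IpAddress
        $p = $e.Properties
        [pscustomobject]@{
            Time      = $e.TimeCreated
            User      = $p[5].Value
            LogonType = [int]$p[10].Value
            Source    = $p[19].Value
        }
    }

    $failures |
        Where-Object { ($_.LogonType -in @(3, 10)) -and $_.Source -and $_.Source -ne '-' } |
        Group-Object Source |
        Where-Object { $_.Count -ge $Threshold } |
        ForEach-Object {
            [pscustomobject]@{
                Source        = $_.Name
                Failures      = $_.Count
                DistinctUsers = @($_.Group.User | Sort-Object -Unique).Count  # password spraying shows many users
                FirstSeen     = ($_.Group.Time | Measure-Object -Minimum).Minimum
                LastSeen      = ($_.Group.Time | Measure-Object -Maximum).Maximum
            }
        } | Sort-Object Failures -Descending
}

Get-RdpBruteForceCandidates -Threshold $Threshold -WindowMinutes $WindowMinutes | Format-Table -AutoSize
```

A high failure count with many distinct users points to password spraying rather than a single mistyped password, and a source that never appears in the VPN or gateway ranges is a direct sign that the port is reachable from where it should not be.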
Minimize the risks of a necessary evil
The reality is that RDP is a convenient attack vector, particularly now that more employees use VPNs and virtual desktops to access corporate resources. There are practical steps IT teams can take to mitigate the risks that can make a vital difference between an attempted intrusion and a major breach.
First, practice good hygiene. Disable remote desktop services unless required and install relevant patches for any affected devices as quickly as possible. Be sure to track in real time which devices are active and connected so no devices are inadvertently missed. Review access controls to ensure that only approved users can connect to remote access services.
Next, put up roadblocks. Run the RDP connection through a VPN or remote desktop gateway where login attempts will undergo more scrutiny. Enforce strong passphrase rules and enable two-factor authentication on all RDP and VPN traffic. Do everything possible to prevent lateral movement if a bad actor does get inside. Implement micro-segmentation by adding secure zones based on the zero-trust security model, and partition network traffic with endpoint firewalls, virtual software-defined networks, or physical networks.
Finally, IT teams should only enable RDP access temporarily and should not consider it a long-term fix for remote access. Instead, organizations may want to evaluate alternatives such as distributing company-issued laptops or Desktop-as-a-Service (DaaS) solutions.
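The hygiene and roadblock steps above can be applied on a single Windows host with the following script. It is an added example, not code from the original article or its author, and the management subnet, the allowed administrators group and the lockout values are assumptions to replace with your own. Run it in an elevated session.

```powershell
# Added example: disable RDP unless required; otherwise require NLA, scope the
# firewall rules to the VPN/gateway range, add a lockout policy and review access.
# Subnet, group name and lockout values are assumptions.
param(
    [switch]$RdpRequired,                          # omit to disable RDP outright
    [string[]]$AllowedSources = @('10.20.0.0/16')  # assumed VPN / RD Gateway subnet
)

$tsKey  = 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server'
$rdpTcp = "$tsKey\WinStations\RDP-Tcp"

if (-not $RdpRequired) {
    # Hygiene: remote desktop off and its firewall openings closed.
    Set-ItemProperty -Path $tsKey -Name fDenyTSConnections -Value 1
    Disable-NetFirewallRule -DisplayGroup 'Remote Desktop'
    Write-Output 'RDP disabled and its firewall rules turned off.'
    return
}

# RDP is required: keep it on but require Network Level Authentication, so
# credentials are checked before a session (and its attack surface) exists.
Set-ItemProperty -Path $tsKey  -Name fDenyTSConnections -Value 0
Set-ItemProperty -Path $rdpTcp -Name UserAuthentication  -Value 1

# Roadblock: the built-in RDP rules only accept the VPN / gateway range, so the
# port is never reachable straight from the Internet.
Set-NetFirewallRule -DisplayGroup 'Remote Desktop' -Enabled True -Profile Any -RemoteAddress $AllowedSources

# Roadblock: slow brute forcing down with a local lockout policy (use GPO on
# domain members). 10 failures / 15 minutes are assumed values.
net accounts /lockoutthreshold:10 /lockoutduration:15 /lockoutwindow:15 | Out-Null

# Access review: anyone in "Remote Desktop Users" outside the approved list is
# reported so an administrator can act on it.
$approved = @('CONTOSO\RDP-Admins')   # assumed group name
Get-LocalGroupMember -Group 'Remote Desktop Users' -ErrorAction SilentlyContinue |
    Where-Object { $_.Name -notin $approved } |
    ForEach-Object { Write-Warning "Unexpected Remote Desktop Users member: $($_.Name)" }

# Report the resulting state so the change can be verified and recorded.
[pscustomobject]@{
    RdpEnabled     = (Get-ItemProperty -Path $tsKey).fDenyTSConnections -eq 0
    NlaRequired    = (Get-ItemProperty -Path $rdpTcp).UserAuthentication -eq 1
    AllowedSources = (Get-NetFirewallRule -DisplayGroup 'Remote Desktop' |
                      Get-NetFirewallAddressFilter | Select-Object -First 1).RemoteAddress
}
```

Two-factor authentication is enforced at the VPN or RD Gateway that owns the allowed range, not on the host itself, which is why the firewall scoping matters.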
As the world adjusts to large-scale remote work, RDP enables agility when it’s absolutely necessary. However, with cybercriminals and APTs actively seeking to exploit the opportunity, IT teams must be fully aware of and work to mitigate the serious risks that the protocol introduces to the business.
A new version of the Sarwent malware can open the Remote Desktop Protocol (RDP) port on target Windows computers to make sure that crooks can find their way back into the system through the backdoor.
Whether that access is used later by the same crooks or sold to ransomware gangs or cyber espionage groups is unknown, but affected users should know that removing the malware does not close that particular “backdoor”.
Sarwent’s new capabilities
Sarwent is a piece of malware that started out as a loader for other malware, but has recently been updated with two new functionalities, SentinelOne researchers discovered.
These newer variants can now also:
- Execute commands via Windows Command Prompt and PowerShell
- Create a new Windows user account, enable the RDP service for it, and make changes to the Windows firewall so that RDP access to the infected machine is allowed
Removing the malware from the infected computer will not automatically close the RDP “hole”. Users, admins or paid “cleaners” also have to remove the user account set up by the malware and close the RDP access port in the firewall.
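The leftovers described above (a new local account, RDP switched on, a firewall opening for port 3389) can be enumerated before clean-up with the following audit script. It is an added example, not code from the original article or from SentinelOne; it reports and deletes nothing, the look-back window is an assumed value, and it needs an elevated session.

```powershell
# Added example: audit a host for a recently created local account, RDP enabled
# and non-Windows firewall rules allowing inbound TCP 3389. Report only.
param([int]$DaysBack = 30)   # assumed look-back window

$since = (Get-Date).AddDays(-$DaysBack)

# 1. Local accounts created in the window (Security event 4720) and by whom.
#    Property positions for 4720: [0] TargetUserName, [4] SubjectUserName.
$createdAccounts = @(Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4720; StartTime = $since } `
        -ErrorAction SilentlyContinue |
    ForEach-Object {
        [pscustomobject]@{
            Created   = $_.TimeCreated
            Account   = $_.Properties[0].Value
            CreatedBy = $_.Properties[4].Value
        }
    })

# 2. Is RDP enabled, and who is allowed to use it?
$tsKey      = 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server'
$rdpEnabled = (Get-ItemProperty -Path $tsKey -Name fDenyTSConnections).fDenyTSConnections -eq 0
$rdpUsers   = @(Get-LocalGroupMember -Group 'Remote Desktop Users' -ErrorAction SilentlyContinue |
                Select-Object -ExpandProperty Name)

# 3. Inbound allow rules for TCP 3389. A rule with no DisplayGroup is not one of
#    Windows' own "Remote Desktop" rules, which is what a malware-added rule looks like.
$rdpRules = @(Get-NetFirewallPortFilter |
    Where-Object { $_.Protocol -eq 'TCP' -and $_.LocalPort -eq '3389' } |
    Get-NetFirewallRule |
    Where-Object { $_.Direction -eq 'Inbound' -and $_.Action -eq 'Allow' } |
    ForEach-Object {
        [pscustomobject]@{
            Name       = $_.DisplayName
            Enabled    = $_.Enabled
            Group      = $_.DisplayGroup
            Remote     = (($_ | Get-NetFirewallAddressFilter).RemoteAddress -join ',')
            Suspicious = [string]::IsNullOrEmpty($_.DisplayGroup)
        }
    })

# Summary for the responder: a created account that can use RDP, or a suspicious
# allow rule, has to be removed along with the malware itself.
[pscustomobject]@{
    RdpEnabled              = $rdpEnabled
    RemoteDesktopUsers      = $rdpUsers
    RecentlyCreatedAccounts = $createdAccounts
    RecentAccountsWithRdp   = @($createdAccounts | Where-Object {
                                  ($rdpUsers -contains $_.Account) -or ($rdpUsers -like "*\$($_.Account)") })
    SuspiciousRdpRules      = @($rdpRules | Where-Object { $_.Suspicious })
} | Format-List
```

Members of the local Administrators group can use RDP without being in Remote Desktop Users, so that group is worth the same review.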
RDP access: A hot commodity
Gaining access to Windows machines via the Remote Desktop Protocol has become a preferred tactic of cyber crooks and ransomware gangs, though they usually scan for machines/servers that already have RDP enabled and then they try to brute-force the passwords that safeguard access through it.
Since COVID-19 spread across the globe and many employees started working from home, RDP use has soared.
The crooks wielding Sarwent want to increase the chances of retaining access to the machine after the malware is found and removed.
It might be that they want to use that access themselves, to reinfect the computer at a later date. It’s also possible that they plan to rent or sell that access to other cyber gangs or individuals.
Access to corporate networks and systems is regularly sold on dark web forums and marketplaces.
As COVID-19 slowly spread across the globe, consumer demand for commercial virtual private network (VPN) services has soared – both for security reasons and for bypassing geo-blocking of (streaming) content. Not unexpectedly, enterprise VPN use has also greatly increased, and so has the use of the Remote Desktop Protocol (RDP), a popular and common means for remotely managing a computer over a network connection.
Increased enterprise RDP and VPN use
Shodan creator John Matherly has pulled old and new data regarding devices exposing RDP and VPN protocols and ports to the Internet and has confirmed that:
- The number of devices exposing RDP to the internet on standard ports (3389) has grown by 41.5 percent over the past month
- The number of devices exposing RDP to the internet on non-standard but often used alternate ports (3388) has grown by 36.8 percent over the same period
- The number of servers running VPN protocols (IKE, PPTP, etc.) on different ports has jumped from nearly 7.5 million to nearly 10 million (by a third).
With the increased usage of these services comes an increased risk of compromise, though.
“[RDP] has a history of security issues and generally shouldn’t be publicly accessible without any other protections (ex. firewall whitelist, 2FA),” Matherly noted.
While helpful for allowing remote users to securely connect to corporate applications and resources, the VPNs set up by organizations are not immune to attack and compromise via known and unknown vulnerabilities, both on the client and server side.
Among the more recent examples are:
- CVE-2019-1573, a vulnerability that made a variety of VPN applications store the authentication and session cookies insecurely in memory and/or log files
- CVE-2019-11510, an arbitrary file reading vulnerability affecting Pulse Connect Secure SSL VPN installations
- CVE-2018-13379, a path traversal flaw in the FortiOS SSL VPN web portal
The latter two can be exploited remotely by sending a specially crafted HTTPS request, don’t require authentication, and allow attackers to download files/extract sensitive information from the vulnerable servers. They have also been actively exploited by attackers.
The healthcare industry has significantly more exposed attack surfaces than any other industry surveyed, according to Censys’s research findings of cloud risks and cloud maturity by industry, revealed at RSA Conference 2020.
Leveraging the Censys SaaS Platform, company researchers measured the occurrence of exposed databases and exposed remote login services – two key indicators of modern security risks – for the ten largest companies by revenue in seven major industries (Automotive, Energy, Hotels, Insurance, Manufacturing, Healthcare and Financials).
The healthcare industry showed significantly more exposed databases and more exposed remote login services.
Exposed databases by industry
Composed of pharmacies, healthcare providers, insurance providers and pharmaceutical manufacturers, the healthcare industry had an average of 13 exposed databases per company. The energy industry proved the least at-risk with only one exposed database per company.
Exposed Remote Desktop Protocol (RDP)
Healthcare also had the most exposed RDP servers per company, with an average of eight. However, this average is driven by one outlier with ten times as many exposed RDP servers as the next highest company.
While cloud databases and remote working solutions provide a great deal of convenience and enable modern web applications, both provide attackers a common entry point and drive data breach attacks. Internet exposed databases put customer data at risk and RDPs pose risks of credential stuffing, reuse of stolen credentials, and specific software exploits.
“Along with enormous agility for the modern enterprise, the rise of cloud infrastructure in high-tech industries has created an incredible security challenge that only continues to grow,” said Jose Nazario, Ph.D., Principal R&D Engineer at Censys. “While all industries have guilty parties, healthcare’s attack surface is simply much bigger than they realize.”
In order to protect against breaches, companies must first gain visibility using a continuous attack surface monitoring platform. This enables businesses to be alerted to risks when they occur. Companies can then remediate the issue by reconfiguring an application to listen on a private network, employing VPN software, or simply ensuring a firewall ruleset is properly configured.
Ransomware tries to slip unnoticed past security controls by abusing trusted and legitimate processes, and then harnesses internal systems to encrypt the maximum number of files and disable backup and recovery processes before an IT security team catches up, according to a new Sophos report.
Main modes of distribution for the major ransomware families
Ransomware is typically distributed in one of three ways: as a cryptoworm, which replicates itself rapidly to other computers for maximum …
The post Attack tools and techniques used by major ransomware families appeared first on Help Net Security.