Ransomware hits Australian businesses using Windows remote tool

Security experts have warned Australian companies to lock down Windows Remote Desktop Protocol (RDP) access after finding a ransomware campaign that uses brute-forced RDP credentials to install file-encrypting malware.

Security firm Trend Micro has warned that a recently discovered ransomware family known as Crysis is targeting businesses in Australia and New Zealand using compromised credentials for RDP computers.

The protocol is used in enterprises to allow remote access to Windows systems, ranging from point-of-sale systems to networked peripheral devices, but it has frequently been abused by attackers who scan for the ports commonly used for remote access and then try default or weak passwords.

Trend Micro architect Jon Oliver said the ransomware also injects trojans into connected printers and routers in order to reinfect a network after attempts to clean up the ransomware.

“We were able to monitor Crysis in cyber-attacks involving brute-forced RDP credentials and the ransomware executed via a redirected drive from the source computer,” wrote Jon Oliver, a senior architect at Trend Micro.

The attacks used a Windows remote access feature called “redirections”, which enables users to access and use files from local drives, printers, the Clipboard, and supported plug and play and multimedia devices within a remote session, he noted.

The Crysis malware campaign has targeted Australian and New Zealand businesses via spam, malicious attachments and compromised websites since the beginning of August, but the security company only recently discovered it was also using brute-forced RDP credentials.

RDP hit the radar in Australia in 2012 after a spate of attacks on local firms resulted in extortion and stolen credit card data from retail systems. Australia’s cyber security response team, CERT Australia, warned at the time that hackers were using weak or compromised credentials to infiltrate targets via servers running Microsoft RDP services.

CERT Australia advised limiting direct remote access from the Internet to RDP servers, enforcing strong passphrase policies and account lockout policies, and using a VPN and two-factor authentication if remote access was necessary.
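The CERT Australia guidance above rests on one observation: a brute-force run against RDP leaves a dense burst of failed remote-interactive logons from a single source, often followed by a success from that same source. The following added example, which is not code from the article, Trend Micro or CERT Australia, shows how a defender can apply an account-lockout-style threshold (N failures inside a time window) to Windows Security log records to surface that pattern. The log lines are constructed for the example in a simplified key=value form rather than real Windows event XML; the event IDs 4625 (failed logon), 4624 (successful logon) and logon type 10 (RemoteInteractive, i.e. RDP) are the real Windows values, and the source addresses are reserved documentation ranges.

```python
"""Flag RDP password-guessing bursts in (constructed) Windows Security log records.

Added example, not part of the original article. Records are in a simplified
"<ISO time> key=value ..." form; a real deployment would read EventID,
LogonType, TargetUserName and IpAddress from the 4624/4625 event data.
"""
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample records (not real telemetry). EventID 4625 = failed
# logon, 4624 = successful logon; LogonType 10 = RemoteInteractive (RDP).
SAMPLE_LOG = """\
2016-09-01T02:14:03 EventID=4625 LogonType=10 Account=administrator Source=198.51.100.7
2016-09-01T02:14:05 EventID=4625 LogonType=10 Account=administrator Source=198.51.100.7
2016-09-01T02:14:06 EventID=4625 LogonType=10 Account=admin Source=198.51.100.7
2016-09-01T02:14:08 EventID=4625 LogonType=10 Account=pos Source=198.51.100.7
2016-09-01T02:14:09 EventID=4625 LogonType=10 Account=administrator Source=198.51.100.7
2016-09-01T02:14:11 EventID=4625 LogonType=10 Account=administrator Source=198.51.100.7
2016-09-01T02:14:30 EventID=4624 LogonType=10 Account=administrator Source=198.51.100.7
2016-09-01T02:15:00 EventID=4625 LogonType=2 Account=jsmith Source=127.0.0.1
2016-09-01T02:16:00 EventID=4625 LogonType=10 Account=jsmith Source=203.0.113.5
2016-09-01T02:16:40 EventID=4624 LogonType=10 Account=jsmith Source=203.0.113.5
"""


def parse_line(line):
    """Turn one record into a dict; the timestamp becomes rec['time']."""
    ts, *fields = line.split()
    rec = {k: v for k, v in (f.split("=", 1) for f in fields)}
    rec["time"] = datetime.fromisoformat(ts)
    return rec


def detect_rdp_bruteforce(log_text, threshold=5, window=timedelta(minutes=1)):
    """Return {source: details} for sources that produce at least `threshold`
    failed RDP logons inside `window` (the same shape as an account lockout
    policy of `threshold` bad attempts per `window`). `details` records the
    peak failure count, every account name tried from that source, and the
    first successful RDP logon from the source after it was flagged."""
    recent = defaultdict(deque)   # source -> timestamps of failures in window
    tried = defaultdict(set)      # source -> account names attempted
    flagged = {}
    for line in log_text.strip().splitlines():
        rec = parse_line(line)
        if rec["LogonType"] != "10":
            continue  # only remote-interactive (RDP) logons matter here
        src = rec["Source"]
        if rec["EventID"] == "4625":
            q = recent[src]
            q.append(rec["time"])
            while rec["time"] - q[0] > window:   # drop failures outside window
                q.popleft()
            tried[src].add(rec["Account"])
            if len(q) >= threshold:
                entry = flagged.setdefault(
                    src, {"failures": 0, "accounts": set(), "success_after": None})
                entry["failures"] = max(entry["failures"], len(q))
                entry["accounts"] = set(tried[src])
        elif rec["EventID"] == "4624" and src in flagged:
            entry = flagged[src]
            if entry["success_after"] is None:
                # A success right after a guessing burst is the strongest signal
                entry["success_after"] = (rec["Account"], rec["time"].isoformat())
    return flagged


if __name__ == "__main__":
    for src, info in detect_rdp_bruteforce(SAMPLE_LOG).items():
        print(f"{src}: {info['failures']} failed RDP logons, accounts tried "
              f"{sorted(info['accounts'])}, success after burst: {info['success_after']}")
```

With the sample above, only 198.51.100.7 is flagged: it fails five times within a minute, keeps going, and then logs in successfully as `administrator`, which is the sequence a brute-forced credential produces. The local logon-type-2 failure and the single failure from 203.0.113.5 are ignored. The `threshold` and `window` parameters mirror the lockout policy CERT Australia recommends, so the same numbers can be used for both prevention (lockout) and detection (alerting).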

As noted by Krebs on Security (http://krebsonsecurity.com/2013/12/hacked-via-rdp-really-dumb-passwords/), one criminal gang in 2013 was selling access to thousands of RDP installations that had terribly weak credentials. Security firm Trustwave reported in 2012 that “IP remote access” was the most common method for breaching organisations. RDP and other remote access tools such as Terminal Services, pcAnywhere and Virtual Network Computing (VNC) were often used by third-party tech support to service clients, but if left enabled they also gave access to attackers, it said.

“Would-be attackers simply scan blocks of Internet addresses looking for hosts that respond to queries on one of these ports. Once they have a focused target list of Internet addresses with open remote administration ports, they can move on to the next part of the attack: The number 2 most-exploited weakness: default/weak credentials,” Trustwave wrote.

Stories by Liam Tung