Security experts have warned Australian companies to lock down Windows remote desktop protocol (RDP) access after finding file-encrypting ransomware that is installed using brute-forced RDP credentials.
Security firm Trend Micro has warned that a recently discovered ransomware family known as Crysis is targeting businesses in Australia and New Zealand using compromised credentials for RDP computers.
The protocol is used in enterprises to allow remote access to Windows systems, ranging from point of sale systems to networked peripheral devices, but has frequently been abused by hackers who scan for open ports commonly used for remote access and attempt default or weak passwords.
Trend Micro architect Jon Oliver said the ransomware also injects trojans into connected printers and routers in order to reinfect a network after attempts to clean up the ransomware.
“We were able to monitor Crysis in cyber-attacks involving brute-forced RDP credentials and the ransomware executed via a redirected drive from the source computer,” wrote Jon Oliver, a senior architect at Trend Micro.
The attacks used a Windows remote access feature called “redirections” that enables users to access and use files from local drives, printers, the Clipboard, and supported plug and play and multimedia devices, he noted.
The Crysis malware campaign has targeted Australian and New Zealand businesses via spam, malicious attachments and compromised websites since the beginning of August, but the security company only recently discovered it was also using brute-forced RDP credentials.
RDP hit the radar in Australia in 2012 after a spate of attacks on local firms resulted in extortion and stolen credit card data from retail systems. Australia’s cyber security response team, CERT Australia, warned at the time that hackers were using weak or compromised credentials to infiltrate targets via servers running Microsoft RDP services.
CERT Australia advised organisations to limit direct remote access from the Internet to RDP servers by enforcing strong passphrase policies and implementing account lockout policies, and to use a VPN and two-factor authentication if remote access was necessary.
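The brute-force pattern described above leaves a trail in the Windows Security log: runs of failed logons (event ID 4625) from one source address, sometimes followed by a successful logon (event ID 4624). The script below is an added example, not from the article, Trend Micro or CERT Australia; the CSV column layout, the threshold and window values, and the sample rows are assumptions constructed for illustration.

```python
import csv
import io
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample rows: time,event_id,logon_type,source_ip,account
# (an assumed export layout of Windows Security log fields).
SAMPLE = """\
2016-09-20T02:10:01,4625,10,203.0.113.7,administrator
2016-09-20T02:10:09,4625,10,203.0.113.7,administrator
2016-09-20T02:10:15,4625,10,203.0.113.7,admin
2016-09-20T02:10:22,4625,10,203.0.113.7,admin
2016-09-20T02:10:30,4625,10,203.0.113.7,pos1
2016-09-20T02:10:41,4625,10,203.0.113.7,pos1
2016-09-20T02:10:55,4624,10,203.0.113.7,pos1
2016-09-20T08:59:12,4625,10,198.51.100.20,jsmith
2016-09-20T08:59:40,4625,10,198.51.100.20,jsmith
2016-09-20T09:00:05,4624,10,198.51.100.20,jsmith
2016-09-20T09:05:00,4625,2,-,reception
"""

# 10 = RemoteInteractive (RDP); 3 = network logon, logged for RDP when NLA is on.
RDP_LOGON_TYPES = {"3", "10"}

def find_bruteforce(text, threshold=5, window=timedelta(minutes=10)):
    """Flag source IPs with >= threshold failed remote logons inside the window.

    Returns {ip: {"peak_failures", "accounts", "success_after"}}, where
    success_after is the first account that logged on after the IP was flagged.
    """
    recent = defaultdict(deque)  # ip -> (time, account) of failures in window
    findings = {}
    rows = sorted((r for r in csv.reader(io.StringIO(text)) if r),
                  key=lambda r: r[0])
    for ts, event_id, logon_type, ip, account in rows:
        if logon_type not in RDP_LOGON_TYPES:
            continue  # console and other local logons are out of scope
        when = datetime.fromisoformat(ts)
        if event_id == "4625":  # failed logon
            q = recent[ip]
            q.append((when, account))
            while when - q[0][0] > window:
                q.popleft()  # drop failures older than the window
            if len(q) >= threshold:
                f = findings.setdefault(ip, {"peak_failures": 0,
                                             "accounts": set(),
                                             "success_after": None})
                f["peak_failures"] = max(f["peak_failures"], len(q))
                f["accounts"].update(a for _, a in q)
        elif event_id == "4624" and ip in findings:  # success after a flagged run
            if findings[ip]["success_after"] is None:
                findings[ip]["success_after"] = account
    return findings
```

A non-empty `success_after` is the case to escalate first: the guessing run ended with a working credential.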
As noted by Krebs on Security (http://krebsonsecurity.com/2013/12/hacked-via-rdp-really-dumb-passwords/), one criminal gang in 2013 was selling access to thousands of RDP installations that had terribly weak credentials. Security firm Trustwave in 2012 reported that “IP remote access” was the most common method for breaching organisations. RDP and other remote access tools such as Terminal Services, pcAnywhere and Virtual Network Client (VNC) were often used by third-party tech support to service clients, but if left enabled also gave access to attackers, it said.
“Would-be attackers simply scan blocks of Internet addresses looking for hosts that respond to queries on one of these ports. Once they have a focused target list of Internet addresses with open remote administration ports, they can move on to the next part of the attack: The number 2 most-exploited weakness: default/weak credentials,” Trustwave wrote.